Setup Victims

[ruebot]

No description provided.

[ruebot]

[nruest@gorila:aut] (git)-[issue-5]-$ mvn clean install
[INFO] Scanning for projects...
[INFO]                                                                         
[INFO] ------------------------------------------------------------------------
[INFO] Building Archives Unleashed Toolkit 0.1.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ aut ---
[INFO] 
[INFO] --- maven-enforcer-plugin:1.4:enforce (enforce-victims-rule) @ aut ---
[INFO] 
+=========================+
|VICTIMS-ENFORCER SETTINGS|
+=========================+
metadata     = fatal
fingerprint  = fatal
updates      = daily

[INFO] Last update was on Wed Jun 07 11:40:23 EDT 2017. Checking for new vulnerabilities at http://www.victi.ms/
[WARNING] The dependency commons-httpclient-3.1 matches a vulnerability recorded in the victims database. [CVE-2012-5783]
[WARNING] Rule 0: com.redhat.victims.VictimsRule failed with message:

+=======================+
|VULNERABILITY DETECTED!|
+=======================+
For more information visit: 
  - https://access.redhat.com/security/cve/CVE-2012-5783

[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 25.354 s
[INFO] Finished at: 2017-08-22T14:53:12-04:00
[INFO] Final Memory: 57M/1416M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:1.4:enforce (enforce-victims-rule) on project aut: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed. -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

[ruebot]

@lintool @ianmilligan1 do we care about Victims, and this vulnerability? commons-httpclient-3.1 comes in via webarchive-commons. I've tried updating webarchive-commons to 1.1.8, and it is still there.

[INFO] +- org.netpreserve.commons:webarchive-commons:jar:1.1.8:compile
[INFO] |  +- org.json:json:jar:20131018:compile
[INFO] |  +- org.htmlparser:htmlparser:jar:1.6:compile
[INFO] |  +- com.googlecode.juniversalchardet:juniversalchardet:jar:1.0.3:compile
[INFO] |  +- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] |  +- org.apache.hadoop:hadoop-core:jar:0.20.2-cdh3u4:compile
[INFO] |  |  +- com.cloudera.cdh:hadoop-ant:pom:0.20.2-cdh3u4:compile
[INFO] |  |  +- commons-cli:commons-cli:jar:1.2:compile
[INFO] |  |  +- xmlenc:xmlenc:jar:0.52:compile
[INFO] |  |  +- org.apache.hadoop.thirdparty.guava:guava:jar:r09-jarjar:compile
[INFO] |  |  +- commons-el:commons-el:jar:1.0:compile
[INFO] |  |  \- org.eclipse.jdt:core:jar:3.1.1:compile

Interesting background discussion here, and it looks like these folks are disabling victims, and excluding using it.

Happy to ask folks in IIPC slack what's up with it as well.

[ianmilligan1]

I'm happy to defer to you here @ruebot, whatever you think is the best way forward.

[ruebot]

This is blocked by iipc/webarchive-commons#78.

I'm going to label it as "blocked" for now, as well open up an issue as well since we make use of it here.

[ruebot]

New issue: #23

[ruebot]

Ran this again:

[INFO] Analyzing the dependencies for io.archivesunleashed:aut
[INFO] Syncing with the victims repository (based on the atom feed)
[INFO] Downloading: https://github.com/victims/victims-cve-db/commits.atom
[INFO] Downloading: https://github.com/victims/victims-cve-db/archive/master.zip
[ERROR] org.apache.hadoop:hadoop-hdfs is vulnerable to CVE-2017-3161
[ERROR] org.apache.hadoop:hadoop-hdfs is vulnerable to CVE-2017-3162
[ERROR] com.fasterxml.jackson.core:jackson-databind is vulnerable to CVE-2017-7525
[ERROR] xerces:xercesImpl is vulnerable to CVE-2013-4002
[ERROR] jline:jline is vulnerable to CVE-2013-2035
[ERROR] commons-beanutils:commons-beanutils is vulnerable to CVE-2014-0114
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  22.059 s
[INFO] Finished at: 2019-08-20T21:03:47-04:00
[INFO] ------------------------------------------------------------------------

Also, with GitHub security notifications, I think that is good enough here. So, I'd recommend closing this.

@lintool @ianmilligan1 that work for you?

[lintool]

👍

[ianmilligan1]

👍 Works for me too!