thulab/iot-benchmark

Dependency org.apache.httpcomponents:httpclient, leading to CVE problem

CVEDetect opened this issue · 0 comments

Hi, in kairosdb/, there is a dependency **org.apache.httpcomponents:httpclient:4.3.3** that calls the risk method.

CVE-2020-13956

The affected version range of this CVE is [,4.5.13).

After further analysis, the main API called in this project is org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length: 8

cn.edu.tsinghua.iotdb.benchmark.kairosdb.KairosDB: cleanup() .m2/repository/com/google/code/findbugs/jsr305/2.0.0/jsr305-2.0.0.jar
org.kairosdb.client.HttpClient: deleteMetric(java.lang.String) .m2/repository/com/google/code/findbugs/jsr305/2.0.0/jsr305-2.0.0.jar
org.kairosdb.client.HttpClient: delete(java.lang.String,org.kairosdb.client.response.JsonResponseHandler)Ljava.lang.Object; .m2/repository/com/google/code/findbugs/jsr305/2.0.0/jsr305-2.0.0.jar
org.kairosdb.client.HttpClient: execute(com.proofpoint.http.client.Request,org.kairosdb.client.response.JsonResponseHandler)Ljava.lang.Object; .m2/repository/com/google/code/findbugs/jsr305/2.0.0/jsr305-2.0.0.jar
org.apache.http.impl.client.CloseableHttpClient: execute(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.client.methods.CloseableHttpResponse; .m2/repository/com/google/code/findbugs/jsr305/2.0.0/jsr305-2.0.0.jar
org.apache.http.impl.client.CloseableHttpClient: execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)Lorg.apache.http.client.methods.CloseableHttpResponse; .m2/repository/com/google/code/findbugs/jsr305/2.0.0/jsr305-2.0.0.jar
org.apache.http.impl.client.CloseableHttpClient: determineTarget(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpHost; .m2/repository/com/google/code/findbugs/jsr305/2.0.0/jsr305-2.0.0.jar
org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;

Dependency tree--

[INFO] cn.edu.tsinghua:kairosdb:jar:0.0.1
[INFO] +- cn.edu.tsinghua:core:jar:0.0.1:compile
[INFO] |  +- commons-cli:commons-cli:jar:1.3.1:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.7:compile
[INFO] |  +- org.weakref:jmxutils:jar:1.21:compile
[INFO] |  +- postgresql:postgresql:jar:9.1-901-1.jdbc4:compile
[INFO] |  +- mysql:mysql-connector-java:jar:5.1.44:compile
[INFO] |  +- com.alibaba:fastjson:jar:1.2.31:compile
[INFO] |  +- joda-time:joda-time:jar:2.10.1:compile
[INFO] |  +- net.agkn:hll:jar:1.6.0:compile
[INFO] |  |  \- it.unimi.dsi:fastutil:jar:6.5.11:compile
[INFO] |  +- com.clearspring.analytics:stream:jar:2.9.8:compile
[INFO] |  +- org.apache.kafka:kafka_2.10:jar:0.8.2.0:compile
[INFO] |  |  +- org.apache.kafka:kafka-clients:jar:0.8.2.0:compile
[INFO] |  |  |  +- net.jpountz.lz4:lz4:jar:1.2.0:compile
[INFO] |  |  |  \- org.xerial.snappy:snappy-java:jar:1.1.1.6:compile
[INFO] |  |  +- com.yammer.metrics:metrics-core:jar:2.2.0:compile
[INFO] |  |  +- org.scala-lang:scala-library:jar:2.10.4:compile
[INFO] |  |  +- org.apache.zookeeper:zookeeper:jar:3.4.6:compile
[INFO] |  |  |  +- jline:jline:jar:0.9.94:compile
[INFO] |  |  |  \- io.netty:netty:jar:3.7.0.Final:compile
[INFO] |  |  +- net.sf.jopt-simple:jopt-simple:jar:3.2:compile
[INFO] |  |  \- com.101tec:zkclient:jar:0.3:compile
[INFO] |  +- javax.xml.bind:jaxb-api:jar:2.3.1:compile
[INFO] |  |  \- javax.activation:javax.activation-api:jar:1.2.0:compile
[INFO] |  +- javax.activation:activation:jar:1.1:compile
[INFO] |  +- org.glassfish.jaxb:jaxb-runtime:jar:2.3.1:compile
[INFO] |  |  +- org.glassfish.jaxb:txw2:jar:2.3.1:compile
[INFO] |  |  +- com.sun.istack:istack-commons-runtime:jar:3.0.7:compile
[INFO] |  |  +- org.jvnet.staxex:stax-ex:jar:1.8:compile
[INFO] |  |  \- com.sun.xml.fastinfoset:FastInfoset:jar:1.2.15:compile
[INFO] |  \- com.opencsv:opencsv:jar:5.5.2:compile
[INFO] |     +- org.apache.commons:commons-text:jar:1.9:compile
[INFO] |     +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |     |  \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |     \- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO] +- org.kairosdb:client:jar:3.0.0:compile
[INFO] |  +- com.google.guava:guava:jar:25.1-jre:compile
[INFO] |  |  +- org.checkerframework:checker-qual:jar:2.0.0:compile
[INFO] |  |  +- com.google.errorprone:error_prone_annotations:jar:2.1.3:compile
[INFO] |  |  +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] |  |  \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.3.3:compile
[INFO] |  |  +- org.apache.httpcomponents:httpcore:jar:4.3.2:compile
[INFO] |  |  +- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.6:compile
[INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  +- commons-io:commons-io:jar:2.5:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:2.0.0:compile
[INFO] |  +- com.proofpoint.platform:http-client:jar:1.80:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-io:jar:9.3.24.v20180605:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-util:jar:9.3.24.v20180605:compile
[INFO] |  |  +- com.proofpoint.platform:concurrent:jar:1.80:compile
[INFO] |  |  +- com.proofpoint.platform:json:jar:1.80:compile
[INFO] |  |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.5:compile
[INFO] |  |  |  +- com.fasterxml.jackson.core:jackson-core:jar:2.9.5:compile
[INFO] |  |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.5:compile
[INFO] |  |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.5:compile
[INFO] |  |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.5:compile
[INFO] |  |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-guava:jar:2.9.5:compile
[INFO] |  |  |  \- com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.9.5:compile
[INFO] |  |  +- com.proofpoint.platform:log:jar:1.80:compile
[INFO] |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  +- com.proofpoint.platform:units:jar:1.80:compile
[INFO] |  |  +- com.proofpoint.platform:stats:jar:1.80:compile
[INFO] |  |  |  +- com.proofpoint.platform:reporting:jar:1.80:compile
[INFO] |  |  |  \- org.openjdk.jol:jol-core:jar:0.1:compile
[INFO] |  |  +- com.proofpoint.platform:configuration:jar:1.80:compile
[INFO] |  |  |  \- cglib:cglib-nodep:jar:3.1:compile
[INFO] |  |  +- com.proofpoint.platform:trace-token:jar:1.80:compile
[INFO] |  |  +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] |  |  +- javax.inject:javax.inject:jar:1:compile
[INFO] |  |  +- com.google.inject:guice:jar:4.2.0:compile
[INFO] |  |  |  \- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  |  +- com.google.inject.extensions:guice-multibindings:jar:4.2.0:compile
[INFO] |  |  \- com.fasterxml.jackson.dataformat:jackson-dataformat-smile:jar:2.9.5:compile
[INFO] |  +- org.apache.bval:bval-jsr303:jar:0.5:compile
[INFO] |  |  \- org.apache.bval:bval-core:jar:0.5:compile
[INFO] |  |     \- commons-beanutils:commons-beanutils-core:jar:1.8.3:compile
[INFO] |  \- com.google.code.gson:gson:jar:2.8.0:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.7.30:compile
[INFO] +- org.slf4j:jul-to-slf4j:jar:1.7.30:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.30:compile
[INFO] +- junit:junit:jar:4.13.1:compile
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] \- log4j:log4j:jar:1.2.17:compile

Suggested solutions:

Update dependency version

Thank you very much.
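The dependency tree above shows that httpclient 4.3.3 is not declared by the benchmark itself but arrives transitively through org.kairosdb:client:3.0.0, so "update dependency version" means overriding the resolved version in the kairosdb module's POM rather than editing the client library. The pom.xml fragment below is an added example of one way to do that with Maven's dependencyManagement; it is not from the iot-benchmark project. The module and artifact coordinates are copied from the tree above; the target versions 4.5.13 (the first httpclient release outside the affected range [,4.5.13)) and 4.4.13 (assumed to be the httpcore release that httpclient 4.5.13 pairs with) are assumptions, and the module's other dependencies are omitted.

```xml
<!-- Added example, not the project's own POM: pin the transitive httpclient that
     org.kairosdb:client:3.0.0 pulls in to a version outside CVE-2020-13956's
     affected range [,4.5.13). A dependencyManagement entry overrides the version
     that a transitive dependency declares, so no change to the client library
     is needed. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>cn.edu.tsinghua</groupId>
  <artifactId>kairosdb</artifactId>
  <version>0.0.1</version>

  <dependencyManagement>
    <dependencies>
      <!-- 4.5.13 is the first release outside the affected range (assumed target). -->
      <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>4.5.13</version>
      </dependency>
      <!-- httpcore is bumped alongside it; 4.4.13 is assumed to be the matching release. -->
      <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpcore</artifactId>
        <version>4.4.13</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Unchanged: the library that brings httpclient in transitively. -->
    <dependency>
      <groupId>org.kairosdb</groupId>
      <artifactId>client</artifactId>
      <version>3.0.0</version>
    </dependency>
    <!-- Other dependencies of the module (cn.edu.tsinghua:core, slf4j, log4j, junit) omitted. -->
  </dependencies>
</project>
```

After the change, confirm the override took effect with `mvn dependency:tree -Dincludes=org.apache.httpcomponents` in the kairosdb module and check that the httpclient line now reads 4.5.13 rather than 4.3.3; then run the module's existing tests, since the invocation path above shows the upgraded client is exercised on every request the KairosDB cleanup path makes.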