Log4j dependency update and OSSF Scorecard #6
Open
AkkalaNPC wants to merge 1 commit into USCDataScience:master from
Conversation
Updated log4j 1.x to log4j 2.x; the namespace has changed from log4j:log4j to org.apache.logging.log4j:log4j-core. Also updated slf4j-log4j12 to slf4j-reload4j, which is a drop-in replacement for log4j 1.x, and updated all other slf4j packages to the same version for compatibility.
Hello! My security scanner has detected a number of vulnerabilities in your project that are introduced by log4j 1.x, which has been end of life since 2015:
```text
✗ Man-in-the-Middle (MitM) [Low Severity][CVE-2020-9488] in log4j:log4j@1.2.17
  introduced by edu.usc.ir:sentiment-analysis-parser@0.1 > log4j:log4j@1.2.17
✗ Arbitrary Code Execution [Medium Severity][CVE-2021-4104] in log4j:log4j@1.2.17
  introduced by edu.usc.ir:sentiment-analysis-parser@0.1 > log4j:log4j@1.2.17
✗ SQL Injection [High Severity][CVE-2022-23305] in log4j:log4j@1.2.17
  introduced by edu.usc.ir:sentiment-analysis-parser@0.1 > log4j:log4j@1.2.17
✗ Deserialization of Untrusted Data [High Severity][CVE-2022-23307] in log4j:log4j@1.2.17
  introduced by edu.usc.ir:sentiment-analysis-parser@0.1 > log4j:log4j@1.2.17
✗ Deserialization of Untrusted Data [High Severity][CVE-2022-23302] in log4j:log4j@1.2.17
  introduced by edu.usc.ir:sentiment-analysis-parser@0.1 > log4j:log4j@1.2.17
✗ Denial of Service (DoS) [Medium Severity][CVE-2023-26464] in log4j:log4j@1.2.17
  introduced by edu.usc.ir:sentiment-analysis-parser@0.1 > log4j:log4j@1.2.17
✗ Deserialization of Untrusted Data [Critical Severity][CVE-2019-17571] in log4j:log4j@1.2.17
  introduced by edu.usc.ir:sentiment-analysis-parser@0.1 > log4j:log4j@1.2.17
```
I have made the following changes to your project in order to remediate these vulnerabilities:
- Updated log4j 1.x to log4j 2.x; the namespace has changed from log4j:log4j to org.apache.logging.log4j:log4j-core.
- Also updated slf4j-log4j12 to slf4j-reload4j, which is a drop-in replacement for log4j 1.x, and updated all other slf4j packages to the same version for compatibility.
I also ran your repository through OSSF Scorecard, which does a number of security configuration checks. Currently branch protection is not optimized and anyone can force push code, merge branches, or force delete branches. I recommend optimizing your branch protection settings on dev/release branches to prevent force push and force delete. This will keep people downstream of your project safe from unauthorized changes to your project.
OSSF Scorecard results:

Aggregate score: 3.9 / 10

Check scores:

| SCORE | NAME | REASON | DOCUMENTATION/REMEDIATION |
|---|---|---|---|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#binary-artifacts |
| 0 / 10 | Branch-Protection | branch protection not enabled on development/release branches | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#branch-protection |
| 0 / 10 | CI-Tests | 0 out of 3 merged PRs checked by a CI test -- score normalized to 0 | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#ci-tests |
| 0 / 10 | CII-Best-Practices | no badge detected | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#cii-best-practices |
| 1 / 10 | Code-Review | 3 out of last 23 changesets reviewed before merge -- score normalized to 1 | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#code-review |
| 10 / 10 | Contributors | 8 different organizations found -- score normalized to 10 | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#contributors |
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns detected | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#dangerous-workflow |
| 0 / 10 | Dependency-Update-Tool | no update tool detected | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#dependency-update-tool |
| 0 / 10 | Fuzzing | project is not fuzzed | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#fuzzing |
| 10 / 10 | License | license file detected | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#license |
| 0 / 10 | Maintained | 0 commit(s) out of 30 and 0 issue activity out of 2 found in the last 90 days -- score normalized to 0 | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#maintained |
| ? | Packaging | no published package detected | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#packaging |
| 10 / 10 | Pinned-Dependencies | all dependencies are pinned | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#pinned-dependencies |
| 0 / 10 | SAST | SAST tool is not run on all commits -- score normalized to 0 | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#sast |
| 0 / 10 | Security-Policy | security policy file not detected | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#security-policy |
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#signed-releases |
| 10 / 10 | Token-Permissions | tokens are read-only in GitHub workflows | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#token-permissions |
| 0 / 10 | Vulnerabilities | 14 existing vulnerabilities detected | https://github.com/ossf/scorecard/blob/376f465c111c39c6a5ad7408e8896cd790cb5219/docs/checks.md#vulnerabilities |
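A check for the dependency replacement the comment above describes, as an added example that is not code from this PR or from the sentiment-analysis-parser project: it flags the EOL log4j:log4j artifact and the slf4j-log4j12 binding in a Maven POM and rewrites them to log4j-core and slf4j-reload4j, aligning every other org.slf4j artifact on one version. The sample POM, its version numbers and the `log4j2.version`/`slf4j.version` property names are constructed assumptions.

```python
"""Flag the EOL log4j 1.x coordinates named in the PR comment in a Maven POM and
rewrite them to the replacements it describes. Added example; sample data is
constructed, not taken from the sentiment-analysis-parser project."""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Coordinate rewrites from the PR description. Target versions are left as Maven
# properties (assumed names) so no particular release number is baked in.
REWRITES = {
    ("log4j", "log4j"): ("org.apache.logging.log4j", "log4j-core", "${log4j2.version}"),
    ("org.slf4j", "slf4j-log4j12"): ("org.slf4j", "slf4j-reload4j", "${slf4j.version}"),
}

# Constructed POM fragment mirroring the pre-PR dependency set (slf4j version invented).
SAMPLE_POM = f"""<project xmlns="{POM_NS}">
  <dependencies>
    <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId><version>1.2.17</version></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-log4j12</artifactId><version>1.7.25</version></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>1.7.25</version></dependency>
  </dependencies>
</project>"""


def find_eol_log4j(pom_xml: str) -> list[str]:
    """Return group:artifact@version for each direct dependency that pulls in
    log4j 1.x, either the library itself or the SLF4J binding to it."""
    root = ET.fromstring(pom_xml)
    hits = []
    for dep in root.iterfind("m:dependencies/m:dependency", NS):
        g = dep.findtext("m:groupId", "", NS)
        a = dep.findtext("m:artifactId", "", NS)
        if (g, a) in REWRITES:
            hits.append(f"{g}:{a}@{dep.findtext('m:version', '', NS)}")
    return hits


def remediate(pom_xml: str) -> str:
    """Apply the coordinate rewrites and pin every remaining org.slf4j artifact
    to the same version property so API and binding stay compatible."""
    ET.register_namespace("", POM_NS)  # keep the default xmlns on output
    root = ET.fromstring(pom_xml)
    for dep in root.iterfind("m:dependencies/m:dependency", NS):
        g, a = dep.find("m:groupId", NS), dep.find("m:artifactId", NS)
        v = dep.find("m:version", NS)
        if v is None:  # version may be inherited; add an explicit element
            v = ET.SubElement(dep, f"{{{POM_NS}}}version")
        if (g.text, a.text) in REWRITES:
            g.text, a.text, v.text = REWRITES[(g.text, a.text)]
        elif g.text == "org.slf4j":
            v.text = "${slf4j.version}"
    return ET.tostring(root, encoding="unicode")
```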