Skip to content

Update README.md#4

Open
kavisuresh wants to merge 1 commit intomasterfrom
kavisuresh-patch-1
Open

Update README.md#4
kavisuresh wants to merge 1 commit intomasterfrom
kavisuresh-patch-1

Conversation

@kavisuresh
Copy link
Copy Markdown
Owner

@kavisuresh kavisuresh commented May 10, 2021

No description provided.

@kavisuresh
Copy link
Copy Markdown
Owner Author

kavisuresh commented May 10, 2021

IBM Cloud Continuous Delivery Bill of Materials

Download Bill of Materials Report: [JSON Format]

Bill of Materials Diff

Compare To: [Branch = master] [Commitid = a310cd4]

@kavisuresh
Copy link
Copy Markdown
Owner Author

kavisuresh commented May 10, 2021

IBM Cloud Continuous Delivery Deployment Configuration Analysis

No configuration risks discovered

@kavisuresh
Copy link
Copy Markdown
Owner Author

kavisuresh commented May 10, 2021

IBM Cloud Continuous Delivery Vulnerability Report

Expand to reveal report findings

✅ Manifest File: db2/Dockerfile-ibmcom/db2express-c:latest

Vulnerability Data by Clair

No OS package vulnerabilities found

✅ Manifest File: result-app/Dockerfile-websphere-liberty:kernel

Vulnerability Data by Clair

No OS package vulnerabilities found

✅ Manifest File: voting-app/Dockerfile-ibmcom/wxs-client-liberty:latest

Vulnerability Data by Clair

No OS package vulnerabilities found

✅ Manifest File: worker/Dockerfile-ibmcom/ibmjava:sdk

Vulnerability Data by Clair

No OS package vulnerabilities found

✅ Manifest File: wxs_cat/Dockerfile-ibmcom/wxs:latest

Vulnerability Data by Clair

No OS package vulnerabilities found

✅ Manifest File: wxs_con/Dockerfile-ibmcom/wxs:latest

Vulnerability Data by Clair

No OS package vulnerabilities found

✅ Manifest File: voting-app/pom.xml

Vulnerability Data by Snyk

No application package vulnerabilities found

✅ Manifest File: worker/pom.xml

Vulnerability Data by Snyk

No application package vulnerabilities found

❌ Manifest File: result-app/pom.xml

Vulnerability Data by Snyk

Package Name: com.google.guava:guava Version : 18.0

Vulnerabilities

  1. ID: CVE-2020-8908
    Severity: medium
    Fixed in Version: 24.1.1-android
    Description: com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset,immutable collections, a graph library, functional types, an in-memory cache and more. Affected versions of this package are vulnerable to Information Disclosure. The file permissions on the file created by com.google.common.io.Files.createTempDir allows an attacker running a malicious program co-resident on the same machine can steal secrets stored in this directory. This is because by default on unix-like operating systems the /temp directory is shared between all users, so if the correct file permissions aren't set by the directory/file creator, the file becomes readable by all other users on that system.

  2. ID: CVE-2018-10237
    Severity: medium
    Fixed in Version: 24.1.1-android
    Description: com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset,immutable collections, a graph library, functional types, an in-memory cache and more. Affected versions of this package are vulnerable to Deserialization of Untrusted Data. During deserialization, two Guava classes accept a caller-specified size parameter and eagerly allocate an array of that size:

  • AtomicDoubleArray (when serialized with Java serialization)
  • CompoundOrdering (when serialized with GWT serialization)

An attacker may be able to send a specially crafted request which with then cause the server to allocate all it's memory, without validation whether the data size is reasonable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@kavisuresh