Skip to content

[NCL-9724] Fix CVEs#727

Open
patrikk0123 wants to merge 3 commits into
project-ncl:masterfrom
patrikk0123:ncl9724-2
Open

[NCL-9724] Fix CVEs#727
patrikk0123 wants to merge 3 commits into
project-ncl:masterfrom
patrikk0123:ncl9724-2

Conversation

@patrikk0123

Copy link
Copy Markdown
Member

Checklist:

  • Have you added unit tests for your change?

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Mend Scan Results

Status: ⚠️ Findings detected

⚠️ SCA findings detected

⚠️ SAST findings detected

SCA scan output
pentelemetry-api-1.60.1.jar [1 MEDIUM]
		|-- opentelemetry-sdk-1.60.1.jar
			|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
			|-- opentelemetry-sdk-common-1.60.1.jar
				|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
			|-- opentelemetry-sdk-metrics-1.60.1.jar
				|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
			|-- opentelemetry-sdk-trace-1.60.1.jar
				|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
		|-- opentelemetry-semconv-1.29.0-alpha.jar
			|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
reports-backend-3.0.1-SNAPSHOT.jar
|-- communication-3.0.1-SNAPSHOT.jar
	|-- source-code-manager-3.0.1-SNAPSHOT.jar
		|-- quarkus-quartz-3.37.0.jar
			|-- opentelemetry-instrumentation-api-2.26.1.jar
				|-- opentelemetry-api-incubator-1.60.1-alpha.jar
					|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
				|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
	|-- pnc-common-3.5.1-jakarta.jar
		|-- opentelemetry-ext-cli-java-2.1.0.jar
			|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
			|-- opentelemetry-exporter-otlp-1.60.1.jar
				|-- opentelemetry-exporter-otlp-common-1.60.1.jar
					|-- opentelemetry-exporter-common-1.60.1.jar
						|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
				|-- opentelemetry-sdk-logs-1.60.1.jar
					|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
				|-- opentelemetry-sdk-metrics-1.60.1.jar
					|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
				|-- opentelemetry-sdk-trace-1.60.1.jar
					|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
			|-- opentelemetry-sdk-1.60.1.jar
				|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
				|-- opentelemetry-sdk-common-1.60.1.jar
					|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
			|-- opentelemetry-semconv-1.29.0-alpha.jar
				|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
|-- rest-client-jakarta-3.4.5.jar
	|-- common-3.4.5-jakarta.jar
		|-- opentelemetry-instrumentation-annotations-2.27.0.jar
			|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
reports-rest-3.0.1-SNAPSHOT.jar
|-- reports-backend-3.0.1-SNAPSHOT.jar
	|-- communication-3.0.1-SNAPSHOT.jar
		|-- source-code-manager-3.0.1-SNAPSHOT.jar
			|-- quarkus-quartz-3.37.0.jar
				|-- opentelemetry-instrumentation-api-2.26.1.jar
					|-- opentelemetry-api-incubator-1.60.1-alpha.jar
						|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
					|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
|-- rest-client-jakarta-3.4.5.jar
	|-- common-3.4.5-jakarta.jar
		|-- opentelemetry-instrumentation-annotations-2.27.0.jar
			|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
	|-- pnc-common-3.5.1-jakarta.jar
		|-- opentelemetry-ext-cli-java-2.1.0.jar
			|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
			|-- opentelemetry-exporter-otlp-1.60.1.jar
				|-- opentelemetry-exporter-otlp-common-1.60.1.jar
					|-- opentelemetry-exporter-common-1.60.1.jar
						|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
				|-- opentelemetry-sdk-trace-1.60.1.jar
					|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
			|-- opentelemetry-sdk-1.60.1.jar
				|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
				|-- opentelemetry-sdk-common-1.60.1.jar
					|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
				|-- opentelemetry-sdk-logs-1.60.1.jar
					|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
				|-- opentelemetry-sdk-metrics-1.60.1.jar
					|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
			|-- opentelemetry-semconv-1.29.0-alpha.jar
				|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
source-code-manager-3.0.1-SNAPSHOT.jar
|-- quarkus-quartz-3.37.0.jar
	|-- opentelemetry-instrumentation-api-2.26.1.jar
		|-- opentelemetry-api-incubator-1.60.1-alpha.jar
			|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
		|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
testsuite-3.0.1-SNAPSHOT.jar
|-- application-3.0.1-SNAPSHOT.jar
	|-- quarkus-micrometer-opentelemetry-3.37.0.jar
		|-- opentelemetry-micrometer-1.5-2.26.1-alpha.jar
			|-- opentelemetry-instrumentation-api-2.26.1.jar
				|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
			|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
		|-- quarkus-opentelemetry-3.37.0.jar
			|-- opentelemetry-instrumentation-annotations-support-2.26.1-alpha.jar
				|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
			|-- opentelemetry-jdbc-2.26.1-alpha.jar
				|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
			|-- opentelemetry-runtime-telemetry-java17-2.26.1-alpha.jar
				|-- opentelemetry-runtime-telemetry-2.26.1-alpha.jar
					|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
				|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
			|-- opentelemetry-api-incubator-1.60.1-alpha.jar
				|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
			|-- opentelemetry-exporter-otlp-common-1.60.1.jar
				|-- opentelemetry-exporter-common-1.60.1.jar
					|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
			|-- opentelemetry-sdk-1.60.1.jar
				|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
				|-- opentelemetry-sdk-common-1.60.1.jar
					|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
				|-- opentelemetry-sdk-metrics-1.60.1.jar
					|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
				|-- opentelemetry-sdk-trace-1.60.1.jar
					|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
|-- rest-client-jakarta-3.4.5.jar
	|-- common-3.4.5-jakarta.jar
		|-- opentelemetry-instrumentation-annotations-2.27.0.jar
			|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
	|-- pnc-common-3.5.1-jakarta.jar
		|-- opentelemetry-ext-cli-java-2.1.0.jar
			|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
			|-- opentelemetry-exporter-otlp-1.60.1.jar
				|-- opentelemetry-sdk-logs-1.60.1.jar
					|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]
			|-- opentelemetry-semconv-1.29.0-alpha.jar
				|-- opentelemetry-api-1.60.1.jar [1 MEDIUM]


No Policy violations were detected

Project 'dependency-analysis' was updated, for more information, visit the Mend platform: https://ibmets.whitesourcesoftware.com/app/orgs/Enterprise%20Applications/applications/summary?project=17cd357b-3d0e-43ac-a982-661505cac482
Or the Core UI: https://ibmets.whitesourcesoftware.com/Wss/WSS.html#!project;token=d38fa0abfb554c9cac571a09497e0af3f534680889b74705ab11e416b1c07dd4

Mend AI scan succeeded.

Support Token: 167a9ab00cc93484bb4e7418a350e06981782828567041
SAST scan output
warning: 'info' method of 'org.slf4j.Logger' object could be abused to perform a Log Injection attack. User input reached a Log4j sink. (reports-rest/src/main/java/org/jboss/da/rest/reports/Reports.java:142)
warning: 'info' method of 'org.slf4j.Logger' object could be abused to perform a Log Injection attack. User input reached a Log4j sink. (reports-rest/src/main/java/org/jboss/da/rest/reports/Reports.java:140)
warning: 'info' method of 'org.slf4j.Logger' object could be abused to perform a Log Injection attack. User input reached a Log4j sink. (reports-rest/src/main/java/org/jboss/da/rest/reports/Reports.java:122)
warning: 'info' method of 'org.slf4j.Logger' object could be abused to perform a Log Injection attack. User input reached a Log4j sink. (source-code-manager/src/main/java/org/jboss/da/scm/impl/SCMImpl.java:69)
warning: 'info' method of 'org.slf4j.Logger' object could be abused to perform a Log Injection attack. User input reached a Log4j sink. (reports-rest/src/main/java/org/jboss/da/rest/reports/Reports.java:124)
warning: 'info' method of 'org.slf4j.Logger' object could be abused to perform a Log Injection attack. User input reached a Log4j sink. (reports-backend/src/main/java/org/jboss/da/reports/impl/ReportsGeneratorImpl.java:571)
warning: 'info' method of 'org.slf4j.Logger' object could be abused to perform a Log Injection attack. User input reached a Log4j sink. (reports-rest/src/main/java/org/jboss/da/rest/reports/Reports.java:101)
warning: 'info' method of 'org.slf4j.Logger' object could be abused to perform a Log Injection attack. User input reached a Log4j sink. (reports-rest/src/main/java/org/jboss/da/rest/reports/Reports.java:103)
warning: 'info' method of 'org.slf4j.Logger' object could be abused to perform a Log Injection attack. User input reached a Log4j sink. (source-code-manager/src/main/java/org/jboss/da/scm/impl/SCMImpl.java:44)

Full logs and artifacts

@patrikk0123 patrikk0123 force-pushed the ncl9724-2 branch 2 times, most recently from bd9bf97 to ccbd608 Compare June 30, 2026 12:48
@patrikk0123

Copy link
Copy Markdown
Member Author

First migrated to maven scm provider v2, which brought more CVEs.
v2 also doesn't support cloning by hash, so made the implementation fully cover the git cloning, without the scm provider.
Now scm provider isn't needed for the git part.


/**
* Tries to do a shallow clone (clone only the requested revision) of the remote repository to the local directory.
* First tries to do it using the git, otherwise falls back to ScmManager.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

outdated

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant