Plugin pulls in org.glassfish:jakarta.json:2.0.1 which is flagged by vulnerability scanners

[bmuschko]

Precondition

• I checked the issues list for existing open or closed reports of the same problem.

This was reported before but has been closed without a fix: #7192. Please see the explanation on why it needs fixing below.

Describe the bug

Vulnerability scanners flag the transitive dependency org.glassfish:jakarta.json:2.0.1 as vulnerable.

• CVE-2023-4043
• CVE-2023-7272

These CVEs are being reported because org.glassfish:jakarta.json is the older, unmaintained implementation that was replaced by Eclipse Parsson. The vulnerabilities exist in the underlying JSON parsing code that both share.

Version of dependency-check used

Gradle plugin: org.owasp:dependency-check-gradle:12.1.8

Log file

N/A

To Reproduce

N/A

Expected behavior

org.glassfish:jakarta.json → migrated to → org.eclipse.parsson:parsson

The org.glassfish artifact is the original implementation and is no longer maintained. Security scanners flag it because it contains the same vulnerable code patterns that were later fixed in Eclipse Parsson. The latest Eclipse Parsson versions (1.0.5+ or 1.1.4+) have both vulnerabilities fixed.

Additional context

N/A

[chadlwilson]

Sorry, I am a bit confused by this ticket. ODC “is” a vulnerability/security scanner, so I don’t really follow the title “Plugin pulls in org.glassfish:jakarta.json:2.0.1 which is flagged by vulnerability scanners” and the comment “ Security scanners flag it because”.

Are you reporting a false positive for a dependency of some Gradle project you are scanning with ODC, the same as the original ticket? Or are you noting an issue with a dependency of ODC itself?

If the former, any reason you filed a bug rather than a false positive report? The latter format collects the information in a standard way and automates collecting information to help a very small number of volunteers keep the project going in their spare time, as with the ticket you linked.

[bmuschko]

I am reporting an issue for the org.owasp.dependencycheck Gradle plugin. In the plugin page, it list this GitHub repository as the source. That's why I reported the issue here.

Maybe the code lives somewhere else and the information provided for the plugin is not correct?

Build script:

plugins {
    id("org.owasp.dependencycheck") version "2.7.2"
}

Transitive dependencies. See the org.glassfish:jakarta.json:2.0.1 marked below with an arrow.

$ gradle buildEnv
classpath
\--- org.owasp.dependencycheck:org.owasp.dependencycheck.gradle.plugin:12.1.9
     \--- org.owasp:dependency-check-gradle:12.1.9
          +--- io.github.jeremylong:jcs3-slf4j:1.0.5
          |    +--- org.apache.commons:commons-jcs3-core:3.0 -> 3.2.1
          |    \--- org.slf4j:slf4j-api:1.7.36 -> 2.0.12
          +--- org.owasp:dependency-check-core:12.1.9
          |    +--- io.github.jeremylong:open-vulnerability-clients:7.3.2
          |    |    +--- org.apache.httpcomponents.client5:httpclient5:5.4.3 -> 5.5.1
          |    |    |    +--- org.apache.httpcomponents.core5:httpcore5:5.3.6
          |    |    |    +--- org.apache.httpcomponents.core5:httpcore5-h2:5.3.6
          |    |    |    |    \--- org.apache.httpcomponents.core5:httpcore5:5.3.6
          |    |    |    \--- org.slf4j:slf4j-api:1.7.36 -> 2.0.12
          |    |    +--- org.apache.httpcomponents.client5:httpclient5-cache:5.4.3
          |    |    |    +--- org.apache.httpcomponents.client5:httpclient5:5.4.3 -> 5.5.1 (*)
          |    |    |    \--- org.slf4j:slf4j-api:1.7.36 -> 2.0.12
          |    |    +--- com.fasterxml.jackson:jackson-bom:2.18.3 -> 2.20.1
          |    |    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.20 (c)
          |    |    |    +--- com.fasterxml.jackson.core:jackson-core:2.20.1 (c)
          |    |    |    +--- com.fasterxml.jackson.core:jackson-databind:2.20.1 (c)
          |    |    |    +--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.20.1 (c)
          |    |    |    +--- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.20.1 (c)
          |    |    |    \--- com.fasterxml.jackson.module:jackson-module-blackbird:2.20.1 (c)
          |    |    +--- com.fasterxml.jackson.core:jackson-databind -> 2.20.1
          |    |    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.20
          |    |    |    +--- com.fasterxml.jackson.core:jackson-core:2.20.1
          |    |    |    |    \--- com.fasterxml.jackson:jackson-bom:2.20.1 (*)
          |    |    |    \--- com.fasterxml.jackson:jackson-bom:2.20.1 (*)
          |    |    +--- com.fasterxml.jackson.datatype:jackson-datatype-jsr310 -> 2.20.1
          |    |    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.20
          |    |    |    +--- com.fasterxml.jackson.core:jackson-core:2.20.1 (*)
          |    |    |    +--- com.fasterxml.jackson.core:jackson-databind:2.20.1 (*)
          |    |    |    \--- com.fasterxml.jackson:jackson-bom:2.20.1 (*)
          |    |    \--- com.samskivert:jmustache:1.16
          |    +--- org.anarres.jdiagnostics:jdiagnostics:1.0.7
          |    +--- org.whitesource:pecoff4j:0.0.2.1
          |    +--- org.apache.commons:commons-jcs3-core:3.2.1
          |    +--- io.github.jeremylong:jcs3-slf4j:1.0.5 (*)
          |    +--- com.github.package-url:packageurl-java:1.5.0
          |    +--- us.springett:cpe-parser:3.0.1
          |    |    \--- org.slf4j:slf4j-api:1.7.36 -> 2.0.12
          |    +--- org.semver4j:semver4j:5.8.0
          |    |    \--- org.jspecify:jspecify:1.0.0
          |    +--- org.slf4j:slf4j-api:1.7.36 -> 2.0.12
          |    +--- org.owasp:dependency-check-utils:12.1.9
          |    |    +--- commons-io:commons-io:2.21.0
          |    |    +--- org.apache.commons:commons-lang3:3.19.0
          |    |    +--- org.apache.httpcomponents.client5:httpclient5:5.5.1 (*)
          |    |    +--- org.apache.httpcomponents.core5:httpcore5:5.3.6
          |    |    +--- com.fasterxml.jackson.core:jackson-databind:2.20.1 (*)
          |    |    +--- com.fasterxml.jackson.core:jackson-core:2.20.1 (*)
          |    |    \--- org.slf4j:slf4j-api:1.7.36 -> 2.0.12
          |    +--- org.apache.commons:commons-collections4:4.5.0
          |    +--- org.apache.commons:commons-compress:1.27.1
          |    |    +--- commons-codec:commons-codec:1.17.1
          |    |    +--- commons-io:commons-io:2.16.1 -> 2.21.0
          |    |    \--- org.apache.commons:commons-lang3:3.16.0 -> 3.19.0
          |    +--- commons-io:commons-io:2.21.0
          |    +--- org.apache.commons:commons-lang3:3.19.0
          |    +--- org.apache.commons:commons-text:1.14.0
          |    |    \--- org.apache.commons:commons-lang3:3.18.0 -> 3.19.0
          |    +--- org.apache.commons:commons-dbcp2:2.13.0
          |    |    +--- org.apache.commons:commons-pool2:2.12.0
          |    |    +--- commons-logging:commons-logging:1.3.4 -> 1.3.5
          |    |    \--- jakarta.transaction:jakarta.transaction-api:1.3.3
          |    +--- org.apache.lucene:lucene-core:9.12.3
          |    +--- org.apache.lucene:lucene-analysis-common:9.12.3
          |    |    \--- org.apache.lucene:lucene-core:9.12.3
          |    +--- org.apache.lucene:lucene-queryparser:9.12.3
          |    |    +--- org.apache.lucene:lucene-core:9.12.3
          |    |    +--- org.apache.lucene:lucene-queries:9.12.3
          |    |    |    \--- org.apache.lucene:lucene-core:9.12.3
          |    |    \--- org.apache.lucene:lucene-sandbox:9.12.3
          |    |         +--- org.apache.lucene:lucene-core:9.12.3
          |    |         +--- org.apache.lucene:lucene-queries:9.12.3 (*)
          |    |         \--- org.apache.lucene:lucene-facet:9.12.3
          |    |              \--- org.apache.lucene:lucene-core:9.12.3
          |    +--- org.slf4j:jul-to-slf4j:1.7.36
          |    |    \--- org.slf4j:slf4j-api:1.7.36 -> 2.0.12
          |    +--- org.apache.velocity:velocity-engine-core:2.4.1
          |    |    +--- org.apache.commons:commons-lang3:3.17.0 -> 3.19.0
          |    |    \--- org.slf4j:slf4j-api:1.7.36 -> 2.0.12
          |    +--- com.h2database:h2:2.4.240
          |    +--- org.glassfish:jakarta.json:2.0.1           <----------
...

[chadlwilson]

I didn’t question why you are reporting the issue here, I’m trying to understand what type of issue you are trying to report, as you did not provide clear reproduction steps, and instead linked to #7192 which is a false positive report.

A FP report like #7192 is different to reporting an issue with the dependencies of the ODC software itself.

What are you using to determine that this dependency has vulnerabilities to be concerned with?

[bmuschko]

Maybe my link to the other issue is more confusing than helping. I saw the same dependency reported in #7192 given that you were asking to check for existing issues in your issue template. Forget about this now. It's about the dependency org.glassfish:jakarta.json:2.0.1 pulled in by the org.owasp.dependencycheck Gradle plugin.

I can't give you more information about the vulnerability scanner as this has been detected in a governed environment. I believe it has been detected by Sonatype Lifecycle.

[chadlwilson]

It’s pretty bizarre to be scanning one dependency scanner with another in such an environment to be honest, especially if you can’t supply the specific information about why it claims it’s vulnerable, and the CVEs linked are not linked to the older glassfish CPEs/versions. That kind of opacity is not in the interests of open source security.

It’s possible it’s correct, but “please do volunteer/free work for me to migrate this dependency to a new version because some tool I can’t tell you about says” doesn’t really allow for much in the way of thoughtful analysis.

[bmuschko]

It’s pretty bizarre to be scanning one dependency scanner with another in such an environment to be honest, especially if you can’t supply the specific information about why it claims it’s vulnerable, and the CVEs linked are not linked to the older glassfish CPEs/versions. That kind of opacity is not in the interests of open source security.

The situation is more of the following: All dependencies that are requested by a consumer are scanned independent of their origin (regular dependencies, build dependencies, dependencies of dependency scanners). It's not that I don't want to provide you with more details but 1) I don't have the exact details on the scanning mechanism used and 2) I am legally bound.

It’s possible it’s correct, but “please do volunteer/free work for me to migrate this dependency to a new version because some tool I can’t tell you about says” doesn’t really allow for much in the way of thoughtful analysis.

I see opening an issue as the beginning of a conversation, not necessarily an obligation for you to provide a fix. I'd be happy to send a PR and add the details in the description on "why" I think the change makes sense. Let me know.

[chadlwilson]

Yeah, I'm sure a PR would be welcome if we indeed can move to the newer parser incarnation without other dependency clashes, independent of whether there is actually a security issue here or not (I am suspicious of that, but whatever).

[bmuschko]

I created this PR:

• build: Transition dependency to org.eclipse.parsson groupId #8128