Hi,
Several dependencies have been removed since the log4j incident, so keeping an eye on unnecessary dependencies is something we should continue doing. If you have not tried it yet, you can run
mvn dependency:tree
to see how the dependencies are built up as a tree.
Is it known what attack surfaces these libraries open against Nikita as a web service?
No particular work has been done on this recently, but I previously explored the dependency-check-maven plugin for Maven. It may be time to do that again. I quickly found a bit more information about it here:
https://nullbeans.com/2021/02/28/how-to-identify-vulnerable-dependencies-in-...
but it has been a while since I looked at it. GitLab also had a vulnerability checker as part of CI. These are things that are definitely worth trying to get more of into CI.
Are all these 161 dependencies really needed to run Nikita?
If you look at the dependency tree you will see that many of these are Spring dependencies.
For example asciidoctor and jruby seem a bit odd to me.
Both of these in particular; the asciidoctor dependency is in use. If you look in the file:
target/generated-docs/index.html
you will see the start of an effort to create our own documentation, generated at build time. There is room here for a lot of useful documentation for developers. Unfortunately, I have not had time to continue working on this, so it may be that we take it out of the project.
Why are both json and jsonsmart needed?
[INFO] +- org.json:json:jar:20231013:compile
indicates that it is a standalone dependency. This is something that should have been handled by Spring, in my opinion.
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:3.2.5:test
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:3.2.5:test
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:3.2.5:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.9.0:test
[INFO] |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:4.0.2:compile
[INFO] |  +- net.minidev:json-smart:jar:2.5.1:compile
If you look at the dependency tree, it is really everything that does not hang off a Spring dependency that we can/should question.
Spending some time on dependencies in Spring projects is always a good idea, and something we should spend a bit of time on here.
Thomas
________________________________
From: Petter Reinholdtsen pere@hungry.com
Sent: Monday 16 December 2024 16:42
To: nikita-noark@nuug.no nikita-noark@nuug.no
Subject: Attack surface against Nikita - startup dependencies
I took a look at 'ps -ef|grep java' after starting Nikita with 'make run', and see the following 161 entries as arguments to -cp to start Nikita:
Is it known what attack surfaces these libraries open against Nikita as a web service? Are all these 161 dependencies really needed to run Nikita? For example asciidoctor and jruby seem a bit odd to me. Why are both json and jsonsmart needed?
--
Kind regards,
Petter Reinholdtsen
_______________________________________________
nikita-noark mailing list -- nikita-noark@nuug.no
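As an added example, not code from the Nikita project or from anyone in this thread, the rule Thomas gives (anything that does not hang off a Spring dependency is what to question) applied mechanically to `mvn dependency:tree` output, plus a lookup of which direct dependency drags a given artifact such as json-smart onto the classpath. The sample tree is constructed from the fragments quoted above; the root coordinates and the trusted group prefix are assumptions.

```python
import re
from dataclasses import dataclass
# One node per line: "[INFO] ", one "|  " or "   " per level, "+- " or "\- ", then group:artifact:type[:classifier]:version:scope
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:\|  |   )*)(?:\+- |\\- )(?P<gav>\S+)$")

@dataclass
class Dep:
    depth: int      # 1 = declared directly in the project's pom
    group: str
    artifact: str
    scope: str
    via: str        # the direct dependency that pulls this node in
# Constructed sample modelled on the thread's fragments; root coordinates are an assumption.
SAMPLE_TREE = """\
[INFO] example:nikita:jar:0.0.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.2.5:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:3.2.5:compile
[INFO] |  \\- org.springframework:spring-webmvc:jar:6.1.6:compile
[INFO] +- org.json:json:jar:20231013:compile
[INFO] +- org.asciidoctor:asciidoctorj:jar:2.5.7:compile
[INFO] |  \\- org.jruby:jruby:jar:9.3.8.0:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-test:jar:3.2.5:test
[INFO]    +- com.jayway.jsonpath:json-path:jar:2.9.0:test
[INFO]    \\- net.minidev:json-smart:jar:2.5.1:compile
"""

def parse_tree(text):
    """Turn dependency:tree output into Dep records, each tagged with its direct ancestor."""
    deps, ancestors = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # root line or unrelated Maven output
        depth = len(m.group("prefix")) // 3 + 1
        parts = m.group("gav").split(":")
        group, artifact, scope = parts[0], parts[1], parts[-1]
        ancestors[depth] = f"{group}:{artifact}"
        deps.append(Dep(depth, group, artifact, scope, ancestors[1]))
    return deps

def questionable(deps, trusted=("org.springframework",)):
    """Direct dependencies not managed through Spring: the ones to justify or drop."""
    return [f"{d.group}:{d.artifact}" for d in deps
            if d.depth == 1 and not d.group.startswith(trusted)]

def pulled_in_by(deps, artifact):
    """Which direct dependencies drag `artifact` onto the classpath."""
    return sorted({d.via for d in deps if d.artifact == artifact})
```

Feed `parse_tree` the saved output of `mvn dependency:tree` to get the same two answers for the real project.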