Security Vulnerability Identified in software.amazon:flow:1.7 Dependency #1227

Closed
SamBumgardner opened this issue Apr 24, 2019 · 7 comments
Labels: dependencies (This issue is a problem in a dependency.)

Comments

@SamBumgardner

Running DependencyCheck on a project mid-migration to software.amazon.awssdk:sns:2.5.29 revealed a possible vulnerability:

The dependency software.amazon:flow:1.7 contains CVE-2018-13525

I don't have a good idea of how to tell if it's a false positive or not, since I don't have a clear idea of how it's being used behind-the-scenes.

Please let me know if there's any further investigation I can do to help dig up more information on this issue.

@varunnvs92
Contributor

The flow library is a copy of aws-eventstream-java repo and is included along with the SDK before the other repo was open sourced. We have plans to remove flow from our repo and add a dependency on the other library.

Can you run the check on eventstream library and cut a ticket there if vulnerability still exists?
Github repo: https://github.com/awslabs/aws-eventstream-java
Maven artifact: https://mvnrepository.com/artifact/software.amazon.eventstream/eventstream/1.0.0

@SamBumgardner
Author

Thanks for the info. I confirmed that aws-eventstream-java is vulnerability free!

My team would like to put off migrating to v2 until this vulnerability is resolved - could we use this ticket (or a new one) to track the switch from flow to aws-eventstream-java?

@varunnvs92
Contributor

Sure, we will use this for tracking.

@varunnvs92
Contributor

After discussing with the team, I am not sure if we are actually affected. The CVE says "The mintToken function of a smart contract implementation for Flow, ...". The flow library we use doesn't have a mintToken function unless I missed something. Can you clarify the vulnerability?

@SamBumgardner
Author

I was confused by that too - it seems like a strange thing to have hanging out in the flow dependency. I don't have much visibility into the library, though, so I don't have a reliable way to tell if it's a false positive or not.

If your team agrees that it's a false positive, that would be great news for us. I wanted to raise the issue in the first place because I don't have a good idea of what's actually going on in the potentially vulnerable dependency.

@varunnvs92
Contributor

We think it's a false positive as the flow library is just a clone of aws-eventstream-java (before it went open source). Anyway, we will schedule the work to move to aws-eventstream-java as customers can get better support from the owning team.

@varunnvs92 varunnvs92 added dependencies This issue is a problem in a dependency. and removed SECURITY labels Apr 26, 2019
@dagnir
Contributor

dagnir commented May 2, 2019

Closing this as it was a false positive. The move to the eventstream library can be tracked in the PR: #1220

@dagnir dagnir closed this as completed May 2, 2019
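The finding in this thread is a name collision: DependencyCheck matched the `software.amazon:flow` artifact against CVE-2018-13525, which describes a `mintToken` function in an Ethereum smart contract called "Flow", not a Java library. Once a team has confirmed that (as the maintainers did above, by noting the jar is a clone of aws-eventstream-java with no such function), the usual way to keep the scan green without muting the whole dependency is a suppression scoped to that one CVE and that one artifact. The following suppression file is an added example, not part of the issue thread or of the AWS SDK project; it uses the DependencyCheck suppression XML schema, and the package URL pattern for the flow jar is assumed to be `pkg:maven/software.amazon/flow` (a placeholder to verify against the `packageUrl` shown in your own report).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: DependencyCheck suppression for the CVE-2018-13525 false positive
     discussed in this issue. Scoped to one artifact and one CVE so any other finding
     against the flow jar, or this CVE against some other artifact, still reports. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        CVE-2018-13525 describes the mintToken function of an Ethereum smart contract
        named "Flow". software.amazon:flow is a Java copy of aws-eventstream-java and
        contains no such code; confirmed false positive (aws-sdk-java-v2 issue #1227).
        Remove this rule once the SDK depends on software.amazon.eventstream:eventstream
        instead of software.amazon:flow (tracked in PR #1220).
        ]]></notes>
        <!-- Assumed package URL for the flow jar; check the packageUrl in your report. -->
        <packageUrl regex="true">^pkg:maven/software\.amazon/flow@.*$</packageUrl>
        <cve>CVE-2018-13525</cve>
    </suppress>
</suppressions>
```

Point the scan at the file (for the Maven plugin, the `suppressionFiles` configuration parameter; for the CLI, `--suppression`) and re-run; the report should then list the flow jar without the CVE while still showing any genuinely applicable findings. Keeping the justification in the `notes` block, with the upstream issue number, is what makes the suppression auditable later, and tying it to the artifact rather than to the whole scan means it stops matching on its own once the migration to eventstream lands.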