-
Notifications
You must be signed in to change notification settings - Fork 170
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SNOW-1732054: CVE-2024-47554 is marking affecting this package due to using a version of Apache Commons IO below version 2.14.0 #1913
Comments
Thanks for the heads up @HappyZombies. Just a few things to note here. The CVE's status is currently "awaiting analysis.". The initial information says the potential issue is with the So while we could probably just upgrade those libraries, I'm not sure it's really necessary at this point. Would you agree with that assessment? |
besides being a likely false positive hit for snowflake-jdbc, i don't really get why the linked advisory is classified at 8.7 High (which then of course Sonatype and other scanners pick up as High), it looks like other companies classify differently:
hopefully the advisory can get adjusted sometime but as my colleague mentioned, we don't rely on the vulnerable class. |
Thank you all for replying! So I started this issue because I noticed that a few days ago, the protobuf package was updated (#1910) due to the following CVE https://nvd.nist.gov/vuln/detail/CVE-2024-7254 (which btw, is still in Awaiting Analysis -- but I'm guessing it was merged/updated since the affected issue is more widespread). But anyways I think I see now how/why this is more than likely a false positive, since the CVE is mentioning a specific file and version, and the fact that it's there is probably tripping these scanners (such as Sonatype) -- even if the method is not being used directly by this package. In addition I also find it interesting how different sites are ranking these vulnerabilities...weird. So while I think it wouldn't hurt to update these anyways, I'm ok with just waiting to see how this plays out. Thanks! |
|
PR is merged and will be part of the next release cycle |
Released in version 3.20.0 |
As per GHSA-78wr-2p64-hpwj, this package is using version 2.11.0 of the Apache Commons IO -- https://github.com/snowflakedb/snowflake-jdbc/blob/master/thin_public_pom.xml#L42
I believe a simple update to the latest version should address this, https://commons.apache.org/proper/commons-io/changes-report.html#a2.17.0 if not at least to version 2.14.0
In addition, I think that Apache Commons Text, https://github.com/snowflakedb/snowflake-jdbc/blob/master/parent-pom.xml#L19 , which is on version 1.10.0 could also use the update? As it's io version is also 2.11.0 https://github.com/apache/commons-text/blob/rel/commons-text-1.10.0/pom.xml#L108
The text was updated successfully, but these errors were encountered: