Details
- Task
- Status: Draft
- P2
- Resolution: Unresolved
- ERM Sprint 155-156
- K-Int
- Related dependency upgrade
Description
Reported by security team:
The following back-end modules use http-builder:
https://github.com/folio-org/mod-service-interaction/blob/v2.0.0/service/build.gradle#L145
https://github.com/folio-org/mod-licenses/blob/v4.2.1/service/build.gradle#L142
https://github.com/folio-org/mod-remote-sync/blob/a44270c525494b5001f9759656dd1df489748ea2/service/build.gradle#L150
http-builder has been unsupported since 2014.
Its dependencies have multiple security vulnerabilities:
- https://nvd.nist.gov/vuln/detail/CVE-2020-13956, Base Score: 5.3
- https://nvd.nist.gov/vuln/detail/CVE-2015-5262
- https://nvd.nist.gov/vuln/detail/CVE-2014-3577
- https://nvd.nist.gov/vuln/detail/CVE-2012-6153
- https://nvd.nist.gov/vuln/detail/CVE-2016-6814, Base Score: 9.8
- https://nvd.nist.gov/vuln/detail/CVE-2015-3253, Base Score: 9.8
- https://nvd.nist.gov/vuln/detail/CVE-2021-29425, Base Score: 4.8
- https://nvd.nist.gov/vuln/detail/CVE-2022-23305, Base Score: 9.8
- https://nvd.nist.gov/vuln/detail/CVE-2022-23302, Base Score: 8.8
- https://nvd.nist.gov/vuln/detail/CVE-2021-4104, Base Score: 7.5
- https://nvd.nist.gov/vuln/detail/CVE-2019-17571, Base Score: 9.8
- https://nvd.nist.gov/vuln/detail/CVE-2015-7501, Base Score: 9.8
For details see https://mvnrepository.com/artifact/org.codehaus.groovy.modules.http-builder/http-builder/0.7.1
Task: Replace http-builder with supported software libraries.
We need to assess what action, if any, needs to be taken.
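To support that assessment, the following is an added helper (editor's example, not part of this ticket or the FOLIO modules) that parses the output of `./gradlew :service:dependencies --configuration runtimeClasspath` and reports which resolved artifacts the CVEs listed above concern, so each module can confirm what it actually ships. The sample tree is constructed, not captured from mod-licenses or the other modules, and the CVE-to-artifact mapping is taken from the NVD entries rather than from the ticket.

```python
import re

# Constructed excerpt of Gradle `dependencies` output for a module declaring
# http-builder 0.7.1. Illustrative only; not captured from any FOLIO module.
SAMPLE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.codehaus.groovy.modules.http-builder:http-builder:0.7.1
|    +--- org.apache.httpcomponents:httpclient:4.2.1 -> 4.5.12
|    |    \\--- org.apache.httpcomponents:httpcore:4.4.13
|    +--- net.sf.json-lib:json-lib:2.3
|    |    \\--- commons-collections:commons-collections:3.2.1
|    \\--- org.codehaus.groovy:groovy:2.4.21
+--- log4j:log4j:1.2.17
\\--- commons-io:commons-io:2.6
"""

# Artifacts named by the ticket's CVEs (mapping from the NVD entries; editor's addition).
CVES_BY_ARTIFACT = {
    "org.apache.httpcomponents:httpclient": ["CVE-2020-13956", "CVE-2015-5262", "CVE-2014-3577", "CVE-2012-6153"],
    "org.codehaus.groovy:groovy": ["CVE-2016-6814", "CVE-2015-3253"],
    "commons-io:commons-io": ["CVE-2021-29425"],
    "log4j:log4j": ["CVE-2022-23305", "CVE-2022-23302", "CVE-2021-4104", "CVE-2019-17571"],
    "commons-collections:commons-collections": ["CVE-2015-7501"],
}

# group:artifact:version, optionally followed by Gradle's "-> resolvedVersion" marker
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):([\w.\-]+)(?:\s+->\s+([\w.\-]+))?")

def resolved_coordinates(tree: str) -> dict:
    """Map group:artifact to the version Gradle actually resolved (the '->' target wins)."""
    resolved = {}
    for line in tree.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        group, artifact, declared, forced = m.groups()
        resolved[f"{group}:{artifact}"] = forced or declared
    return resolved

def cves_on_classpath(tree: str) -> dict:
    """Return {group:artifact:resolvedVersion: [CVE ids]} for artifacts the ticket's CVEs name."""
    hits = {}
    for ga, version in resolved_coordinates(tree).items():
        if ga in CVES_BY_ARTIFACT:
            hits[f"{ga}:{version}"] = CVES_BY_ARTIFACT[ga]
    return hits

if __name__ == "__main__":
    for coord, cves in cves_on_classpath(SAMPLE_TREE).items():
        print(coord, "->", ", ".join(cves))
```

The resolved version, not the version http-builder declares, is what must be compared against each NVD entry's affected range; a `->` in the tree means another dependency or a constraint already forced an upgrade.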