Dependency to com.squareup.wire:wire-runtime:2.2.0 with CVEs

[eaglerainbow]

Dependency Security Scans of our project indicate that through org.cloudfoundry:cloudfoundry-client:5.6.0-RELEASE (most recent version as of writing) the dependency com.squareup.wire:wire-runtime:2.2.0 is declared.
This version is known to be subject to (at least) 3 CVEs (evidence):

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237

The most current version of wire-runtime is 4.0.1, dating from December 2021, which apparently has these CVEs fixed.

Is it possible for the project to bump to a newer version to resolve the associated security risks?

[dmikusa]

We'll get this and a few other versions bumped shortly.

For what it's worth, our releases do not bundle these dependencies in them. It's just referenced. You should be able to override the version in your own pom.xml.

For example:

                <dependency>
			<groupId>com.squareup.wire</groupId>
			<artifactId>wire-runtime</artifactId>
			<version>4.0.1</version>
		</dependency>

Let me know if you're hitting problems with that. Thanks

[donacarr]

Just to let you know that latest dep scan found 9 CRITICAL CVEs:

https://nvd.nist.gov/vuln/detail/CVE-2018-8909
https://nvd.nist.gov/vuln/detail/CVE-2020-15258
https://nvd.nist.gov/vuln/detail/CVE-2021-21301
https://nvd.nist.gov/vuln/detail/CVE-2020-27853
https://nvd.nist.gov/vuln/detail/CVE-2021-32665
https://nvd.nist.gov/vuln/detail/CVE-2021-32666
https://nvd.nist.gov/vuln/detail/CVE-2021-32755
https://nvd.nist.gov/vuln/detail/CVE-2021-41093
https://nvd.nist.gov/vuln/detail/CVE-2022-23625

[dmikusa]

https://nvd.nist.gov/vuln/detail/CVE-2018-8909
https://nvd.nist.gov/vuln/detail/CVE-2020-15258
https://nvd.nist.gov/vuln/detail/CVE-2021-21301
https://nvd.nist.gov/vuln/detail/CVE-2020-27853
https://nvd.nist.gov/vuln/detail/CVE-2021-32665
https://nvd.nist.gov/vuln/detail/CVE-2021-32666
https://nvd.nist.gov/vuln/detail/CVE-2021-32755
https://nvd.nist.gov/vuln/detail/CVE-2021-41093
https://nvd.nist.gov/vuln/detail/CVE-2022-23625

@donacarr I don't believe any of these are actually problems with the wire we consume. They all reference "wireos" and seem to be issues with some unrelated mobile (IOS/Android) library.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237

I'm not even sure that the original three issues reported impact cf-java-client. The notes on those issues reference Guava and JUnit. Junit is the only item we actually consume, obviously that only happens during testing.

We did look into upgrading but the problem is that the com.squareup.wire Maven plugin that we're using was discontinued so it's not just a matter of bumping the version. It'll take more effort to evaluate if a switch is possible and to do regression testing to make sure that switching doesn't cause any breaking changes.

[kvmw]

@Kehrlann Is there any plan to upgrade the wire-runtime in the coming releases? It would be nice to have it upgraded to 4.x or 5.x, to mitigate CVE-2023-3635

[Kehrlann]

@kvmw unfortunately, I can't get Wire to work with JDK 8, see #1262 (comment)

We'll release a new major version with JDK 17 support, and Wire 5.x