#23 and #24 are failing CI because actions/dependency-review-action is suddenly identifying seventeen vulnerabilities, while it hasn't made note of anything before.
17 vulnerabilities
settings.gradle.kts » com.google.protobuf:protobuf-java@3.19.3 – Protobuf Java vulnerable to Uncontrolled Resource Consumption (high severity)
↪ https://github.com/advisories/GHSA-g5ww-5jh7-63cx
settings.gradle.kts » com.google.protobuf:protobuf-java@3.19.3 – Protobuf Java vulnerable to Uncontrolled Resource Consumption (high severity)
↪ https://github.com/advisories/GHSA-4gg5-vx3j-xwc7
settings.gradle.kts » com.google.protobuf:protobuf-java@3.19.3 – protobuf-java has a potential Denial of Service issue (moderate severity)
↪ https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
settings.gradle.kts » io.grpc:grpc-protobuf@1.45.1 – Connection confusion in gRPC (high severity)
↪ https://github.com/advisories/GHSA-cfgp-2977-2fmm
settings.gradle.kts » io.grpc:grpc-protobuf@1.45.1 – gRPC Reachable Assertion issue (high severity)
↪ https://github.com/advisories/GHSA-6628-q6j9-w8vg
settings.gradle.kts » io.grpc:grpc-protobuf@1.45.1 – gRPC connection termination issue (moderate severity)
↪ https://github.com/advisories/GHSA-9hxf-ppjv-w6rq
settings.gradle.kts » io.netty:netty-codec-http2@4.1.72.Final – io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack (high severity)
↪ https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
settings.gradle.kts » org.bitbucket.b_c:jose4j@0.7.0 – jose4j uses weak cryptographic algorithm (high severity)
↪ https://github.com/advisories/GHSA-7g24-qg88-p43q
settings.gradle.kts » org.bitbucket.b_c:jose4j@0.7.0 – Chosen Ciphertext Attack in Jose4j (moderate severity)
↪ https://github.com/advisories/GHSA-jgvc-jfgh-rjvv
settings.gradle.kts » com.google.guava:guava@31.1-jre – Guava vulnerable to insecure use of temporary directory (moderate severity)
↪ https://github.com/advisories/GHSA-7g45-4rm6-3mm3
settings.gradle.kts » com.google.guava:guava@31.1-jre – Information Disclosure in Guava (low severity)
↪ https://github.com/advisories/GHSA-5mg8-w23w-74h3
settings.gradle.kts » commons-io:commons-io@2.4 – Path Traversal and Improper Input Validation in Apache Commons IO (moderate severity)
↪ https://github.com/advisories/GHSA-gwrp-pvrq-jmwv
settings.gradle.kts » io.netty:netty-codec-http@4.1.72.Final – Local Information Disclosure Vulnerability in io.netty:netty-codec-http (moderate severity)
↪ https://github.com/advisories/GHSA-269q-hmxg-m83q
settings.gradle.kts » io.netty:netty-handler@4.1.72.Final – netty-handler SniHandler 16MB allocation (moderate severity)
↪ https://github.com/advisories/GHSA-6mjq-h674-j845
settings.gradle.kts » org.apache.httpcomponents:httpclient@4.5.6 – Cross-site scripting in Apache HttpClient (moderate severity)
↪ https://github.com/advisories/GHSA-7r82-7xv7-xcpj
settings.gradle.kts » org.bouncycastle:bcprov-jdk15on@1.67 – Bouncy Castle For Java LDAP injection vulnerability (moderate severity)
↪ https://github.com/advisories/GHSA-hr8g-6v94-x4m9
settings.gradle.kts » xerces:xercesimpl@2.12.0 – Infinite Loop in Apache Xerces Java (moderate severity)
↪ https://github.com/advisories/GHSA-h65f-jvqw-m9fj
Error: Dependency review detected vulnerable packages.
Further down in its output, we can see it thinks every dependency across the project was newly added. This is relevant because it "scans your pull requests for dependency changes, and will raise an error if any vulnerabilities or invalid licenses are being introduced." The action's documentation links to the API method it uses, and the following commands reflect the same issue (first comparing the PR's head and base, then using an earlier commit from main as the base).
$ gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/divviup/divviup-android/dependency-graph/compare/1f3b47777b76b42df52761cb07e306c3376c2b21...ac29b935ba040b0b674b9ca1052a57bff230f0ab | jq -r '.[] | .change_type' | sort | uniq -c
253 added
$ gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/divviup/divviup-android/dependency-graph/compare/f0fceb030be70309c0a9d7e82df4f19d7726b672...ac29b935ba040b0b674b9ca1052a57bff230f0ab | jq -r '.[] | .change_type' | sort | uniq -c
5 added
3 removed

The key difference about the current tip of main is that it was pushed by Dependabot, via a merge command. When the CI ran on it, the following warning was emitted.
Failed to submit dependency graph dependency-graph-reports/ci-build.json.
Please ensure that the 'contents: write' permission is available for the workflow job.
Note that this permission is never available for a 'pull_request' trigger from a repository fork.
This is the same sort of issue we previously had on prio-server, where container images couldn't be pushed from Dependabot's merge commits because secrets weren't provided. To get out of this jam, I could rebase the PR branches back one, so that they have a good base dependency graph to work from, or maybe just re-run the workflow, so that it can successfully run with my github.actor. Based on this blog post we could fix this long-term by specifying permissions explicitly for the build job. Alternately, we could also avoid @dependabot squash and merge, and instead use GitHub's merge and automerge features directly.
Separately, while a lot of the reported vulnerabilities are in build tools only, or are otherwise not applicable to our uses of libraries, it would be nice to get some of these vulnerable dependency versions with fixes available updated. I'm not sure whether there's a good way to update transitive dependencies without the direct dependency itself updating. At any rate, AGP 8.1.3 came out last week, and that may help.
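As an added example (not the action's or the project's code), the script below reproduces the triage dependency-review-action performs over a hand-constructed compare response: the change-type tally from the jq pipeline above, an all-"added" heuristic that flags the missing-base-snapshot failure described in this issue, and the fail-on-severity filter over added packages only. The field names follow the dependency-graph compare API as I understand it and are an assumption; the packages and GHSA ids are the ones quoted above, except the older guava version in the "removed" entry, which is constructed.

```python
"""Triage a dependency-graph compare response the way dependency-review-action
does: only *added* dependencies count, and the job fails when one of them has an
advisory at or above a severity threshold.  SAMPLE_CHANGES is a constructed
sample in the (assumed) shape of the compare/{base}...{head} REST response."""
from collections import Counter

SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}

SAMPLE_CHANGES = [  # constructed: what a compare against a sane base looks like
    {"change_type": "added", "manifest": "settings.gradle.kts",
     "name": "io.netty:netty-codec-http2", "version": "4.1.72.Final",
     "vulnerabilities": [{"severity": "high",
                          "advisory_ghsa_id": "GHSA-xpw8-rcwv-8f8p"}]},
    {"change_type": "added", "manifest": "settings.gradle.kts",
     "name": "commons-io:commons-io", "version": "2.4",
     "vulnerabilities": [{"severity": "moderate",
                          "advisory_ghsa_id": "GHSA-gwrp-pvrq-jmwv"}]},
    {"change_type": "added", "manifest": "settings.gradle.kts",
     "name": "com.google.guava:guava", "version": "31.1-jre",
     "vulnerabilities": [{"severity": "low",
                          "advisory_ghsa_id": "GHSA-5mg8-w23w-74h3"}]},
    {"change_type": "removed", "manifest": "settings.gradle.kts",
     "name": "com.google.guava:guava", "version": "30.1-jre",  # constructed
     "vulnerabilities": []},
]

def count_change_types(changes):
    """Same tally as the `jq -r '.[] | .change_type' | sort | uniq -c` pipeline."""
    return dict(Counter(c["change_type"] for c in changes))

def base_snapshot_missing(changes):
    """Heuristic for the failure mode in this issue: when the base commit never
    had a dependency snapshot submitted, the whole tree shows up as 'added' and
    nothing as 'removed' (a PR that only adds packages looks the same, so this
    is a hint to check the submission warning, not proof)."""
    return bool(changes) and set(count_change_types(changes)) == {"added"}

def vulnerable_additions(changes, fail_on="moderate"):
    """(name@version, GHSA id, severity) for each *added* package carrying an
    advisory at or above fail_on, like the action's fail-on-severity input."""
    floor = SEVERITY_RANK[fail_on]
    return [(f'{c["name"]}@{c["version"]}', v["advisory_ghsa_id"], v["severity"])
            for c in changes if c["change_type"] == "added"
            for v in c["vulnerabilities"]
            if SEVERITY_RANK.get(v["severity"], -1) >= floor]

if __name__ == "__main__":
    print(count_change_types(SAMPLE_CHANGES))
    for hit in vulnerable_additions(SAMPLE_CHANGES, "high"):
        print("FAIL:", *hit)
```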