I did make a PR for fixing this issue by removing the pom.xml file from the rebased jar https://github.com/gwtproject/gwt/pull/9785
I did scan a sample project and attached is the report. It would be great if anyone can help verify the fix. <https://github.com/gwtproject/gwt/pull/9785>

On Friday, 28 October 2022 at 16:53:20 UTC+2 [email protected] wrote:

> This is discussed at https://github.com/gwtproject/gwt/issues/9778 and https://github.com/gwtproject/gwt/issues/9752: this is a false positive, but still needs to be corrected. The simplest fix is probably to just stop packaging up the "I am running an old version" marker file, since the
>
> Is there a functioning "bug bounty" tool for github? I found a few options that all seem defunct, but this seems like a good candidate for someone to either scratch their own itch and get it fixed, or fund someone else who has the time.
>
> Regardless, as someone not actually affected by this false positive (so I can't justify the time right now to focus on it, run the verification that tools accept the output, etc), I'll put up a bounty of 100USD (via paypal/etc) to see this fixed, with a bonus 100USD for a first-time contributor. If someone has experience with a platform for setting up bounties like this, it might be helpful to formalize future issues.
>
> On Wednesday, October 26, 2022 at 4:07:48 PM UTC-5 [email protected] wrote:
>
>> I know that this conversation is about 2 years old. We upgraded to GWT 2.10 in hopes that it would resolve the following vulnerabilities with protobuf-java; they are all being reported in the gwt-servlet.jar (version 2.10.0):
>> https://nvd.nist.gov/vuln/detail/CVE-2022-3171
>> https://www.cve.org/CVERecord?id=CVE-2015-5237
>> https://github.com/advisories/GHSA-wrvw-hg22-4m67
>> https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
>> https://nvd.nist.gov/vuln/detail/CVE-2021-22569
>>
>> These are all being reported in our project by the AWS Enhanced Scanning. Is there any way to upgrade Protobuf from 2.5.0 to the latest version of 3.21.8?
>>
>> Thanks in advance.
>> Ben
>>
>> On Tuesday, June 30, 2020 at 4:16:01 AM UTC-6 [email protected] wrote:
>>
>>> Thank you very much for the quick responses.
>>> Here are the vulnerabilities listed:
>>>
>>> gwt-dev.jar:
>>> 1.1 Vulnerable version of jetty library (current version 9.2.14, available version 9.2.27+) [Associated CVEs: CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2018-12536]
>>> 1.2 Vulnerable version of commons-collections (current version 3.2.1) [CVE-2015-6420, CVE-2017-15708, CVE-2014-3577]
>>> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient (current version 4.3.1) [CVE-2015-6420, CVE-2017-15708, CVE-2014-3577]
>>> 1.4 Vulnerable version of Google Protobuf (current version 2.5.0, available version 3.4.0) [CVE-2015-5237]
>>> 1.5 Vulnerable version of htmlunit (current version 2.19, available version 2.37) [CVE-2020-5529]
>>>
>>> gwt-servlet.jar:
>>> 1.1 Vulnerable version of Google Protobuf (current version 2.5.0, available version 3.4.0) [CVE-2015-5237]
>>>
>>> On Monday, 29 June 2020 16:27:41 UTC+5:30, Priya Kolekar wrote:
>>>>
>>>> Hi All,
>>>>
>>>> Security vulnerabilities have been detected in gwt-dev.jar & gwt-servlet.jar (in release 2.8.2) & are reported by the Dependency checker tool <https://jeremylong.github.io/DependencyCheck/>.
>>>>
>>>> Below are the details:
>>>>
>>>> gwt-dev.jar:
>>>> 1.1 Vulnerable version of jetty library (current version 9.2.14, available version 9.2.27+)
>>>> 1.2 Vulnerable version of commons-collections (current version 3.2.1)
>>>> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient (current version 4.3.1)
>>>> 1.4 Vulnerable version of Google Protobuf (current version 2.5.0, available version 3.4.0)
>>>> 1.5 Vulnerable version of htmlunit (current version 2.19, available version 2.37)
>>>>
>>>> gwt-servlet.jar:
>>>> 1.1 Vulnerable version of Google Protobuf (current version 2.5.0, available version 3.4.0)
>>>>
>>>> Given the above vulnerabilities:
>>>> 1. Are those security issues addressed in the latest 2.9.0 release?
>>>> 2. If not, is there a plan to include them in any future release, say 3.x?
>>>> 3. As we know that gwt-dev.jar is used for development purposes & can be flagged as a false positive, are there still any attack surfaces?

--
You received this message because you are subscribed to the Google Groups "GWT Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit/802ff23c-f281-4f18-8c7e-947b18d60fb2n%40googlegroups.com.
<<attachment: dependency-check-report.zip>>
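As an added example to help with the verification the post asks for (not part of this thread or of the GWT project's code): a Python check that lists the Maven coordinates a dependency scanner picks up from a jar's META-INF/maven entries, run on two constructed in-memory jars standing in for the state before and after the pom metadata is removed. The class paths and pom contents are constructed placeholders, not GWT's real layout.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the "{namespace}" prefix from an XML tag

def _from_properties(text):
    props = dict(line.split("=", 1) for line in text.splitlines()
                 if "=" in line and not line.lstrip().startswith("#"))
    return tuple(props.get(k, "").strip() for k in ("groupId", "artifactId", "version"))

def _from_pom_xml(text):
    root = ET.fromstring(text)
    fields = {_local(c.tag): (c.text or "").strip() for c in root}
    for parent in (c for c in root if _local(c.tag) == "parent"):
        for c in parent:  # groupId/version may be inherited from <parent>
            fields.setdefault(_local(c.tag), (c.text or "").strip())
    return tuple(fields.get(k, "") for k in ("groupId", "artifactId", "version"))

def find_maven_coordinates(jar_bytes):
    """Return sorted (groupId, artifactId, version) triples from META-INF/maven
    pom.properties / pom.xml entries, the metadata dependency scanners match on.
    An empty list means the jar carries no pom-based evidence of a bundled library."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.startswith("META-INF/maven/"):
                continue
            text = jar.read(name).decode("utf-8", errors="replace")
            if name.endswith("pom.properties"):
                found.add(_from_properties(text))
            elif name.endswith("pom.xml"):
                found.add(_from_pom_xml(text))
    return sorted(found)

def build_jar(entries):
    """Constructed helper: build an in-memory jar (zip) from {path: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, content in entries.items():
            jar.writestr(path, content)
    return buf.getvalue()

# Constructed samples (placeholder paths): the same jar before and after the pom metadata is stripped.
CLASS = {"com/example/relocated/protobuf/Message.class": b"\xca\xfe\xba\xbe"}
BEFORE_FIX = build_jar({**CLASS,
    "META-INF/maven/com.google.protobuf/protobuf-java/pom.properties":
        "#Generated by Maven\nversion=2.5.0\ngroupId=com.google.protobuf\nartifactId=protobuf-java\n"})
AFTER_FIX = build_jar(CLASS)
```

Run `find_maven_coordinates` on the real gwt-servlet.jar built from the PR branch: if the relocated protobuf coordinates no longer appear, a pom-based scanner has nothing left to match, which is what the attached report should confirm.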
