Updating dependencies to pass an SCA scan

Hi,

I have a project I’ve created in Cuba Platform 7.2. The application is finished and in pre-go-live, and has now been subjected to both SAST and SCA scans. To pass the SCA testing I need to update some of the dependencies within Cuba itself, such as commons-io v2.6, which fails against CVE-2024-47554 and is fixed in 2.14.0. Likewise logback 1.2.3 fails CVE-2023-6378 and is fixed in 1.2.13.

I have 4 others also (css-what, cross-spawn, lodash.pick and thoughtworks.xstream).

They all look to be dependencies of parts of Cuba-Platform, the first two being in the cuba-global library.

Is there an easy way to get these dependencies ‘updated’ to a newer version? I’ve been poking around in my project’s build.gradle, but it’s clear it’s not my project that has the issue and nothing I do resolves it. I’ve listed below the top part of the dependency tree; as you can see it’s using commons-io 2.6, and if I unpack the source for cuba-global I can see it listed in there.

Do I have to re-build Cuba Platform itself? If so, what is the easy way of doing that on Windows using the Cuba Studio plug-in for IntelliJ?

Task :dependencies

Root project

appComponent
+--- com.haulmont.cuba:cuba-global:7.2.21
|    +--- org.codehaus.groovy:groovy:2.5.14
|    +--- org.codehaus.groovy:groovy-templates:2.5.14
|    |    +--- org.codehaus.groovy:groovy:2.5.14
|    |    \--- org.codehaus.groovy:groovy-xml:2.5.14
|    |         \--- org.codehaus.groovy:groovy:2.5.14
|    +--- org.codehaus.groovy:groovy-sql:2.5.14
|    |    \--- org.codehaus.groovy:groovy:2.5.14
|    +--- org.apache.commons:commons-lang3:3.9 -> 3.12.0
|    +--- org.apache.commons:commons-collections4:4.4
|    +--- org.apache.commons:commons-text:1.10.0
|    |    \--- org.apache.commons:commons-lang3:3.12.0
|    +--- commons-io:commons-io:2.6
|    +--- commons-cli:commons-cli:1.4

Thanks in advance, Paul.

Hi Paul,

You should be able to override dependencies in the project's build.gradle.
You need to add the desired version of the dependency in the configure block of the specific module. In general it should be enough to add it to the global one.

So it will look like this:

configure(globalModule) {
    dependencies {
        ...
        compile('com.thoughtworks.xstream:xstream:1.4.21')
        compile('ch.qos.logback:logback-classic:1.2.13')
        compile('commons-io:commons-io:2.18.0')
    }
    ...
}

After this your application will use the newest version.

The main issue with such an approach: if you specify a version that is incompatible with the “previous” one, framework modules using it will fail (the three versions mentioned above should work fine).

Also, can you add more details about the other vulnerabilities you found (css-what, cross-spawn, lodash.pick, maybe something else)?
We are currently in the process of vulnerability search, but didn’t find issues with them (maybe later I will). Dependency trees and module names will be useful.

Regards,
Ivan
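A check to run after applying an override like the one above, as an added example that is not part of this thread or of CUBA Platform: it parses `gradle dependencies` output of the shape Paul posted, takes the resolved version (the right-hand side of Gradle's `->` arrow when one is printed) rather than the declared one, and reports any coordinate that still resolves below the fix versions named in the thread (commons-io 2.14.0 for CVE-2024-47554, logback 1.2.13 for CVE-2023-6378). The two sample trees are constructed for the example; the `logback-core` entry assumes the same fix version applies to that artifact and is not taken from the thread.

```python
import re
from typing import Dict, List, Tuple

# Minimum fixed versions as stated in the thread. The logback-core line is an
# assumption added for the example (same 1.2.13 fix as logback-classic).
MINIMUM_FIXED_VERSIONS: Dict[str, Tuple[str, str]] = {
    "commons-io:commons-io": ("2.14.0", "CVE-2024-47554"),
    "ch.qos.logback:logback-classic": ("1.2.13", "CVE-2023-6378"),
    "ch.qos.logback:logback-core": ("1.2.13", "CVE-2023-6378"),  # assumption
}

# One "group:artifact:version" coordinate, optionally followed by the
# "-> resolved" (or "→") arrow Gradle prints when conflict resolution or a
# forced version replaced the declared one. Trailing "(*)" markers are ignored.
_COORD = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<declared>[\w.\-]+)"
    r"(?:\s*(?:->|→)\s*(?P<resolved>[\w.\-]+))?"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.6' / '1.2.13' / '3.12.0-rc1' into a comparable tuple.
    Non-numeric suffixes are dropped so pre-release tags do not break ordering."""
    parts = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_at_least(actual: str, required: str) -> bool:
    """Compare two dotted versions, padding the shorter one with zeros."""
    a, r = parse_version(actual), parse_version(required)
    width = max(len(a), len(r))
    return a + (0,) * (width - len(a)) >= r + (0,) * (width - len(r))


def parse_dependency_tree(text: str) -> List[Dict[str, str]]:
    """Extract every coordinate from `gradle dependencies` output.
    'resolved' is the version that actually lands on the classpath."""
    deps = []
    for line in text.splitlines():
        m = _COORD.search(line)
        if not m:
            continue
        deps.append({
            "coordinate": f"{m['group']}:{m['artifact']}",
            "declared": m["declared"],
            "resolved": m["resolved"] or m["declared"],
        })
    return deps


def audit_tree(text: str, minimums=MINIMUM_FIXED_VERSIONS) -> List[Dict[str, str]]:
    """Return one finding per coordinate that resolves below its fix version.
    The same coordinate printed under several parents is reported once."""
    findings, seen = [], set()
    for dep in parse_dependency_tree(text):
        key = (dep["coordinate"], dep["resolved"])
        if key in seen or dep["coordinate"] not in minimums:
            continue
        seen.add(key)
        required, cve = minimums[dep["coordinate"]]
        if not version_at_least(dep["resolved"], required):
            findings.append({**dep, "required": required, "cve": cve})
    return findings


# Constructed sample: the cuba-global subtree before any override.
TREE_BEFORE = r"""
appComponent
+--- com.haulmont.cuba:cuba-global:7.2.21
|    +--- org.apache.commons:commons-lang3:3.9 -> 3.12.0
|    +--- commons-io:commons-io:2.6
|    +--- ch.qos.logback:logback-classic:1.2.3
|    \--- commons-cli:commons-cli:1.4
"""

# Constructed sample: the same subtree after the build.gradle override,
# where Gradle shows the declared version being replaced by the forced one.
TREE_AFTER = r"""
appComponent
+--- com.haulmont.cuba:cuba-global:7.2.21
|    +--- org.apache.commons:commons-lang3:3.9 -> 3.12.0
|    +--- commons-io:commons-io:2.6 -> 2.18.0
|    +--- ch.qos.logback:logback-classic:1.2.3 -> 1.2.13
|    \--- commons-cli:commons-cli:1.4
"""

if __name__ == "__main__":
    for label, tree in (("before", TREE_BEFORE), ("after", TREE_AFTER)):
        hits = audit_tree(tree)
        print(f"{label}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  {h['coordinate']} resolves to {h['resolved']}, "
                  f"need >= {h['required']} ({h['cve']})")
```

Feed it the real output of `gradlew dependencies` (or the dependency report of the uberJar configuration) instead of the constructed trees; because it reads the resolved side of the arrow, it confirms that the override actually took effect rather than only that the new version was declared somewhere.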

Hi Ivan,

Thank you for coming back to me, I did try something like that but will try with your specific example.

I wanted to come back to you with the CVEs for the other libraries.

css-what: failed on CVE-2021-33587 but fixed in 5.0.1

lodash.pick: failed on CVE-2020-8203, fixed in 4.17.20, but Maven Central has 4.4.0 as the current version; lodash.com lists 4.17.20 though.

cross-spawn: failed on CVE-2024-21538 but addressed in version 7.0.5

Thanks again, Paul.

Hi,

What modules bring those dependencies? Can you attach the dependency tree?

Regards,
Ivan

Hi Ivan,

I have got the project through SCA but there have been a number of extra steps to get there. The SCA scanning was also done on an UberJAR which needed more lines in the build.gradle file to get the correct versions in that jar.

I’m taking a few days off for the Christmas holiday so will write the whole thing up next week and share on this thread.

Thanks again for your help.

Paul.