Copilot Lvl 3
Message 1 of 7

Check jar file vulnerability and license

Github checks for jar dependencies and vulnerabilities through maven pom.xml. Is it possible to check for dependencies if one is using jar files just placed in a lib folder without the pom.xml?

 

Can a similar check be done for the license of the jar file?

6 Replies
Community Manager
Message 2 of 7

Re: Check jar file vulnerability and license

It isn't possible currently for GitHub to do this for you, no. You could perhaps write some automation using a GitHub App or GitHub Actions to do so, though.

 

I hope that helps!
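One way to build the lib/ folder check Lee suggests, as an added example that is not from this thread or from GitHub: a Python script (for example as a GitHub Actions step) that reads the Maven coordinates and declared license out of each jar's embedded META-INF/maven metadata and emits a pom.xml `<dependencies>` block that a pom.xml-based scanner can then pick up. The jar is constructed in memory from the coordinates posted in the thread; its license string is an assumed value.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# Maven-built jars carry their own coordinates and POM under META-INF/maven/<groupId>/<artifactId>/
POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")
POM_XML = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.xml$")

def read_jar_metadata(jar_bytes):
    """Return {groupId, artifactId, version, licenses} read from a jar's embedded Maven metadata."""
    meta = {"groupId": None, "artifactId": None, "version": None, "licenses": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if POM_PROPS.match(name):
                for line in zf.read(name).decode("utf-8").splitlines():
                    if "=" in line and not line.lstrip().startswith("#"):
                        key, value = (s.strip() for s in line.split("=", 1))
                        if key in ("groupId", "artifactId", "version"):
                            meta[key] = value
            elif POM_XML.match(name):
                # <licenses><license><name>..</name></license></licenses>; strip the optional POM namespace
                for el in ET.fromstring(zf.read(name)).iter():
                    if el.tag.split("}")[-1] == "license":
                        meta["licenses"] += [c.text.strip() for c in el
                                             if c.tag.split("}")[-1] == "name" and c.text]
    return meta

def dependencies_pom(jars):
    """Build a pom.xml <dependencies> block from jar contents so a pom.xml-only scanner sees lib/ too."""
    entries = []
    for jar_bytes in jars:
        m = read_jar_metadata(jar_bytes)
        if not all(m[k] for k in ("groupId", "artifactId", "version")):
            continue  # no Maven metadata inside: this jar needs manual identification
        entries.append("  <dependency>\n"
                       f"    <groupId>{m['groupId']}</groupId>\n"
                       f"    <artifactId>{m['artifactId']}</artifactId>\n"
                       f"    <version>{m['version']}</version>\n"
                       "  </dependency>")
    return "<dependencies>\n" + "\n".join(entries) + "\n</dependencies>\n"

def make_sample_jar(group, artifact, version, license_name):
    """Constructed stand-in for a real jar: a zip holding only the Maven metadata files."""
    buf, base = io.BytesIO(), f"META-INF/maven/{group}/{artifact}/"
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(base + "pom.properties", f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
        zf.writestr(base + "pom.xml", "<project><licenses><license>"
                    f"<name>{license_name}</name></license></licenses></project>")
    return buf.getvalue()

# Constructed sample jar using coordinates from the thread; the license name is an assumed value.
SAMPLE_JAR = make_sample_jar("commons-collections", "commons-collections", "3.2.2", "Apache License, Version 2.0")
```

Jars built without Maven (no META-INF/maven directory) come back with empty coordinates and are skipped, so the script's output should be reviewed for those before relying on the generated pom.xml.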

Copilot Lvl 3
Message 3 of 7

Re: Check jar file vulnerability and license

Thanks, Lee, this is helpful. There is also one more issue: even if there are entries in pom.xml which are vulnerable, they are not shown as alerts. For example, activemq-all (v5.7.0) and commons-collections (v3.2.2) have known vulnerability issues, but it doesn't give alerts for these jars.

 

Do we need to make any other changes besides adding these entries in pom.xml?

Community Manager
Message 4 of 7

Re: Check jar file vulnerability and license

Do you have an example repository that's public that we can see the problem you're describing? That would be helpful to possibly debug the problem.

 

Thanks!

Copilot Lvl 3
Message 5 of 7

Re: Check jar file vulnerability and license

Hi Lee,

 

The repository can be accessed from this link,

https://github.com/mshadab-adeptia/SecurityTest

 

The following 2 errors show up, but there are more jars in the project which are vulnerable and we don't get any error for those.

 

Both commons-collections and activemq-all have known vulnerabilities, but do not show up in the alerts.

 

<dependency>
  <groupId>commons-collections</groupId>
  <artifactId>commons-collections</artifactId>
  <version>3.2.2</version>
</dependency>
<dependency>
  <groupId>org.apache.activemq</groupId>
  <artifactId>activemq-all</artifactId>
  <version>5.7.0</version>
</dependency>

 

https://www.cvedetails.com/cve/CVE-2017-15708/

https://www.cvedetails.com/cve/CVE-2019-0222/

 

Community Manager
Message 6 of 7

Re: Check jar file vulnerability and license

According to https://www.cvedetails.com/cve/CVE-2017-15708/, only commons-collections v3.2.1 has a confirmed vulnerability. You're using v3.2.2.

 

I'll pass along the feedback about the other library.

Copilot Lvl 3
Message 7 of 7

Re: Check jar file vulnerability and license

Thanks for your response, Lee. I changed the version to 3.2.1, but still no alerts for commons-collections.