Luminus / nvd

I just ran:

lein new luminus dangerp +postgres +reagent +auth

and got:

(defproject dangerp "0.1.0-SNAPSHOT"

  :description "FIXME: write description"
  :url "http://example.com/FIXME"

  :dependencies [[buddy "2.0.0"]
                 [ch.qos.logback/logback-classic "1.2.3"]
                 [cheshire "5.8.1"]
                 [cljs-ajax "0.8.0"]
                 [clojure.java-time "0.3.2"]
                 [com.cognitect/transit-clj "0.8.313"]
                 [conman "0.8.3"]
                 [cprop "0.1.14"]
                 [funcool/struct "1.4.0"]
                 [luminus-jetty "0.1.7"]
                 [luminus-migrations "0.6.5"]
                 [luminus-transit "0.1.1"]
                 [luminus/ring-ttl-session "0.3.3"]
                 [markdown-clj "1.10.0"]
                 [metosin/muuntaja "0.6.4"]
                 [metosin/reitit "0.3.9"]
                 [metosin/ring-http-response "0.9.1"]
                 [mount "0.1.16"]
                 [nrepl "0.6.0"]
                 [org.clojure/clojure "1.10.1"]
                 [org.clojure/clojurescript "1.10.520" :scope "provided"]
                 [org.clojure/tools.cli "0.4.2"]
                 [org.clojure/tools.logging "0.4.1"]
                 [org.postgresql/postgresql "42.2.6"]
                 [org.webjars.npm/bulma "0.7.5"]
                 [org.webjars.npm/material-icons "0.3.0"]
                 [org.webjars/webjars-locator "0.36"]
                 [reagent "0.8.1"]
                 [ring-webjars "0.2.0"]
                 [ring/ring-core "1.7.1"]
                 [ring/ring-defaults "0.3.2"]
                 [selmer "1.12.12"]]

  :min-lein-version "2.0.0"
  
  :source-paths ["src/clj" "src/cljs" "src/cljc"]
  :test-paths ["test/clj"]
  :resource-paths ["resources" "target/cljsbuild"]
  :target-path "target/%s/"
  :main ^:skip-aot dangerp.core

  :plugins [[lein-cljsbuild "1.1.7"]]
  :clean-targets ^{:protect false}
  [:target-path [:cljsbuild :builds :app :compiler :output-dir] [:cljsbuild :builds :app :compiler :output-to]]
  :figwheel
  {:http-server-root "public"
   :server-logfile "log/figwheel-logfile.log"
   :nrepl-port 7002
   :css-dirs ["resources/public/css"]
   :nrepl-middleware [cider.piggieback/wrap-cljs-repl]}
  

  :profiles
  {:uberjar {:omit-source true
             :prep-tasks ["compile" ["cljsbuild" "once" "min"]]
             :cljsbuild {:builds
              {:min
               {:source-paths ["src/cljc" "src/cljs" "env/prod/cljs"]
                :compiler
                {:output-dir "target/cljsbuild/public/js"
                 :output-to "target/cljsbuild/public/js/app.js"
                 :source-map "target/cljsbuild/public/js/app.js.map"
                 :optimizations :advanced
                 :pretty-print false
                 :infer-externs true
                 :closure-warnings
                 {:externs-validation :off :non-standard-jsdoc :off}
                 :externs ["react/externs/react.js"]}}}}
             
             :aot :all
             :uberjar-name "dangerp.jar"
             :source-paths ["env/prod/clj"]
             :resource-paths ["env/prod/resources"]}

   :dev           [:project/dev :profiles/dev]
   :test          [:project/dev :project/test :profiles/test]

   :project/dev  {:jvm-opts ["-Dconf=dev-config.edn"]
                  :dependencies [[binaryage/devtools "0.9.10"]
                                 [cider/piggieback "0.4.1"]
                                 [doo "0.1.11"]
                                 [expound "0.7.2"]
                                 [figwheel-sidecar "0.5.19"]
                                 [pjstadig/humane-test-output "0.9.0"]
                                 [prone "2019-07-08"]
                                 [ring/ring-devel "1.7.1"]
                                 [ring/ring-mock "0.4.0"]]
                  :plugins      [[com.jakemccrary/lein-test-refresh "0.24.1"]
                                 [lein-doo "0.1.11"]
                                 [lein-figwheel "0.5.19"]]
                  :cljsbuild {:builds
                   {:app
                    {:source-paths ["src/cljs" "src/cljc" "env/dev/cljs"]
                     :figwheel {:on-jsload "dangerp.core/mount-components"}
                     :compiler
                     {:main "dangerp.app"
                      :asset-path "/js/out"
                      :output-to "target/cljsbuild/public/js/app.js"
                      :output-dir "target/cljsbuild/public/js/out"
                      :source-map true
                      :optimizations :none
                      :pretty-print true}}}}
                  
                  
                  :doo {:build "test"}
                  :source-paths ["env/dev/clj"]
                  :resource-paths ["env/dev/resources"]
                  :repl-options {:init-ns user}
                  :injections [(require 'pjstadig.humane-test-output)
                               (pjstadig.humane-test-output/activate!)]}
   :project/test {:jvm-opts ["-Dconf=test-config.edn"]
                  :resource-paths ["env/test/resources"]
                  :cljsbuild
                  {:builds
                   {:test
                    {:source-paths ["src/cljc" "src/cljs" "test/cljs"]
                     :compiler
                     {:output-to "target/test.js"
                      :main "dangerp.doo-runner"
                      :optimizations :whitespace
                      :pretty-print true}}}}}
   :profiles/dev {}
   :profiles/test {}})

I add [lein-nvd "1.2.0"] as a dev plugin and then run:

lein nvd check

From this I get:

+-------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| dependency                                      | status                                                                                                   |
+-------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| bcprov-jdk15on-1.58.jar                         | CVE-2018-1000613, CVE-2018-1000180, CVE-2017-13098                                                       |
| jackson-databind-2.9.8.jar                      | CVE-2019-12086, CVE-2019-12384, CVE-2019-12814                                                           |
| jetty-util-9.4.12.v20180830.jar                 | CVE-2019-10247, CVE-2019-10241                                                                           |
| prone-2019-07-08.jar: prone-lib.js              |  including untrusted objects as React children can result in an XSS security vulnerability               |
| protobuf-java-3.0.2.jar                         | CVE-2015-5237                                                                                            |
| react-16.3.2-0.jar                              | CVE-2018-6341                                                                                            |
| react-dom-16.3.2-0.jar                          | CVE-2018-6341                                                                                            |
| react-dom-server-16.3.2-0.jar                   | CVE-2018-6341                                                                                            |
| reitit-swagger-ui-0.3.9.jar                     | CVE-2016-5682                                                                                            |
| ring-swagger-ui-2.2.10.jar: handlebars-4.0.5.js | A prototype pollution vulnerability in handlebars is exploitable if an attacker can control the template |
| ring-swagger-ui-2.2.10.jar: jquery-1.8.0.min.js | CVE-2019-11358, CVE-2012-6708, CVE-2015-9251                                                             |
+-------------------------------------------------+----------------------------------------------------------------------------------------------------------+

18 vulnerabilities detected. Severity: HIGH

Now I think security is really important, and I do try to stay informed, but right now this level of detail is just much more than I can handle…

So I guess I just wanted to post this in the hope that somebody has already run into the same problem and is willing to share some insight :slight_smile:


Hi! Library maintainers do not update the library dependencies all the time, so if there’s a security issue in a dependency of a dependency (of a dependency of a dependency…), you often end up with vulnerable versions in your dependency tree.

That said, you have to use a bit of judgement. For example, the issue in React, CVE-2018-6341 is in server-side rendering, but as far as I can tell, the Luminus template only uses client-side React. Thus the issue probably does not matter. If you want to be on the safe side, you can overwrite the dependency by adding the React dependency with the latest version directly in your :dependencies vector:

[cljsjs/react "16.8.6-0"]
[cljsjs/react-dom "16.8.6-0"]
[cljsjs/react-dom-server "16.8.6-0"]

Also, it’s not obvious from the lein nvd check console output, but if you look at the HTML report generated under directory target/nvd, it thinks that reitit-swagger-ui-0.3.9.jar is Swagger UI 0.3.9. In reality reitit-swagger-ui is a library that depends on Swagger UI 2.2.10, which does not contain the vulnerability reported.

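The triage the reply above describes (judging each finding rather than reacting to the raw count, and recording why a finding is accepted), as an added example that is not part of this thread or of the lein-nvd project. It parses the console table lein-nvd prints, separates CVE ids from free-text findings, and applies a reviewed accept-list. The sample table is the one from the first post; the accept-list format (glob, finding, reason) and the two entries in it are this example's own convention, with the reasons taken from the reply.

```python
"""Triage helper for `lein nvd check` console output (added example, not lein-nvd code)."""
import fnmatch
import re
from collections import OrderedDict

# Constructed sample: the table as posted in the thread.
SAMPLE_REPORT = """\
+-------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| dependency                                      | status                                                                                                   |
+-------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| bcprov-jdk15on-1.58.jar                         | CVE-2018-1000613, CVE-2018-1000180, CVE-2017-13098                                                       |
| jackson-databind-2.9.8.jar                      | CVE-2019-12086, CVE-2019-12384, CVE-2019-12814                                                           |
| jetty-util-9.4.12.v20180830.jar                 | CVE-2019-10247, CVE-2019-10241                                                                           |
| prone-2019-07-08.jar: prone-lib.js              |  including untrusted objects as React children can result in an XSS security vulnerability               |
| react-16.3.2-0.jar                              | CVE-2018-6341                                                                                            |
| react-dom-16.3.2-0.jar                          | CVE-2018-6341                                                                                            |
| react-dom-server-16.3.2-0.jar                   | CVE-2018-6341                                                                                            |
| reitit-swagger-ui-0.3.9.jar                     | CVE-2016-5682                                                                                            |
| ring-swagger-ui-2.2.10.jar: handlebars-4.0.5.js | A prototype pollution vulnerability in handlebars is exploitable if an attacker can control the template |
| ring-swagger-ui-2.2.10.jar: jquery-1.8.0.min.js | CVE-2019-11358, CVE-2012-6708, CVE-2015-9251                                                             |
+-------------------------------------------------+----------------------------------------------------------------------------------------------------------+

18 vulnerabilities detected. Severity: HIGH
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Reviewed decisions, each with a written justification. This (glob, finding, reason)
# structure is an assumption of this example, not a lein-nvd feature. The reasons are
# the ones given in the reply above; the react entry rests on the project using
# client-side React only, so it must be re-checked if server-side rendering is added.
ACCEPTED = [
    ("react-*.jar", "CVE-2018-6341",
     "server-side rendering issue; this template only uses client-side React"),
    ("reitit-swagger-ui-0.3.9.jar", "CVE-2016-5682",
     "jar misidentified as Swagger UI 0.3.9; it bundles Swagger UI 2.2.10"),
]


def parse_report(text):
    """Map each dependency row to its findings: a list of CVE ids, or the free text if none."""
    findings = OrderedDict()
    for line in text.splitlines():
        if not line.startswith("|"):          # skip borders and the summary line
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2 or cells[0] == "dependency":
            continue                          # skip the header row
        dep, status = cells
        ids = CVE_RE.findall(status)
        findings[dep] = ids if ids else [status]
    return findings


def triage(findings, accepted=ACCEPTED):
    """Split findings into open and accepted lists of (dependency, finding, reason)."""
    open_items, accepted_items = [], []
    for dep, items in findings.items():
        for item in items:
            reason = next((r for pat, f, r in accepted
                           if fnmatch.fnmatch(dep, pat) and f == item), None)
            if reason:
                accepted_items.append((dep, item, reason))
            else:
                open_items.append((dep, item, None))
    return open_items, accepted_items


def summarize(text, accepted=ACCEPTED):
    """Counts and the still-open work: unique CVE ids plus free-text findings needing manual review."""
    findings = parse_report(text)
    open_items, accepted_items = triage(findings, accepted)
    return {
        "total": sum(len(v) for v in findings.values()),
        "open": len(open_items),
        "accepted": len(accepted_items),
        "open_cves": sorted({f for _, f, _ in open_items if CVE_RE.fullmatch(f)}),
        "text_findings": [(d, f) for d, f, _ in open_items if not CVE_RE.fullmatch(f)],
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    print(f"{result['open']} of {result['total']} findings still open "
          f"({result['accepted']} accepted with a recorded reason)")
    for dep, finding in result["text_findings"]:
        print(f"manual review: {dep}: {finding}")
```

The script counts the rows of the table (17 entries here), which is why its total differs from the "18 vulnerabilities" summary line lein-nvd prints; the summary is ignored. Accepting a finding here only hides it from this report, so the entry's reason should be revisited whenever the dependency or the way it is used changes.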

Thanks for answering.

Using +http-kit would also help with this…

Also, about websockets with jetty / http-kit: https://github.com/luminus-framework/luminus/issues/245#issuecomment-518258711

So… why not?