The lowkey-vault from nagyesta

Create example project for Python clients

New repository set up with Python example
Lowkey Vault updated if necessary to fix compatibility issues found during implementation

7.3 API - Get random bytes

Implement Get random bytes endpoint
Documentation: https://docs.microsoft.com/en-us/rest/api/keyvault/keys/get-random-bytes/get-random-bytes

Support vault creation/deletion

Add Vault create/delete feature
Set and respect recovery level restrictions
Don't allow recovery level changes on individual key level

Bug report: SSL error

Describe the bug

SSL error when trying to ping the https://localhost:8443

To reproduce

$ curl https://localhost:8443
curl: (60) SSL certificate problem: self signed certificate

Expected behavior

No SSL error.

Alternatively, switch to http instead of https

Actual behavior

SSL error

The command you used

If applicable, add screenshots to help explain your problem.

A minimal project that can be used to reproduce the issue

If applicable. Please do NOT share sensitive information.

Environment

OS: [e.g. Windows]

Additional context

Add any other context about the problem here.

Backup utility in client

Add new methods in client for convenient compression/decompression of backup data (to allow storing test data in VCS in human readable format)

Set up API docs

Integrate OpenAPI 3.0 integration
Add documentation annotations

7.3 API - Get/Update Key rotation policy

Perform automated key rotation when performing time shift
Implement Get key rotation policy endpoint
Implement Update key rotation policy endpoint
Documentation: https://docs.microsoft.com/en-us/rest/api/keyvault/keys/get-key-rotation-policy/get-key-rotation-policy and https://docs.microsoft.com/en-us/rest/api/keyvault/keys/update-key-rotation-policy/update-key-rotation-policy

Depends on: 7.3 API - Key rotation logic

jackson-databind-2.13.1.jar: 1 vulnerabilities (highest severity is: 5.5) - autoclosed

Vulnerable Library - jackson-databind-2.13.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /lowkey-vault-testcontainers/build.gradle

Path to vulnerable library: /e/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2020-36518	Medium	5.5	jackson-databind-2.13.1.jar	Direct	jackson-databind-2.10 - 2.10.1;com.fasterxml.jackson.core.jackson-databind - 2.6.2.v20161117-2150	❌

Details

CVE-2020-36518

Vulnerable Library - jackson-databind-2.13.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /lowkey-vault-testcontainers/build.gradle

Path to vulnerable library: /e/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar

Dependency Hierarchy:

❌ jackson-databind-2.13.1.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
WhiteSource Note: After conducting further research, WhiteSource has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-36518

Release Date: 2022-03-11

Fix Resolution: jackson-databind-2.10 - 2.10.1;com.fasterxml.jackson.core.jackson-databind - 2.6.2.v20161117-2150

Step up your Open Source Security Game with WhiteSource here

httpclient-4.5.13.jar: 1 vulnerabilities (highest severity is: 6.5)

Vulnerable Library - httpclient-4.5.13.jar

Path to dependency file: /lowkey-vault-testcontainers/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar

Found in HEAD commit: 1f2ec0f91d1dde8ea2cfe6a78e3e75c0e72f69d6

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
WS-2019-0379	Medium	6.5	commons-codec-1.11.jar	Transitive	N/A	❌

Details

WS-2019-0379

Vulnerable Library - commons-codec-1.11.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: /lowkey-vault-client/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar

Dependency Hierarchy:

httpclient-4.5.13.jar (Root Library)
- ❌ commons-codec-1.11.jar (Vulnerable Library)

Found in HEAD commit: 1f2ec0f91d1dde8ea2cfe6a78e3e75c0e72f69d6

Found in base branch: main

Vulnerability Details

Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: apache/commons-codec@48b6157

Release Date: 2019-05-20

Fix Resolution: commons-codec:commons-codec:1.13

Step up your Open Source Security Game with WhiteSource here

azure-security-keyvault-secrets-4.3.8.jar: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - azure-security-keyvault-secrets-4.3.8.jar

Path to dependency file: /lowkey-vault-docker/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar

Found in HEAD commit: 872a0d5ea6141a047a65b37622328f2e0c45c01a

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2020-36518	High	7.5	jackson-databind-2.13.1.jar	Transitive	N/A	❌

Details

CVE-2020-36518

Vulnerable Library - jackson-databind-2.13.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /lowkey-vault-client/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar

Dependency Hierarchy:

azure-security-keyvault-secrets-4.3.8.jar (Root Library)
- azure-core-1.26.0.jar
  - ❌ jackson-databind-2.13.1.jar (Vulnerable Library)

Found in HEAD commit: 872a0d5ea6141a047a65b37622328f2e0c45c01a

Found in base branch: main

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
WhiteSource Note: After conducting further research, WhiteSource has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Update spring core to v6.1.7 {patch} (patch) (org.springframework:spring-test, org.springframework:spring-webmvc, org.springframework:spring-web, org.springframework:spring-context, org.springframework:spring-core)

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

Update eclipse-temurin Docker tag to v21 {patch}

Detected dependencies

dockerfile

lowkey-vault-docker/src/docker/Dockerfile

eclipse-temurin 17.0.11_9-jre-alpine@sha256:ad9223070abcf5716e98296a98c371368810deb36197b75f3a7b74815185c5e3

github-actions

.github/workflows/add-index-exclusion.yml

actions/checkout v4.1.6@a5ac7e51b41094c92402da3b24376905380afc29

actions/github-script v7.0.1@60a0d83039c74a4aee543508d2ffcb1c3799cdea

.github/workflows/codeql-analysis.yml

actions/checkout v4.1.6@a5ac7e51b41094c92402da3b24376905380afc29

gradle/wrapper-validation-action v3.3.2@216d1ad2b3710bf005dc39237337b9673fd8fcd5

actions/setup-java v4.2.1@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9

github/codeql-action v3.25.5@b7cec7526559c32f1616476ff32d17ba4c59b2d6

gradle/actions v3.3.2@db19848a5fa7950289d3668fb053140cf3028d43

github/codeql-action v3.25.5@b7cec7526559c32f1616476ff32d17ba4c59b2d6

.github/workflows/gradle-ci.yml

actions/checkout v4.1.6@a5ac7e51b41094c92402da3b24376905380afc29

actions/setup-java v4.2.1@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9

gradle/actions v3.3.2@db19848a5fa7950289d3668fb053140cf3028d43

actions/upload-artifact v4.3.3@65462800fd760344b1a7b4382951275a0abb4808

actions/upload-artifact v4.3.3@65462800fd760344b1a7b4382951275a0abb4808

actions/upload-artifact v4.3.3@65462800fd760344b1a7b4382951275a0abb4808

codecov/codecov-action v4.4.0@6d798873df2b1b8e5846dba6fb86631229fbcb17

codecov/codecov-action v4.4.0@6d798873df2b1b8e5846dba6fb86631229fbcb17

codecov/codecov-action v4.4.0@6d798873df2b1b8e5846dba6fb86631229fbcb17

.github/workflows/gradle-oss-index-scan.yml

actions/checkout v4.1.6@a5ac7e51b41094c92402da3b24376905380afc29

gradle/wrapper-validation-action v3.3.2@216d1ad2b3710bf005dc39237337b9673fd8fcd5

actions/setup-java v4.2.1@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9

gradle/actions v3.3.2@db19848a5fa7950289d3668fb053140cf3028d43

.github/workflows/gradle.yml

actions/checkout v4.1.6@a5ac7e51b41094c92402da3b24376905380afc29

actions/setup-java v4.2.1@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9

gradle/actions v3.3.2@db19848a5fa7950289d3668fb053140cf3028d43

docker/login-action v3.1.0@e92390c5fb421da1463c202d546fed0ec5c39f20

codecov/codecov-action v4.4.0@6d798873df2b1b8e5846dba6fb86631229fbcb17

codecov/codecov-action v4.4.0@6d798873df2b1b8e5846dba6fb86631229fbcb17

codecov/codecov-action v4.4.0@6d798873df2b1b8e5846dba6fb86631229fbcb17

.github/workflows/pr-labeler.yml

TimonVS/pr-labeler-action v5.0.0@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af

.github/workflows/release-draft.yml

actions/github-script v7.0.1@60a0d83039c74a4aee543508d2ffcb1c3799cdea

.github/workflows/release-trigger.yml

actions/checkout v4.1.6@a5ac7e51b41094c92402da3b24376905380afc29

actions/github-script v7.0.1@60a0d83039c74a4aee543508d2ffcb1c3799cdea

.github/workflows/update-dependency-checksums.yml

actions/checkout v4.1.6@a5ac7e51b41094c92402da3b24376905380afc29

actions/setup-java v4.2.1@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9

gradle/actions v3.3.2@db19848a5fa7950289d3668fb053140cf3028d43

actions/github-script v7.0.1@60a0d83039c74a4aee543508d2ffcb1c3799cdea

gradle

gradle.properties

settings.gradle

build.gradle

config/ossindex/ossIndexAudit.gradle

gradle/libs.versions.toml

org.springframework.boot:spring-boot-starter 3.2.5

org.springframework.boot:spring-boot-starter-json 3.2.5

org.springframework.boot:spring-boot-starter-web 3.2.5

org.springframework.boot:spring-boot-starter-tomcat 3.2.5

org.springframework.boot:spring-boot-starter-validation 3.2.5

org.springframework.boot:spring-boot-configuration-processor 3.2.5

org.springframework.boot:spring-boot-starter-test 3.2.5

org.springdoc:springdoc-openapi-starter-webmvc-ui 2.5.0

org.springframework:spring-core 6.1.6

org.springframework:spring-context 6.1.6

org.springframework:spring-web 6.1.6

org.springframework:spring-webmvc 6.1.6

org.springframework:spring-test 6.1.6

org.yaml:snakeyaml 2.2

org.apache.tomcat:tomcat-annotations-api 10.1.24

org.apache.tomcat:tomcat-jsp-api 10.1.24

org.apache.tomcat.embed:tomcat-embed-core 10.1.24

org.apache.tomcat.embed:tomcat-embed-el 10.1.24

org.apache.tomcat.embed:tomcat-embed-jasper 10.1.24

org.apache.tomcat.embed:tomcat-embed-websocket 10.1.24

ch.qos.logback:logback-classic 1.5.6

ch.qos.logback:logback-core 1.5.6

com.github.jknack:handlebars 4.4.0

org.bouncycastle:bcpkix-jdk18on 1.78.1

org.hibernate:hibernate-validator 8.0.1.Final

com.google.code.findbugs:jsr305 3.0.2

org.apache.httpcomponents:httpclient 4.5.14

commons-codec:commons-codec 1.17.0

org.mockito:mockito-core 5.12.0

com.azure:azure-security-keyvault-secrets 4.8.3

com.azure:azure-security-keyvault-keys 4.8.4

com.azure:azure-security-keyvault-certificates 4.6.3

org.projectlombok:lombok 1.18.32

org.junit.jupiter:junit-jupiter 5.10.2

com.github.nagyesta.abort-mission.boosters:abort.booster-junit-jupiter 5.0.118

com.github.nagyesta.abort-mission.boosters:abort.booster-cucumber-jvm 5.0.118

io.cucumber:cucumber-java 7.18.0

io.cucumber:cucumber-testng 7.18.0

io.cucumber:cucumber-picocontainer 7.18.0

com.fasterxml.jackson.core:jackson-core 2.17.1

com.fasterxml.jackson.core:jackson-annotations 2.17.1

com.fasterxml.jackson.core:jackson-databind 2.17.1

com.fasterxml.jackson.dataformat:jackson-dataformat-xml 2.17.1

com.fasterxml.jackson.datatype:jackson-datatype-jsr310 2.17.1

org.testcontainers:testcontainers 1.19.8

org.testcontainers:junit-jupiter 1.19.8

org.springframework.boot 3.2.5

io.freefair.lombok 8.6

com.github.nagyesta.abort-mission-gradle-plugin 5.0.37

com.palantir.docker 0.36.0

com.palantir.docker-run 0.36.0

io.toolebox.git-versioner 1.6.7

org.sonatype.gradle.plugins.scan 2.8.2

org.owasp.dependencycheck 9.2.0

org.cyclonedx.bom 1.8.2

app.cash.licensee 1.11.0

io.github.gradle-nexus.publish-plugin 2.0.0

lowkey-vault-app/build.gradle

lowkey-vault-client/build.gradle

lowkey-vault-docker/build.gradle

lowkey-vault-testcontainers/build.gradle

gradle-wrapper

gradle/wrapper/gradle-wrapper.properties

gradle 8.7

Check this box to trigger a request for Renovate to run again on this repository

Add Import Key feature

Import: Allows a client to import an existing key to Key Vault. Asymmetric keys may be imported to Key Vault using a number of different packaging methods within a JWK construct.

https://docs.microsoft.com/en-us/rest/api/keyvault/keys/import-key/import-key

spring-boot-starter-json-2.6.4.jar: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - spring-boot-starter-json-2.6.4.jar

Path to dependency file: /lowkey-vault-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar

Found in HEAD commit: a3df8c704cbd7c5ce597ed20e793842436ecb39f

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2020-36518	High	7.5	jackson-databind-2.13.1.jar	Transitive	N/A	❌

Details

CVE-2020-36518

Vulnerable Library - jackson-databind-2.13.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /lowkey-vault-docker/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar

Dependency Hierarchy:

spring-boot-starter-json-2.6.4.jar (Root Library)
- ❌ jackson-databind-2.13.1.jar (Vulnerable Library)

Found in HEAD commit: a3df8c704cbd7c5ce597ed20e793842436ecb39f

Found in base branch: main

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
WhiteSource Note: After conducting further research, WhiteSource has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

Add key features (Delete, List, List deleted)

Delete: Allows a client with sufficient permissions to delete a key from Key Vault.
List: Allows a client to list all keys in a given Key Vault.
List deleted keys

spring-boot-starter-2.7.3.jar: 5 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - spring-boot-starter-2.7.3.jar

Path to dependency file: /lowkey-vault-docker/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-25857	High	7.5	snakeyaml-1.30.jar	Transitive	N/A	❌
CVE-2022-38749	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A	❌
CVE-2022-38752	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A	❌
CVE-2022-38751	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A	❌
CVE-2022-38750	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A	❌

Details

CVE-2022-25857

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /lowkey-vault-docker/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

spring-boot-starter-2.7.3.jar (Root Library)
- ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution: org.yaml:snakeyaml:1.31

Step up your Open Source Security Game with Mend here

CVE-2022-38749

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /lowkey-vault-docker/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

spring-boot-starter-2.7.3.jar (Root Library)
- ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38749

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/525/got-stackoverflowerror-for-many-open

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

Step up your Open Source Security Game with Mend here

CVE-2022-38752

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /lowkey-vault-docker/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

spring-boot-starter-2.7.3.jar (Root Library)
- ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38752

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2022-38751

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /lowkey-vault-docker/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

spring-boot-starter-2.7.3.jar (Root Library)
- ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38751

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2022-38750

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /lowkey-vault-docker/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

spring-boot-starter-2.7.3.jar (Root Library)
- ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38750

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/525/got-stackoverflowerror-for-many-open

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

Step up your Open Source Security Game with Mend here

Certificate API - Create/Get certificate - 02

Generate self-signed certificate internally using https://docs.microsoft.com/en-us/rest/api/keyvault/certificates/create-certificate/create-certificate?tabs=HTTP
Implement https://learn.microsoft.com/en-us/rest/api/keyvault/certificates/get-certificate-operation/get-certificate-operation?tabs=HTTP
Implement https://docs.microsoft.com/en-us/rest/api/keyvault/certificates/get-certificate/get-certificate?tabs=HTTP

Unable to find active vault

Describe the bug

Receiving an error from the azclient -> "Unable to find active vault: https://127.0.0.1:8443" I can see in the log of the container that it is reaching the endpoint:

16:45:41.377  INFO [nio-8443-exec-4] c.g.n.l.c.common.CommonSecretController  : Received request to https://127.0.0.1:8443 create secret: sample using API version: 7.2
16:51:16.903  INFO [io-8443-exec-10] c.g.n.l.c.common.CommonSecretController  : Received request to https://127.0.0.1:8443 create secret: sample using API version: 7.2
16:58:14.649  INFO [nio-8443-exec-6] c.g.n.l.c.common.CommonSecretController  : Received request to https://127.0.0.1:8443 create secret: sample using API version: 7.2
17:31:47.418  INFO [nio-8443-exec-8] c.g.n.l.c.common.CommonSecretController  : Received request to https://127.0.0.1:8443 get secret: sample with version: -LATEST- using API version: 7.2

To reproduce

Steps to reproduce the behavior:

Deploy latest version of lowkey-vault into k8s
Try to access the endpoint (I'm using a port-forwarding approach)

apiVersion: apps/v1
kind: Deployment
metadata:
  name: kv-mock
  labels:
    app: kv-mock
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kv-mock
  template:
    metadata:
      labels:
        app: kv-mock
    spec:
      containers:
        - name: kv-mock
          image: "nagyesta/lowkey-vault:1.8.35"
          ports:
            - name: http
              containerPort: 8443
              protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: kv-mock
  labels:
    app: kv-mock
spec:
  type: ClusterIP
  ports:
    - port: 8443
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app: kv-mock

kubectl port-forward service/kv-mock 8443:8443

Expected behavior

Expecting to store and retrieve secrets from endpoint

Actual behavior

receive the above error

The command you used

httpClient := PrepareClient()
co = &azsecrets.ClientOptions{
	azcore.ClientOptions{
		Logging:   policy.LogOptions{IncludeBody: true},
		Transport: &httpClient,
		Retry:     policy.RetryOptions{MaxRetries: 3},
		Telemetry:        policy.TelemetryOptions{},
		PerCallPolicies:  []policy.Policy{},
		PerRetryPolicies: []policy.Policy{},
	},
}
client, err := azsecrets.NewClient(vaultUrl, cred, co)
_, err = client.GetSecret(context.TODO(), "sample", nil)

A minimal project that can be used to reproduce the issue

If applicable. Please do NOT share sensitive information.

Environment

OS: Docker Image deployed in Kubernetes v1.23.6
Version:
golang 1.16
github.com/Azure/azure-sdk-for-go/sdk/azcore v0.20.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.12.0
github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.2.0
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.2.0
github.com/Azure/azure-storage-blob-go v0.14.0
nagyesta/lowkey-vault:1.8.35

Key/Secret backup and restore

Backup: Exports a key/secret in a protected form.
Restore: Imports a previously backed up key/secret.

Add basic 7.3 API support

Add 7.3 as known API version
Serve requests which are unchanged from 7.2 to 7.3
Add tests to new code path

Certificate API - Preparation - Hide managed keys/secrets - 01

Get secrets/keys APIs should filter out managed secrets/keys, but other operations should still work with them.

snakeyaml-1.31.jar: 2 vulnerabilities (highest severity is: 6.5)

Vulnerable Library - snakeyaml-1.31.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /lowkey-vault-app/build.gradle

Path to vulnerable library: /e/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.31/cf26b7b05fef01e7bec00cb88ab4feeeba743e12/snakeyaml-1.31.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.31/cf26b7b05fef01e7bec00cb88ab4feeeba743e12/snakeyaml-1.31.jar

Found in HEAD commit: c25e2a70fe16a17a2bcec0434a86831f6d8959b4

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-38752	Medium	6.5	snakeyaml-1.31.jar	Direct	N/A	❌
CVE-2022-38751	Medium	6.5	snakeyaml-1.31.jar	Direct	N/A	❌

Details

CVE-2022-38752

Vulnerable Library - snakeyaml-1.31.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /lowkey-vault-app/build.gradle

Path to vulnerable library: /e/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.31/cf26b7b05fef01e7bec00cb88ab4feeeba743e12/snakeyaml-1.31.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.31/cf26b7b05fef01e7bec00cb88ab4feeeba743e12/snakeyaml-1.31.jar

Dependency Hierarchy:

❌ snakeyaml-1.31.jar (Vulnerable Library)

Found in HEAD commit: c25e2a70fe16a17a2bcec0434a86831f6d8959b4

Found in base branch: main

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38752

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2022-38751

Vulnerable Library - snakeyaml-1.31.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /lowkey-vault-app/build.gradle

Path to vulnerable library: /e/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.31/cf26b7b05fef01e7bec00cb88ab4feeeba743e12/snakeyaml-1.31.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.31/cf26b7b05fef01e7bec00cb88ab4feeeba743e12/snakeyaml-1.31.jar

Dependency Hierarchy:

❌ snakeyaml-1.31.jar (Vulnerable Library)

Found in HEAD commit: c25e2a70fe16a17a2bcec0434a86831f6d8959b4

Found in base branch: main

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38751

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

spring-boot-starter-web-2.6.5.jar: 1 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - spring-boot-starter-web-2.6.5.jar

Path to dependency file: /lowkey-vault-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.17/3d9c415cb47c96a81b1267665f513e4676af53b4/spring-beans-5.3.17.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.17/3d9c415cb47c96a81b1267665f513e4676af53b4/spring-beans-5.3.17.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-22965	High	9.8	spring-beans-5.3.17.jar	Transitive	N/A	❌

Details

CVE-2022-22965

Vulnerable Library - spring-beans-5.3.17.jar

Spring Beans

Path to dependency file: /lowkey-vault-docker/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.17/3d9c415cb47c96a81b1267665f513e4676af53b4/spring-beans-5.3.17.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.17/3d9c415cb47c96a81b1267665f513e4676af53b4/spring-beans-5.3.17.jar

Dependency Hierarchy:

spring-boot-starter-web-2.6.5.jar (Root Library)
- spring-web-5.3.17.jar
  - ❌ spring-beans-5.3.17.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Spring Framework before 5.2.20 and 5.3.x before 5.3.18 are vulnerable due to a vulnerability in Spring-beans which allows attackers under certain circumstances to achieve remote code execution, this vulnerability is also known as ״Spring4Shell״ or ״SpringShell״. The current POC related to the attack is done by creating a specially crafted request which manipulates ClassLoader to successfully achieve RCE (Remote Code Execution). Please note that the ease of exploitation may diverge by the code implementation.Currently, the exploit requires JDK 9 or higher, Apache Tomcat as the Servlet container, the application Packaged as WAR, and dependency on spring-webmvc or spring-webflux. Spring Framework 5.3.18 and 5.2.20 have already been released. WhiteSource's research team is carefully observing developments and researching the case. We will keep updating this page and our WhiteSource resources with updates.

Publish Date: 2022-01-11

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-01-11

Fix Resolution: org.springframework:spring-beans:5.2.20.RELEASE,5.3.18

Step up your Open Source Security Game with WhiteSource here

spring-boot-starter-test-2.6.7.jar: 1 vulnerabilities (highest severity is: 5.3)

Vulnerable Library - spring-boot-starter-test-2.6.7.jar

Path to dependency file: /lowkey-vault-docker/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.19/4bc68c392ed320c9ab5dc439d7f2deb83f03fe76/spring-beans-5.3.19.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.19/4bc68c392ed320c9ab5dc439d7f2deb83f03fe76/spring-beans-5.3.19.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-22970	Medium	5.3	multiple	Transitive	N/A	❌

Details

CVE-2022-22970

Vulnerable Libraries - spring-core-5.3.19.jar, spring-beans-5.3.19.jar

spring-core-5.3.19.jar

Spring Core

Path to dependency file: /lowkey-vault-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.19/344ff3b291d7fdfdb08e865f26238a6caa86acc5/spring-core-5.3.19.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.19/344ff3b291d7fdfdb08e865f26238a6caa86acc5/spring-core-5.3.19.jar

Dependency Hierarchy:

spring-boot-starter-test-2.6.7.jar (Root Library)
- ❌ spring-core-5.3.19.jar (Vulnerable Library)

spring-beans-5.3.19.jar

Spring Beans

Path to dependency file: /lowkey-vault-docker/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.19/4bc68c392ed320c9ab5dc439d7f2deb83f03fe76/spring-beans-5.3.19.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.19/4bc68c392ed320c9ab5dc439d7f2deb83f03fe76/spring-beans-5.3.19.jar

Dependency Hierarchy:

spring-boot-starter-test-2.6.7.jar (Root Library)
- spring-boot-test-autoconfigure-2.6.7.jar
  - spring-boot-2.6.7.jar
    - spring-context-5.3.19.jar
      - ❌ spring-beans-5.3.19.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Publish Date: 2022-05-12

URL: CVE-2022-22970

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22970

Release Date: 2022-05-12

Fix Resolution: org.springframework:spring-beans:5.2.22,5.3.20;org.springframework:spring-core:5.2.22,5.3.20

Step up your Open Source Security Game with WhiteSource here

jackson-databind-2.13.2.jar: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - jackson-databind-2.13.2.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /lowkey-vault-testcontainers/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.2/926e48c451166a291f1ce6c6276d9abbefa7c00f/jackson-databind-2.13.2.jar,/e/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.2/926e48c451166a291f1ce6c6276d9abbefa7c00f/jackson-databind-2.13.2.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2020-36518	High	7.5	jackson-databind-2.13.2.jar	Direct	N/A	❌

Details

CVE-2020-36518

Vulnerable Library - jackson-databind-2.13.2.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /lowkey-vault-testcontainers/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.2/926e48c451166a291f1ce6c6276d9abbefa7c00f/jackson-databind-2.13.2.jar,/e/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.2/926e48c451166a291f1ce6c6276d9abbefa7c00f/jackson-databind-2.13.2.jar

Dependency Hierarchy:

❌ jackson-databind-2.13.2.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
WhiteSource Note: After conducting further research, WhiteSource has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

Refine OSS Index Scan config

Add a simple way to exclude invalid security vulnerabilities from OSS Index Scan

Purge deleted key/secret

Permanently deletes the specified key/secret.
https://docs.microsoft.com/en-us/rest/api/keyvault/keys/purge-deleted-key/purge-deleted-key
https://docs.microsoft.com/en-us/rest/api/keyvault/secrets/purge-deleted-secret/purge-deleted-secret

Adjust workflows to skip automatic release on version bumps

When Renovate bumps a version and the test passed there is no need to automatically release. A release can be easily triggered manually when mandated.

Add support for .Net clients

Background

Early tests identified problems when using with .Net clients.
This issue aims to fine-tune Lowkey Vault in order to support the official .Net clients better and demonstrate it with a POC

Acceptance criteria

TLSv1.3 is replaced with TLSv1.2
Cipher suite is set to a sensible alternative that can work with most clients and TLSv1.2 (can be default)
The consumes and produces attributes of the annotations used for request mapping are reviewed, unnecessary restrictions are removed.
The authentication filter is updated to return absolute URIs in case of authorization_uri
Example project is created showing .Net POC usage
Java integration must not be affected

Add special endpoint to simulate that a duration of time passed for items in a single vault:

Should shift all time stamps in the vault with the given amount to the past (like we created the items in the past, then waited enough time for seeing them as old now)

Wrong type for jacksom-bom dependency in lowkey-vault-client

Describe the bug

Dependency on jacksom-bom in lowkey-vault-client needs to specify pom. If not the it will try to resolve the default type which is jar.

To reproduce

Add lowkey-vault-client as a dependency in a Maven project where jackson-bom is already used
Maven fails with Could not resolve dependencies for project my.project:module:jar:1.0-SNAPSHOT: Could not find artifact com.fasterxml.jackson:jackson-bom:jar:2.13.3

Expected behavior

That the build works by downloading the pom instead

Actual behavior

Maven fails with Could not resolve dependencies for project my.project:module:jar:1.0-SNAPSHOT: Could not find artifact com.fasterxml.jackson:jackson-bom:jar:2.13.3

The command you used

mvn clean install

A minimal project that can be used to reproduce the issue

If applicable. Please do NOT share sensitive information.

Environment

OS: Mac OS 12.5
Version: 1.8.36
Java version: 11.0.16

Additional context

Temporarly fixed with

    <dependency>
        <groupId>com.github.nagyesta.lowkey-vault</groupId>
        <artifactId>lowkey-vault-client</artifactId>
        <version>1.8.35</version>
        <scope>test</scope>
        <exclusions>
            <exclusion>
                <groupId>com.fasterxml.jackson</groupId>
                <artifactId>jackson-bom</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

Add banner

Add app banner displaying Spring Boot and Lowkey Vault versions

Bug: default.lowkey-vault.local is not covered by the self-signed certificate

Describe the bug

The default.lowkey-vault.local domain, which is one of the default vaults registered at app startup, is not covered by the sel-fsigned certificate used by Lowkey Vault.

To reproduce

Steps to reproduce the behavior:

Start the Lowkey Vault app
Send a request to Lowkey Vault using https://default.lowkey-vault.local:8443 as vault address

Expected behavior

The certificate validation is OK.

Actual behavior

Exception complaining about invalid certificate.

The command you used

A minimal project that can be used to reproduce the issue

N/A

Environment

OS: Any
Version: Any
Java version: Any

Additional context

Relates to #256

Migrate base image to Temurin

Replace OpenJDK base image with Temurin

Key feature (Update)

Update: Allows a client with sufficient permissions to modify the metadata (key attributes) associated with a key previously stored within Key Vault.

Skip TLD scanning on startup

Configure Tomcat to skip TLD scanning.

azure-security-keyvault-keys-4.4.1.jar: 1 vulnerabilities (highest severity is: 5.5) - autoclosed

Vulnerable Library - azure-security-keyvault-keys-4.4.1.jar

Path to dependency file: /lowkey-vault-testcontainers/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.73.Final/27731b58d741b6faa6a00fa3285e7a55cc47be01/netty-common-4.1.73.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.73.Final/27731b58d741b6faa6a00fa3285e7a55cc47be01/netty-common-4.1.73.Final.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-24823	Medium	5.5	netty-common-4.1.73.Final.jar	Transitive	N/A	❌

Details

CVE-2022-24823

Vulnerable Library - netty-common-4.1.73.Final.jar

Library home page: https://netty.io/

Path to dependency file: /lowkey-vault-docker/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.73.Final/27731b58d741b6faa6a00fa3285e7a55cc47be01/netty-common-4.1.73.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.73.Final/27731b58d741b6faa6a00fa3285e7a55cc47be01/netty-common-4.1.73.Final.jar

Dependency Hierarchy:

azure-security-keyvault-keys-4.4.1.jar (Root Library)
- azure-core-http-netty-1.11.9.jar
  - reactor-netty-http-1.0.15.jar
    - netty-resolver-dns-4.1.72.Final.jar
      - ❌ netty-common-4.1.73.Final.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own java.io.tmpdir when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

Publish Date: 2022-05-06

URL: CVE-2022-24823

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24823

Release Date: 2022-05-06

Fix Resolution: io.netty:netty-all;io.netty:netty-common - 4.1.77.Final

Step up your Open Source Security Game with WhiteSource here

Add request logging option

Log full request body to help with debugging

Create Go example project

Implement example project using the Go SDK.
https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-go#sample-code

jackson-databind-2.13.4.jar: 1 vulnerabilities (highest severity is: 5.5)

Vulnerable Library - jackson-databind-2.13.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /lowkey-vault-testcontainers/build.gradle

Path to vulnerable library: /e/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.4/98b0edfa8e4084078f10b7b356c300ded4a71491/jackson-databind-2.13.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.4/98b0edfa8e4084078f10b7b356c300ded4a71491/jackson-databind-2.13.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.4/98b0edfa8e4084078f10b7b356c300ded4a71491/jackson-databind-2.13.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.4/98b0edfa8e4084078f10b7b356c300ded4a71491/jackson-databind-2.13.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.4/98b0edfa8e4084078f10b7b356c300ded4a71491/jackson-databind-2.13.4.jar,/e/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.4/98b0edfa8e4084078f10b7b356c300ded4a71491/jackson-databind-2.13.4.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-42003	Medium	5.5	jackson-databind-2.13.4.jar	Direct	N/A	❌

Details

CVE-2022-42003

Vulnerable Library - jackson-databind-2.13.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /lowkey-vault-testcontainers/build.gradle

Path to vulnerable library: /e/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.4/98b0edfa8e4084078f10b7b356c300ded4a71491/jackson-databind-2.13.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.4/98b0edfa8e4084078f10b7b356c300ded4a71491/jackson-databind-2.13.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.4/98b0edfa8e4084078f10b7b356c300ded4a71491/jackson-databind-2.13.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.4/98b0edfa8e4084078f10b7b356c300ded4a71491/jackson-databind-2.13.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.4/98b0edfa8e4084078f10b7b356c300ded4a71491/jackson-databind-2.13.4.jar,/e/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.4/98b0edfa8e4084078f10b7b356c300ded4a71491/jackson-databind-2.13.4.jar

Dependency Hierarchy:

❌ jackson-databind-2.13.4.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

Publish Date: 2022-10-02

URL: CVE-2022-42003

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

Configure Abort-Mission selective test runs

Configure Abort-Mission evaluator names
Set up convenient way to run only certain features of the Docker build

spring-boot-starter-test-2.7.3.jar: 5 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - spring-boot-starter-test-2.7.3.jar

Path to dependency file: /lowkey-vault-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Found in HEAD commit: c25e2a70fe16a17a2bcec0434a86831f6d8959b4

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-25857	High	7.5	snakeyaml-1.30.jar	Transitive	N/A	❌
CVE-2022-38749	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A	❌
CVE-2022-38752	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A	❌
CVE-2022-38751	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A	❌
CVE-2022-38750	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A	❌

Details

CVE-2022-25857

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /lowkey-vault-docker/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

spring-boot-starter-test-2.7.3.jar (Root Library)
- spring-boot-starter-2.7.3.jar
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in HEAD commit: c25e2a70fe16a17a2bcec0434a86831f6d8959b4

Found in base branch: main

Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution: org.yaml:snakeyaml:1.31

Step up your Open Source Security Game with Mend here

CVE-2022-38749

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /lowkey-vault-docker/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

spring-boot-starter-test-2.7.3.jar (Root Library)
- spring-boot-starter-2.7.3.jar
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in HEAD commit: c25e2a70fe16a17a2bcec0434a86831f6d8959b4

Found in base branch: main

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38749

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/525/got-stackoverflowerror-for-many-open

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

Step up your Open Source Security Game with Mend here

CVE-2022-38752

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /lowkey-vault-docker/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

spring-boot-starter-test-2.7.3.jar (Root Library)
- spring-boot-starter-2.7.3.jar
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in HEAD commit: c25e2a70fe16a17a2bcec0434a86831f6d8959b4

Found in base branch: main

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38752

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2022-38751

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /lowkey-vault-docker/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

spring-boot-starter-test-2.7.3.jar (Root Library)
- spring-boot-starter-2.7.3.jar
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in HEAD commit: c25e2a70fe16a17a2bcec0434a86831f6d8959b4

Found in base branch: main

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38751

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2022-38750

Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /lowkey-vault-docker/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.30/8fde7fe2586328ac3c68db92045e1c8759125000/snakeyaml-1.30.jar

Dependency Hierarchy:

spring-boot-starter-test-2.7.3.jar (Root Library)
- spring-boot-starter-2.7.3.jar
  - ❌ snakeyaml-1.30.jar (Vulnerable Library)

Found in HEAD commit: c25e2a70fe16a17a2bcec0434a86831f6d8959b4

Found in base branch: main

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38750

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/525/got-stackoverflowerror-for-many-open

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

Step up your Open Source Security Game with Mend here

Key feature - Sign/Verify

Implement API function

Backup/restore all data

New endpoint for backing up all data and metadata including
- vault names and properties
- full backup of all keys
- full backup of all secrets
Add startup parameter to load earlier backup from a file/folder
- ignore automatic vault registration parameters in this case
- allow using placeholders to fill backup with dynamic information such as
  - port number
  - host/ip
  - timestamps relative to current time ("now-123", "now+123")
Add option to attach an earlier backup using a volume (in Docker)

Pin Jar/POM dependencies using checksums

Save checksums in dependency verification XML
Add workflow to update checksums

7.3 API - Key rotation logic

Implement key rotation inside Lowkey Vault
Implement rotate key endpoint
Include key rotation policy in endpoints where it must appear: restore key, backup key
Documentation: https://docs.microsoft.com/en-us/rest/api/keyvault/keys/rotate-key/rotate-key

Howto get connection working with a non standard ip address

Question

I have som Junit5 tests running fine on my local machine, but I am trying to get the builds running on Jenkins. Jenkins is running containers on a dedicated IP address (10.1.0.1) which is not 127.0.0.1, and I don´t have access to modifying the hosts file to add any aliases. So I have been fiddeling around with a lot of different settings to try to get this working, but I am always ending up with the follow error:

Error during creation of vault: Certificate for <10.1.0.1> doesn't match any of the subject alternative names: [lowkey-vault.local, lowkey-vault, *.localhost, *.lowkey-vault, *.lowkey-vault.local, *.default.svc.cluster.local, localhost, 127.0.0.1]

If I modify ApacheHttpClient#ApacheHttpClient with the following

TrustStrategy acceptingTrustStrategy = (cert, authType) -> true; builder.loadTrustMaterial(null, acceptingTrustStrategy); SSLContext build = builder.loadTrustMaterial(new TrustAll()).build(); final SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(build, SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
to access any cerificate/hostname it starts working, but I really want to try to get it running with the built in lowkey-client.

Maybe I am trying to use Lowkey in the wrong way, but to get this working it seems I need to create an vault with the URI https://10.1.0.1:30443.

Is there any way to make the initial vault, without using .importFile() create with the vault URI like https://10.1.0.1:30443 ?

azure-security-keyvault-keys-4.5.0.jar: 2 vulnerabilities (highest severity is: 5.5)

Vulnerable Library - azure-security-keyvault-keys-4.5.0.jar

Path to dependency file: /lowkey-vault-client/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.3/56deb9ea2c93a7a556b3afbedd616d342963464e/jackson-databind-2.13.3.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.3/56deb9ea2c93a7a556b3afbedd616d342963464e/jackson-databind-2.13.3.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2022-42004	Medium	5.5	jackson-databind-2.13.3.jar	Transitive	N/A	❌
CVE-2022-42003	Medium	5.5	jackson-databind-2.13.3.jar	Transitive	N/A	❌

Details

CVE-2022-42004

Vulnerable Library - jackson-databind-2.13.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /lowkey-vault-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.3/56deb9ea2c93a7a556b3afbedd616d342963464e/jackson-databind-2.13.3.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.3/56deb9ea2c93a7a556b3afbedd616d342963464e/jackson-databind-2.13.3.jar

Dependency Hierarchy:

azure-security-keyvault-keys-4.5.0.jar (Root Library)
- azure-core-1.32.0.jar
  - ❌ jackson-databind-2.13.3.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Publish Date: 2022-10-02

URL: CVE-2022-42004

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.13.4

Step up your Open Source Security Game with Mend here

CVE-2022-42003

Vulnerable Library - jackson-databind-2.13.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /lowkey-vault-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.3/56deb9ea2c93a7a556b3afbedd616d342963464e/jackson-databind-2.13.3.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.3/56deb9ea2c93a7a556b3afbedd616d342963464e/jackson-databind-2.13.3.jar

Dependency Hierarchy:

azure-security-keyvault-keys-4.5.0.jar (Root Library)
- azure-core-1.32.0.jar
  - ❌ jackson-databind-2.13.3.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

Publish Date: 2022-10-02

URL: CVE-2022-42003

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

Add support for alias vault URLs

From: @aiceball

One issue I do have, however, is that to my understanding the vault is defined ONLY through the keyvault URI used. If I have a container on the same docker network communicating with lowkey-vault, the vault I'll be hitting will be based on the internal network name I gave that container, i.e. akv. If I try to write content to the lowkey-vault from a local python-client, however, the address is different, because I am communicating with lowkey-vault from outside the docker network:

graph
    Python-client -- https://localhost:8443 --> Docker-Lowkey-Vault
    Docker-Service -- https://akv:8443 --> Docker-Lowkey-Vault

I wonder if some sort of vault aliasing feature can be added on the management API layer, either at creation time:

POST /management/vault

{
  "baseUri": "https://bbv:8443",
  "aliasUri": "https://localhost:8443",
  "recoveryLevel": "CustomizedRecoverable+Purgeable",
  "recoverableDays": 42,
  "created": 1641092645,
  "deleted": 1641092645
}

or an additional modification point:

PUT /management/vault/{baseUri}

{
 "aliasUri": "https://{newUri}:8443"
}

What this would enable is an access to the same keyvault from multiple networks, i.e. a local network, an internal docker network, an ngrok tunnel, etc.

I am using the Azure Python library to communicate with the Lowkey-Vault if that information is relevant.

springdoc-openapi-ui-1.6.6.jar: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - springdoc-openapi-ui-1.6.6.jar

Path to dependency file: /lowkey-vault-app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar

Found in HEAD commit: ea5cc1904952b2466ef5a2cc88b153c077ef1685

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in	Remediation Available
CVE-2020-36518	High	7.5	jackson-databind-2.13.1.jar	Transitive	N/A	❌

Details

CVE-2020-36518

Vulnerable Library - jackson-databind-2.13.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /lowkey-vault-docker/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar

Dependency Hierarchy:

springdoc-openapi-ui-1.6.6.jar (Root Library)
- springdoc-openapi-webmvc-core-1.6.6.jar
  - springdoc-openapi-common-1.6.6.jar
    - swagger-core-2.1.12.jar
      - ❌ jackson-databind-2.13.1.jar (Vulnerable Library)

Found in HEAD commit: ea5cc1904952b2466ef5a2cc88b153c077ef1685

Found in base branch: main

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
WhiteSource Note: After conducting further research, WhiteSource has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with WhiteSource here

nagyesta / lowkey-vault Goto Github PK

lowkey-vault's Introduction

Recommended use

Valid use-cases

Quick start guide

Java

Docker

Testcontainers

Features

Keys

Secrets

Certificates

Management API

Functionality

Swagger

Port mappings (Default)

HTTP :8080

HTTPS :8443

Startup parameters

Example projects

Limitations

lowkey-vault's People

Contributors

Stargazers

Watchers

Forkers

lowkey-vault's Issues

Describe the bug

To reproduce

Expected behavior

Actual behavior

The command you used

A minimal project that can be used to reproduce the issue

Environment

Additional context

Vulnerabilities

Details

Vulnerable Library - jackson-databind-2.13.1.jar

Vulnerability Details

CVSS 3 Score Details (5.5)

Suggested Fix

Vulnerabilities

Details

Vulnerable Library - commons-codec-1.11.jar

Vulnerability Details

CVSS 3 Score Details (6.5)

Suggested Fix

Vulnerabilities

Details

Vulnerable Library - jackson-databind-2.13.1.jar

Vulnerability Details

CVSS 3 Score Details (7.5)

Open

Ignored or Blocked

Detected dependencies

Vulnerabilities

Details

Vulnerable Library - jackson-databind-2.13.1.jar

Vulnerability Details

CVSS 3 Score Details (7.5)

Vulnerabilities

Details

Vulnerable Library - snakeyaml-1.30.jar

Vulnerability Details

CVSS 3 Score Details (7.5)

Suggested Fix

Vulnerable Library - snakeyaml-1.30.jar

Vulnerability Details

CVSS 3 Score Details (6.5)

Suggested Fix

Vulnerable Library - snakeyaml-1.30.jar

Vulnerability Details

CVSS 3 Score Details (6.5)

Vulnerable Library - snakeyaml-1.30.jar

Vulnerability Details

CVSS 3 Score Details (6.5)

Vulnerable Library - snakeyaml-1.30.jar

Vulnerability Details

CVSS 3 Score Details (6.5)

Suggested Fix

HTTP `:8080`

HTTPS `:8443`