GithubHelp home page GithubHelp logo

opensaml-bom's Introduction

Logo

opensaml-bom

License Maven Central

Maven Bill of Materials (BOM) for OpenSAML

The dependencies you get from OpenSAML sometimes are old and Snyk complains about some of them. This project contains a Maven BOM that fixes these issues.

The versioning of this BOM corresponds to the OpenSAML version that it fixes (starting from 3.4.3) followed by another version which is the actual version for this BOM regarding the given OpenSAML release, for example 3.4.3.R1.

Include the following in your POM using OpenSAML to get patched transitive dependencies:

<dependencyManagement>
  <dependencies>
      
    <!-- Setup OpenSAML dependencies with no reported vulnerabilities. -->
    <dependency>
      <groupId>se.swedenconnect.opensaml</groupId>
      <artifactId>opensaml-bom</artifactId>
      <version>...</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>

  </dependencies>
</dependencyManagement>

Special handling

In most cases you could just include the OpenSAML dependency you need and trust that the OpenSAML BOM has sorted out all dependencies, but for some includes you need to do a little bit more yourself.

dom4j

The opensaml-storage-impl jar has a transitive dependency to dom4j:dom4j:jar:1.6.1. This version has been reported to be vulnerable (https://snyk.io/vuln/SNYK-JAVA-DOM4J-174153). Unfortunately, the replacement needed has another group name (org.dom4j) so the BOM cannot fix this for you. It excludes the bad dom4j-dependency from opensaml-storage-impl, but you need to add the org.dom4j dependency yourself.

So, if you include opensaml-storage-impl as a dependency, you must do:

<dependency>
  <groupId>org.opensaml</groupId>
  <artifactId>opensaml-storage-impl</artifactId>
</dependency>

<!-- We don't want to use dom4j:dom4j:jar:1.6.1 from opensaml-storage-impl. -->   
<dependency>
  <groupId>org.dom4j</groupId>
  <artifactId>dom4j</artifactId>
</dependency>

Velocity and commons-collection

The Velocity template engine jar (org.apache.velocity:velocity:jar:1.7) is included by opensaml-saml-impl. This dependency will include the commons-collections:commons-collections:jar:3.2.1 dependency which Snyk reports has an arbitrary code execution vulnerability (https://app.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). It does not exist any fixes for this bug, so the OpenSAML BOM simply excludes the Velocity-dependency. If you need Velocity (for example when sending an AuthnRequest using OpenSAML-style), you need to include the dependency yourself.

<dependency>
  <groupId>org.apache.velocity</groupId>
  <artifactId>velocity</artifactId>
  <version>1.7</version>
</dependency>

Copyright © 2019-2022, Sweden Connect. Licensed under version 2.0 of the Apache License.

opensaml-bom's People

Contributors

martin-lindstrom avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

opensaml-bom's Issues

dom4j 2.1.1 har vulnerabilities

CVE-2020-10683

high severity
Vulnerable versions: < 2.1.3
Patched version: 2.1.3
dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

Add BOM for OpenSAML 4

We need to add a BOM for OpenSAML 4. Since we need to support OpenSAML 3 as well, we should keep a specific branch for OpenSAML 4.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.