| Name | Found in Code | CVEs | Due Date | Status |
|----|----|----|----|----|
| json-20180813.jar | This is scattered throughout the https://github.com/hyperledger/fabric-chaincode-java repository as a dependency. The one being reported on is a direct dependency from https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-integration-test/build.gradle, but I would suggest looking at the search results because it is smattered throughout the example projects as well: https://github.com/search?q=repo%3Ahyperledger%2Ffabric-chaincode-java%2020180813&type=code | https://nvd.nist.gov/vuln/detail/CVE-2022-45688 | Aug 21, 2023 | Needs Update |
| junit-4.12.jar | `fabric-chaincode-java` includes jUnit v4.12 directly at https://github.com/hyperledger/fabric-chaincode-java/blob/main/build.gradle#L54. Also referenced here: https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-integration-test/src/contracts/fabric-ledger-api/build.gradle#L22. And here: https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-integration-test/src/contracts/bare-gradle/build.gradle. Also, `fabric-chaincode-java` refers to system-rules v1.17.0 at https://github.com/hyperledger/fabric-chaincode-java/blob/main/build.gradle#L52, which refers to `junit-dep` v4.9 as shown in https://mvnrepository.com/artifact/com.github.stefanbirkner/system-rules/1.17.0, and `junit-dep` v4.9 has migrated to `junit` v4.11 as per https://mvnrepository.com/artifact/junit/junit-dep/4.11 | https://nvd.nist.gov/vuln/detail/CVE-2020-15250 | Oct 20, 2023 | Partially addressed by https://github.com/hyperledger/fabric-chaincode-java/pull/309. https://github.com/hyperledger/fabric-chaincode-java/blob/main/build.gradle#L54 still shows v4.12 as a testCompile dependency; not sure why. |
| logback-classic-1.2.0.jar, logback-core-1.2.0.jar | This is included in the examples as well as in the poms for several of the integration tests. Note that `logback-classic` v1.2.0 imports `logback-core` v1.2.0 at https://mvnrepository.com/artifact/ch.qos.logback/logback-classic/1.2.0. Here are the locations: https://github.com/hyperledger/fabric-chaincode-java/blob/40126d0f1cada533c81f2393ad8c3fa417474417/examples/fabric-contract-example-maven/pom.xml#L18, https://github.com/hyperledger/fabric-chaincode-java/blob/40126d0f1cada533c81f2393ad8c3fa417474417/fabric-chaincode-integration-test/src/contracts/bare-maven/pom.xml#L18, https://github.com/hyperledger/fabric-chaincode-java/blob/40126d0f1cada533c81f2393ad8c3fa417474417/fabric-chaincode-integration-test/src/contracts/wrapper-maven/pom.xml#L18 | https://nvd.nist.gov/vuln/detail/CVE-2021-42550 | Aug 20, 2023 | A lot has improved with many of the examples. One remains (https://github.com/hyperledger/fabric-chaincode-java/blob/main/examples/fabric-contract-example-maven/pom.xml#L18). https://github.com/hyperledger/fabric-chaincode-java/pull/315 fixed it in the examples. This is now resolved ✅ |
| protobuf-java-3.19.4.jar | Check this entire repository for `protobuf-java` v3.19.4. The search results can be seen here: https://github.com/search?q=repo%3Ahyperledger%2Ffabric-chaincode-java%20protobuf-java&type=code. Examples include https://github.com/hyperledger/fabric-chaincode-java/blob/3b5b2cb27ee7834f0f6d30580c7576ae18e48e4d/fabric-chaincode-integration-test/src/contracts/bare-gradle/build.gradle#L26 and https://github.com/hyperledger/fabric-chaincode-java/blob/3b5b2cb27ee7834f0f6d30580c7576ae18e48e4d/fabric-chaincode-integration-test/src/contracts/fabric-shim-api/build.gradle#L26. | https://nvd.nist.gov/vuln/detail/CVE-2022-3509, https://nvd.nist.gov/vuln/detail/CVE-2022-3171, https://nvd.nist.gov/vuln/detail/CVE-2022-3510 | Oct 20, 2023 | The instance of `protobuf-java-util` at https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-shim/build.gradle#L55 has been addressed, but unfortunately the vulnerability is about `protobuf-java`, not `protobuf-java-util`. However, the instances at https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-integration-test/src/contracts/bare-gradle/build.gradle and https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-integration-test/src/contracts/fabric-shim-api/build.gradle have had `protobuf-java` _completely removed_, which is great work. This appears to be the only instance left in the project. Oddly, Mend scanning is still picking another one up, but I can't find it. |
| grpc-protobuf-1.45.4.jar, grpc-protobuf-1.46.0 | One is included in `fabric-chaincode-shim`: https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-shim/build.gradle#L55. There is also one in https://github.com/hyperledger/fabric-chaincode-java/blob/main/fabric-chaincode-shim/build.gradle#L44, which pulls in `fabric-protos` v0.2.0, which includes grpc-protobuf v1.45.1 as per https://mvnrepository.com/artifact/org.hyperledger.fabric/fabric-protos/0.2.0. | https://nvd.nist.gov/vuln/detail/CVE-2023-32731 | Sep 8, 2023 | Needs Update |
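As an added example (not code from the fabric-chaincode-java project or from the author of this table), a small Python scanner that reads `build.gradle` and `pom.xml` dependency declarations and flags the exact jar versions tracked above, keeping the configuration (e.g. `testCompile`) so a leftover test-only pin is visible. The Maven group ids are assumed from the jars' standard coordinates, and the sample build files are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Watchlist built from the tracking table above (group ids are the jars' standard
# Maven coordinates): "group:artifact" -> (vulnerable versions, CVE ids)
WATCHLIST = {
    "org.json:json": ({"20180813"}, ["CVE-2022-45688"]),
    "junit:junit": ({"4.12"}, ["CVE-2020-15250"]),
    "ch.qos.logback:logback-classic": ({"1.2.0"}, ["CVE-2021-42550"]),
    "ch.qos.logback:logback-core": ({"1.2.0"}, ["CVE-2021-42550"]),
    "com.google.protobuf:protobuf-java": ({"3.19.4"}, ["CVE-2022-3509", "CVE-2022-3171", "CVE-2022-3510"]),
    "io.grpc:grpc-protobuf": ({"1.45.4", "1.46.0"}, ["CVE-2023-32731"]),
}

# Gradle string notation: testCompile 'g:a:v'  or  implementation("g:a:v")
GRADLE_DEP = re.compile(r"""^\s*(\w+)\s*\(?\s*['"]([\w.\-]+):([\w.\-]+):([\w.\-]+)['"]""", re.M)

def gradle_deps(text):
    """(configuration, group:artifact, version) triples declared in a build.gradle."""
    return [(cfg, f"{g}:{a}", v) for cfg, g, a, v in GRADLE_DEP.findall(text)]

def pom_deps(text):
    """(scope, group:artifact, version) triples from a pom.xml, ignoring the POM namespace."""
    out = []
    for el in ET.fromstring(text).iter():
        if el.tag.split("}")[-1] != "dependency":
            continue
        f = {c.tag.split("}")[-1]: (c.text or "").strip() for c in el}
        out.append((f.get("scope", "compile"), f"{f['groupId']}:{f['artifactId']}", f.get("version", "")))
    return out

def flag(deps):
    """Keep declarations whose literal version is on the watchlist, with their CVEs.
    Transitive pull-ins (e.g. system-rules -> junit-dep) need the resolved tree, not the build file."""
    hits = []
    for cfg, coord, ver in deps:
        bad, cves = WATCHLIST.get(coord, (set(), []))
        if ver in bad:
            hits.append({"config": cfg, "coord": coord, "version": ver, "cves": cves})
    return hits

# Constructed sample inputs modelled on the declarations discussed above (not the repo's files).
# protobuf-java-util is deliberately not on the watchlist: the CVEs concern protobuf-java itself.
SAMPLE_GRADLE = """dependencies {
    implementation 'com.google.protobuf:protobuf-java-util:3.19.4'
    implementation("com.google.protobuf:protobuf-java:3.19.4")
    testCompile 'junit:junit:4.12'
}"""
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>ch.qos.logback</groupId><artifactId>logback-classic</artifactId>
    <version>1.2.0</version></dependency></dependencies></project>"""
```

Run `flag(gradle_deps(SAMPLE_GRADLE) + pom_deps(SAMPLE_POM))` over the constructed files; only the three literal pins on the watchlist are reported, and the `protobuf-java-util` line is not.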