[JENKINS-73532] Outdated HSQLDB Dependency in Jenkins performance plugin

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Component: performance-plugin

      I was scanning all our Jenkins plugins using JFrog Xray and found that the Performance Plugin has a dependency on HyperSQL Database (HSQLDB). This dependency includes two Java classes (java.sql.Statement and java.sql.PreparedStatement) which are vulnerable to the critical vulnerability CVE-2022-41853.

      As per the security ticket raised here: SECURITY-3436, your team has confirmed that these classes (java.sql.Statement and java.sql.PreparedStatement) from HSQLDB are not used in this plugin as a transitive dependency of the net.sf.ucanaccess library. Could you please confirm this?

      However, I noticed that the JAR file hsqldb-2.5.0.jar is present in the plugin code, which may contain these classes (java.sql.Statement and java.sql.PreparedStatement).

      Could you please consider updating the HSQLDB JAR to the latest version or at least version 2.7.1?

      For more information, please refer to the Jira ticket here: SECURITY-3436.


          Mark Waite added a comment -

          gopi_22100, security issues are only visible to specific people on issues.jenkins.io. The maintainers of the performance plugin won't be able to see the comments on that issue. I've copied the text that I wrote in that issue into this comment.

          As far as I can tell from reading the source code and reviewing the dependency tree of the performance plugin, the HSQLDB dependency is included in the plugin as a transitive dependency of the net.sf.ucanaccess:ucanaccess library. The ucanaccess library is only used in a single class, LoadRunnerParser. That class includes a single static SQL query that does not allow any untrusted input. Since the vulnerability requires untrusted input, I believe that this is not a vulnerability in the performance plugin.

          Plugin maintainers are encouraged to update dependencies, but in this case, the dependency to be updated is a transitive dependency of the net.sf.ucanaccess library. Updating a transitive dependency usually requires additional verification that the update has not broken the functionality of the primary dependency.

          I reduced the priority of this request from critical to minor because the analysis shows that the plugin is not vulnerable to CVE-2022-41853.


          Gopinath Mellempudi added a comment -

          markewaite Any updates on verifying whether the update to a transitive dependency has affected the functionality of the primary dependency?

          Mark Waite added a comment -

          gopi_22100 there is no update.

          I've not done any additional work on this issue and I don't intend to do any additional work on this issue. I'm not a maintainer of the performance plugin. As far as I can tell, my earlier comments still apply. This is not a vulnerability in the performance plugin.

          Scanners may complain that there is a vulnerable version in the plugin, but those scanners are wrong if they claim that there is a vulnerability in the plugin due to the vulnerable version of the library in the plugin. The solution is for scanner users to record in their scanner that the issue being reported is not a vulnerability.

          If your organization is concerned that the dependency update needs to be performed, then you're welcome to submit a pull request proposing that update.

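One way to propose the update the reporter asks for, as an added example and not anything taken from the performance plugin's own pom.xml: a Maven dependencyManagement entry that overrides the transitive org.hsqldb:hsqldb version pulled in by net.sf.ucanaccess:ucanaccess, plus a maven-enforcer-plugin execution that fails the build if any dependency path resolves an older HSQLDB again. Version 2.7.1 is the minimum named in the report; the enforcer execution id is a placeholder and the plugin version is assumed to be managed by the parent POM.

```xml
<!-- Added example, not the plugin's real pom.xml. Goes inside the <project> element. -->

<!-- 1. Pin the transitive HSQLDB version. dependencyManagement applies to
        transitive dependencies too, so ucanaccess will resolve against 2.7.1
        instead of the 2.5.0 it declares. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.hsqldb</groupId>
      <artifactId>hsqldb</artifactId>
      <version>2.7.1</version>  <!-- minimum version requested in the report -->
    </dependency>
  </dependencies>
</dependencyManagement>

<!-- 2. Guard the pin: fail the build if any path reintroduces HSQLDB < 2.7.1,
        e.g. after a future ucanaccess bump. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <!-- version assumed to be managed by the Jenkins plugin parent POM -->
      <executions>
        <execution>
          <id>ban-vulnerable-hsqldb</id>  <!-- placeholder id -->
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <excludes>
                  <!-- open lower bound, exclusive upper bound: anything below 2.7.1 -->
                  <exclude>org.hsqldb:hsqldb:(,2.7.1)</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

After applying it, `mvn dependency:tree -Dincludes=org.hsqldb:hsqldb` shows which HSQLDB version the build actually resolves and through which path, and exercising LoadRunnerParser against real LoadRunner results is the functional verification the comment above says a transitive update needs.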

            Assignee: Unassigned
            Reporter: Gopinath Mellempudi (gopi_22100)
            Votes: 0
            Watchers: 2