[Security] Bump dependency-check-maven from 9.0.6 to 9.0.7 (!368) · Merge requests · school / jaar2 / lalaland

Dependabot requested to merge dependabot-maven-org.owasp-dependency-check-maven-9.0.7 into master Dec 19, 2023

Bumps dependency-check-maven from 9.0.6 to 9.0.7. This update includes a security fix.

Vulnerabilities fixed

nvdApiKey is logged in debug mode

Summary

The value of nvdApiKey configuration parameter is logged in clear text in debug mode.

Details

The NVD API key is a kind of secret and should be treated like other secrets when logging in debug mode. Expecting the same behavior as for several password configurations: just print ******

Note that while the NVD API Key is an access token for the NVD API - they are not that sensitive. The only thing an NVD API Token grants is a higher rate limit when making calls to publicly available data. The data available from the NVD API is the same whether you have an API Key or not.

PoC

The nvdApiKey is configured to use an environment variable; when running mvn -X dependency-check:check the clear value is logged twice.

Impact

The NVD API key is a kind of secret and should not be exposed. If stolen, an attacker can use this key to obtain already public information.

Patched versions: none Affected versions: >= 9.0.0, <= 9.0.6

Release notes

Sourced from dependency-check-maven's releases.

Version 9.0.7

Refer to the CHANGELOG.md for information about improvements and upgrade notes.

Changelog

Sourced from dependency-check-maven's changelog.

Version 9.0.7 (2023-12-18)

docs: document insecure configuration for GHSA-qqhq-8r2c-c3f5 (#6315)

fix: improve memory usage on NVD update (#6321)

fix: skip pyproject.toml unless it contains tool.poetry (#6316)

fix: resolve build error that may cause an issue on some JDK versions (#6312)

See the full listing of changes.

Commits

f7eab9f build: prepare release v9.0.7
60a3b38 docs: prepare release
1eedf4c fix: skip pyproject.toml unless it contains tool.poetry (#6316)
667fde1 fix: improve memory usage on NVD update (#6321)
8c6a97b build(deps): bump actions/github-script from 7.0.0 to 7.0.1 (#6079)
1fee73a docs: document insecure configuration for GHSA-qqhq-8r2c-c3f5 (#6315)
62ae1a1 fix: resolve build error (#6312)
793931a chore: add codeql back (#6311)
b511b03 build: Release 9.0.6 (#6310)
See full diff in compare view

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

$dependabot rebase will rebase this MR
$dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

[Security] Bump dependency-check-maven from 9.0.6 to 9.0.7

Summary

Details

PoC

Impact

Version 9.0.7

Version 9.0.7 (2023-12-18)

Merge request reports