#23 and #24 are failing CI because actions/dependency-review-action is suddenly identifying seventeen vulnerabilities, while it hasn't made note of anything before.
Further down in its output, we can see it thinks every dependency across the project was newly added. This is relevant because it "scans your pull requests for dependency changes, and will raise an error if any vulnerabilities or invalid licenses are being introduced." The action's documentation links to the API method it uses, and the following commands reflect the same issue (first comparing the PR's head and base, then using an earlier commit from main as the base).
The key difference about the current tip of main is that it was pushed by Dependabot, via a merge command. When the CI ran on it, the following warning was emitted.
Failed to submit dependency graph dependency-graph-reports/ci-build.json.
Please ensure that the 'contents: write' permission is available for the workflow job.
Note that this permission is never available for a 'pull_request' trigger from a repository fork.
This is the same sort of issue we previously had on prio-server, where container images couldn't be pushed from Dependabot's merge commits because secrets weren't provided. To get out of this jam, I could rebase the PR branches back one, so that it has a good base dependency graph to work from, or maybe just re-run the workflow, so that it can successfully run with my github.actor. Based on this blog post we could fix this long-term by specifying permissions explicitly for the build job. Alternatively, we could avoid @dependabot squash and merge, and instead use GitHub's merge and automerge features directly.
Separately, while a lot of the reported vulnerabilities are in build tools only, or are otherwise not applicable to our uses of libraries, it would be nice to get some of these vulnerable dependency versions with fixes available updated. I'm not sure whether there's a good way to update transitive dependencies without the direct dependency itself updating. At any rate, AGP 8.1.3 came out last week, and that may help.
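The long-term fix mentioned above (explicit job permissions so a Dependabot-triggered run can still submit the dependency graph), as an added example that is not this repository's workflow. It assumes a Gradle build using gradle/gradle-build-action's dependency-graph feature; the job names and the Java setup are illustrative.

```yaml
# Added example, not the project's own CI config.
# Dependabot-triggered runs get a read-only GITHUB_TOKEN by default, which is
# why the dependency-graph submission in the issue failed. Declaring the
# permissions per job restores exactly the scope each job needs and no more.
name: ci
on:
  push:
    branches: [main]
  pull_request:

# Default every job to no token permissions; each job opts in below.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # required to submit the dependency-graph snapshot
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin   # assumed toolchain
          java-version: '17'
      - uses: gradle/gradle-build-action@v2
        with:
          # Assumed setup: submits a snapshot like dependency-graph-reports/ci-build.json.
          # Note: a pull_request run from a fork can never hold contents: write,
          # so submission only succeeds on push to main here.
          dependency-graph: generate-and-submit
      - run: ./gradlew build

  dependency-review:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read    # the review action only needs to read the graph
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v3
```

With the base commit's snapshot submitted correctly, the review action compares head against base instead of treating every dependency as newly introduced.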
Rebasing worked to get things unstuck; it now has a correct view of the dependency changes. Re-running the workflow on 1f3b477 didn't work; the issue I was looking at may have meant starting a new workflow_dispatch run. I had Dependabot re-scan the repository to pick up the new AGP version, but it failed to do so because it only checked the Gradle Central Plugin Repository, JCenter, and Maven Central repositories. AGP was instead downloaded from Google's repository. We can work around this by defining the registry explicitly in the configuration file.
Submitted dependency-graph-reports/ci-build.json: The snapshot was accepted, but it is superseded by a newer snapshot from the same detector and correlator. It will not update dependency results for the repository.
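The registry workaround from the comment above, as an added example rather than this repository's actual dependabot.yml. It assumes a single Gradle project at the repository root and uses Google's public Maven repository URL; the registry name and schedule are illustrative.

```yaml
# Added example, not the project's own configuration.
# Dependabot only consults the registries it is told about, so AGP releases
# published to Google's Maven repository are invisible until that repository
# is declared here and attached to the Gradle update config.
version: 2
registries:
  google-maven:                     # name is arbitrary
    type: maven-repository
    url: https://maven.google.com   # assumed: Google's public Maven repo
updates:
  - package-ecosystem: gradle
    directory: /                    # assumed: build at the repository root
    registries:
      - google-maven                # without this line the registry is unused
    schedule:
      interval: weekly
```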