temporalio / edu-101-java-code
Code Exercises for Temporal 101 in java
License: MIT License
Path to dependency file: /exercises/finale-workflow/go/go.mod
Path to vulnerable library: /exercises/finale-workflow/go/go.mod
| CVE | Severity | CVSS | Dependency | Type | Fixed in (go.temporal.io/sdk-v1.22.1 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-39325 | High | 7.5 | golang.org/x/net-v0.8.0 | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.8.0.zip
Path to dependency file: /exercises/finale-workflow/go/go.mod
Path to vulnerable library: /exercises/finale-workflow/go/go.mod
Dependency Hierarchy:
Found in base branch: main
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
Publish Date: 2023-10-11
URL: CVE-2023-39325
Base Score Metrics:
Type: Upgrade version
Origin: https://pkg.go.dev/vuln/GO-2023-2102
Release Date: 2023-10-11
Fix Resolution: go1.20.10, go1.21.3, golang.org/x/net - v0.17.0
Path to dependency file: /exercises/farewell-workflow/solution/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar
Found in HEAD commit: 609f532cd3d68a8e2f49228ed020168e1ac404b3
| CVE | Severity | CVSS | Dependency | Type | Fixed in (rapidoid-quick version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-22102 | High | 8.3 | mysql-connector-java-5.1.41.jar | Transitive | N/A* | ❌ |
| CVE-2023-5072 | High | 7.5 | json-20140107.jar | Transitive | N/A* | ❌ |
| CVE-2023-6481 | High | 7.5 | logback-core-1.1.3.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /demos/service-workflow/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar
Dependency Hierarchy:
Found in HEAD commit: 609f532cd3d68a8e2f49228ed020168e1ac404b3
Found in base branch: main
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Publish Date: 2023-10-17
URL: CVE-2023-22102
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-22102
Release Date: 2023-10-17
Fix Resolution: com.mysql:mysql-connector-j:8.2.0
JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/

The files in this package implement JSON encoders/decoders in Java. It also includes the capability to convert between JSON and XML, HTTP headers, Cookies, and CDL.

This is a reference implementation. There is a large number of JSON packages in Java. Perhaps someday the Java community will standardize on one. Until then, choose carefully.

The license includes this restriction: "The software shall be used for good, not evil." If your conscience cannot live with that, then choose a different package.

The package compiles on Java 1.2 thru Java 1.4.
Library home page: https://github.com/douglascrockford/JSON-java
Path to dependency file: /exercises/farewell-workflow/practice/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/json/json/20140107/json-20140107.jar
Dependency Hierarchy:
Found in HEAD commit: 609f532cd3d68a8e2f49228ed020168e1ac404b3
Found in base branch: main
Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
Publish Date: 2023-10-12
URL: CVE-2023-5072
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-rm7j-f5g5-27vv
Release Date: 2023-10-12
Fix Resolution: org.json:json:20231013
logback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /demos/service-workflow/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.1.3/logback-core-1.1.3.jar
Dependency Hierarchy:
Found in HEAD commit: 609f532cd3d68a8e2f49228ed020168e1ac404b3
Found in base branch: main
A serialization vulnerability in the logback receiver component, part of logback versions 1.4.13, 1.3.13 and 1.2.12, allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.
Publish Date: 2023-12-04
URL: CVE-2023-6481
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-6481
Release Date: 2023-12-04
Fix Resolution: ch.qos.logback:logback-core:1.2.13,1.3.14,1.4.14