Starting about two weeks ago, OWASP Dependency Check (via nvd-clojure) is reporting multiple CVEs on Datomic. It's in the package memcache-asg-java-client- (file path $HOME/.m2/repository/com/datomic/memcache-asg-java-client/ They are reported as level "CRITICAL". The reported CVEs are:

Partial dependency tree (clojure -Stree):

[own code]
  . com.datomic/peer 1.0.7075
    . com.datomic/memcache-asg-java-client

At the very least I want to make sure that you're aware of this, and I'd also appreciate your advice on whether this is ACTUALLY an issue in Datomic context.

Thank you!

Hi Stefan,

Thanks for letting us know. Memcache-java-asg is a fork of com.aws/elasticache-java-cluster-client which is a fork of spymemcached. You should feel free to exclude our dependency here as needed. You would only use this jar if you were using elasticache and auto node discovery: https://docs.datomic.com/pro/overview/caching.html#node-auto-discovery

That being said, I'll bump the story to update this jar.



@Stefan Van den Oord

I talked with dev and we believe that every match here is a false positive. First, each CVE pertains to either the Memcached server itself or misconfigurations of it and not any client implementations. See: https://docs.google.com/spreadsheets/d/1r_WToan1V61_XbAUz71lw-e2acVMsR2i9zMr6h4ZcDY/edit#gid=0

We were able to run the same scan (same tool, nvd-clojure) and see the same report. The match however, is due to the CVEs mentioning memcached:memcached:*:*:*:*:*:*:*:* UP TO 1.4.x (or similar) as the affected software. The package name and version of memcached-asg-java-client trigger the false positives.

We were able to confirm the above by bumping memcached-asg-java-client to 2.0 locally, repeating the scan, and receiving no CVEs.

We do use nvd-clojure to scan all builds of Datomic and have added the jar to our process with the ruled-out false positives.
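An added example (not from this thread or from Datomic) of how such a match is ruled out in OWASP Dependency Check, which nvd-clojure wraps: a suppression file that drops only the memcached server CPE for the com.datomic/memcache-asg-java-client artifact from the tree above, so any future finding against a different CPE for the same jar is still reported. It assumes the standard Dependency Check suppression schema (version 1.3) and the Maven coordinates shown in the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed suppression file; schema version 1.3 of Dependency Check -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      memcache-asg-java-client is a client fork of spymemcached. The CPE
      memcached:memcached describes the memcached server, so findings
      matched through it do not apply to this client jar.
    ]]></notes>
    <!-- Scope the suppression to this one artifact, any version -->
    <packageUrl regex="true">^pkg:maven/com\.datomic/memcache-asg-java-client@.*$</packageUrl>
    <!-- Drop only the server CPE; other CPE matches for the jar still surface -->
    <cpe>cpe:/a:memcached:memcached</cpe>
  </suppress>
</suppressions>
```

Point nvd-clojure at this file through its suppression-file configuration option (the exact key is in the nvd-clojure README; it is not quoted here) and re-run the scan; suppressing by CPE rather than by individual CVE means a newly published server-side CVE mapped to the same CPE does not reopen the false positive.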