My Mule application is built with Mule runtime 4.4.0. In the application's pom.xml I have specified the mule-http-connector 1.7.3 dependency as shown below:

        <dependency>
            <groupId>org.mule.connectors</groupId>
            <artifactId>mule-http-connector</artifactId>
            <version>1.7.3</version>
            <classifier>mule-plugin</classifier>
        </dependency>

To check for any vulnerabilities, I am using the OWASP dependency-check Maven plugin with the command shown below:

mvn org.owasp:dependency-check-maven:8.2.1:check

The dependency-check HTML report generated by this plugin lists "mule-module-cors-kernel-1.1.2.jar" as a vulnerable dependency; it is a transitive dependency of the mule-http-connector 1.7.3 dependency used by the application.

The following vulnerabilities are identified:

  • cpe:2.3:a:mulesoft:api_gateway:1.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mulesoft:mule_runtime:1.1.2:*:*:*:*:*:*:*

Links:

But it looks to me that these vulnerabilities are identified only in older versions of Mule runtime, and not in Mule runtime version 4.4.0.

Could someone assist me in determining if the report generated by the OWASP Dependency-Check tool is a false positive or not?

Furthermore, despite utilizing Mule Runtime 4.4.0, why is this vulnerability being flagged in the report?

If it is indeed a valid vulnerability, please specify the reason and how I can go about fixing it.


There is 1 answer below.


The links that you shared about the vulnerabilities show that those vulnerabilities exist in older versions of Mule and were fixed in newer versions. Usually a vulnerability is published after giving the owner of the software a chance to patch it.

Security vulnerability tools are not perfect and can report false positives or miss a vulnerability. You need to be aware of their limitations when using them. You should report the issue to the creator of the tool.

If software has a security vulnerability, your best option is to find out whether a fix has been published, or to contact the author of the software for a solution.
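Editorial note on the mechanism, added here and not part of the question or the answer above: dependency-check does not look at which runtime an application targets. It builds CPE candidates from evidence it finds in each scanned jar (vendor and product strings from the manifest and embedded pom, plus the jar's own version), so "MuleSoft" plus version 1.1.2 from mule-module-cors-kernel-1.1.2.jar is matched against the NVD entries for mulesoft:mule_runtime 1.1.2 and mulesoft:api_gateway 1.1.2. The 4.4.0 runtime version in the application's pom never enters that matching, which is why the report shows 1.1.2. The check a practitioner would do is to read each linked CVE's affected-product and version range and confirm that it describes the runtime, not the CORS module that is actually on the classpath; if so, the finding is a false positive for this artifact and should be suppressed narrowly rather than globally.

The following suppression file is an added example of such a narrow suppression (it is not from the original post or from the dependency-check project; the file name, the `until` date and the note text are assumptions, and the file path regex and CPE prefixes are taken from the report output quoted in the question):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (assumed file name) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Scope the rule to the one jar that produced the false positive.
         The filePath regex keeps a genuine mule_runtime / api_gateway
         finding against any other artifact visible in the report. -->
    <suppress until="2025-12-31Z">
        <notes><![CDATA[
        False positive (assumed review note): mule-module-cors-kernel-1.1.2.jar
        is matched to mulesoft:mule_runtime and mulesoft:api_gateway 1.1.2
        because the version evidence comes from the jar itself, not from the
        Mule 4.4.0 runtime the application runs on. Re-check the linked CVEs
        before the 'until' date; after that date the finding reappears.
        ]]></notes>
        <filePath regex="true">.*mule-module-cors-kernel-1\.1\.2\.jar</filePath>
        <!-- Only the vendor:product prefix is given, so every version of these
             two CPEs is suppressed, but only for the jar matched above. -->
        <cpe>cpe:/a:mulesoft:mule_runtime</cpe>
        <cpe>cpe:/a:mulesoft:api_gateway</cpe>
    </suppress>

</suppressions>
```

Wire it in through the plugin's `suppressionFiles` configuration in pom.xml (`<configuration><suppressionFiles><suppressionFile>dependency-check-suppressions.xml</suppressionFile></suppressionFiles></configuration>` on the dependency-check-maven plugin) and rerun the same `check` goal. The `until` attribute is deliberate: it forces the suppression to expire so the artifact is re-examined after an upgrade of the HTTP connector instead of staying hidden indefinitely.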