| Table of Contents |
|---|
Overview
This page provides WhiteSource Mend notices for its customers.
To ensure that you remain updated, WhiteSource Mend recommends that you subscribe to the Customer Community Portal Announcements section in order to receive immediate email notifications on important announcements, and follow the biweekly release notes.
...
The default of php.removeDuplicateDependencies has been changed to True.
File System Agent
The WhiteSource Mend File System Agent (FSA) has been renamed to the WhiteSource Unified Mend Unified Agent.
Sun License
The name of the Sun license was changed to Sun Public License. (21.3.2, 4/11/21)
...
New and updated documentation has been published for the Global Org/Organization/Product/Project-Level APIs and Product and Project-Level APIs.
...
Mend Cure Version (version 21.7.1)
A new product, WhiteSource Mend Cure, has been released in beta status. WhiteSource Mend Cure automatically generates remediation suggestions and proposed fixes for vulnerabilities identified by detection tools in proprietary code. The remediation suggestions, called “reports”, are displayed on the vulnerable code itself and can be used as-is in your IDE.
...
The contents of the following topics were moved. The pages of those topics will be deprecated. Note that after being moved, no changes to the information contained will be made
The contents of Triggering a new Scan in Bitbucket were moved to WhiteSource Mend for Bitbucket Server.
The contents of Utilizing Security Vulnerabilities Information were moved to Understanding and Managing Security Vulnerabilities.
...
High Severity Bugs Report
File System
Getting Started
Setup Projects
Automate the Process by Using the Unified Agent
Deprecated Features was deprecated and the content was moved to the Notices page
Setting the Home Page was deprecated and the content was moved to the WhiteSource Mend Home Page topic.
Version 21.2.2
Beginning in this version the following page was archived and is therefore no longer in use.
WhiteSource Mend Advise for Visual Studio Codespaces
...
The TeamCity plugin will reach its End Of Life starting November 1, 2021. After this date, WhiteSource Mend will no longer provide standard support, including updates and fixes, for the deprecated plugin. Extended Support, which is limited to configuration and Support troubleshooting, will continue until May 1, 2022. Following this date, the TeamCity plugin will no longer be supported by WhiteSourceMend. Please make sure to migrate to the Unified Agent before the end of standard support on November 1, 2021 to maintain full support o
...
Beginning on February 15, 2020, WhiteSource Mend will deprecate API version 1.0 and below for new developments to make way for the more advanced and secure versions 1.1, 1.2 and 1.3. Support for 1.0 versions and below will end six months from that date (August 15, 2020).
Additionally, on February 15, 2020, WhiteSource Mend will begin enforcing the quota limits for API usage per customer according to the contract. Please prepare accordingly for these changes. For any questions or concerns, contact WhiteSource Mend support.
IntelliJ Old Plugin End of Life
On July 12, 2020, WhiteSource Mend will deprecate the old plugin version of WhiteSource Mend Advise for IntelliJ (see here).
A new WhiteSource Mend Advise plugin is already available directly from the IntelliJ IDEA Marketplace (see here), which besides offering the same features as the old plugin, includes functionality improvements as well as performance-related enhancements.
...
With the wide functionality of the WhiteSource Mend Unified Agent providing support for more than 200 languages, the NuGet plugin will reach its End Of Life starting October 1, 2020.
After this date, WhiteSource Mend will no longer provide standard support, including updates and fixes, for the deprecated plugin. Extended Support, which is limited to configuration and Support troubleshooting, will continue until April 1, 2021. Following this date, the NuGet plugin will no longer be supported by WhiteSourceMend. Please make sure to migrate to the Unified Agent before the end of standard support on October 1, 2020 to maintain full support of your product.
...
JFrog's vulnerability data integration strategy has changed: Integration with third-party providers of solutions that scan open-source libraries will no longer be available. Therefore, WhiteSource’s Mend’s Xray Integration will be deprecated.
Shared customers integrating Xray with WhiteSource Mend will no longer be supported or maintained by JFrog. Note that existing integrations with JFrog Artifactory (independent of JFrog Xray) are not affected.WhiteSource Mend invites you to continue to use its variety of supported integrations for detecting vulnerabilities in open-source software. For more information, contact support@whitesourcesoftware.com.
...
In some cases, vulnerabilities are fixed by the deprecation of the vulnerable classes or methods. To that extent, WhiteSourceMend, as other official advisories, will mark the vulnerabilities as fixed with the relevant version. In these cases, the vulnerabilities are fixed by adding "@Deprecated" to the vulnerable method.
...
Major improvements to the Azure DevOps integration have been introduced. The underlying scanning mechanism has been modified to allow a direct WhiteSource Mend scan from within the Azure DevOps pipeline. As part of this change, the following updates have been introduced:
The extension activation procedure has been moved to the Organization settings section by navigating to Organization settings > Extensions > WhiteSourceMend page.
The WhiteSource Mend tab under Project > Pipelines has been deprecated.
The WhiteSource Mend Open Source Risk Report is available at the Azure DevOps build level only, deprecating the project level aggregated report.
The direct WhiteSource Mend scan from within the Azure DevOps pipeline is now the only scanning option.
...
There are three main challenges that should be taken into consideration in order to understand WhiteSource’s Mend’s support for GO projects:
Commits are pushed to GO repositories at a high rate (several times per day).
GO repositories are relatively large in size.
GO provides an option to use the “latest” package, meaning the latest commit pushed to the repository.
The combination of these three factors create difficulty when scanning GO projects, and retrieving the exact commit that was used would cause WhiteSource Mend scans for GO projects to take an exceptionally long time.
In order to overcome the challenges described above, whenever the given SHA-1 isn’t immediately recognized by WhiteSourceMend, an approximate result is provided while WhiteSource Mend imports the exact requested commit. Whenever a library displayed in the WhiteSource Mend UI as an approximated result, it will be displayed as such with a disclaimer in the library details page while the exact commit is imported in the background. Once the exact commit is imported, it will automatically replace the approximate result in your inventory.
...
In the next Unified Agent release, the behavior of the includes and excludes and parameters will be fixed with respect to the use of the projectPerFolder parameter by matching their values relative to the main root path.
Within the next two releases of the Unified Agent, several improvements to the default configuration will be introduced:
The includes parameter will have a default value (comprises of all the WhiteSource Mend supported extensions) that will be applied to all the Unified Agent's configuration methods (environment variables, config file, etc)
The excludes parameter will have a default value of
**/.*, **/node_modules, **/src/test, **/testdata, **/*sources.jar, **/*javadoc.jar
Within the next two releases of the Unified Agent, the Go dependencies detection will be improved by enabling the optimized resolver for Go Modules by default. In addition, the Go resolution will no longer be triggered by Go source files and will be aligned to the other resolvers to be triggered only by the package managers' manifest files.
...
If you are using PowerShell, you might encounter an issue where downloading files from GitHub.com fails with HTTP 403 when going through BITS, and a signed URL is required. Refer here for a description of the issue and the solution.
If you are using Linux, use this command and link to the .jar file: curl-LJO https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar
Contact WhiteSource Mend Support if further assistance is needed.
...
Taking into consideration the fact that the vulnerable DLL libraries may still be loaded and that WhiteSource Mend retrieves the SHA-1 identifiers of the DLL libraries after the NuGet package is built, the vulnerabilities mentioned above will continue to be reported by WhiteSource Mend so users can ensure their environment isn't vulnerable.
...
As many of you know, OSS vulnerabilities are published in multiple advisories.The National Vulnerability Database (NVD) is commonly acknowledged as a primary database for known security vulnerabilities but has been arguably slow in adopting data from advisories. In order to attain broader coverage of reported security vulnerabilities, WhiteSource Mend has not been relying solely on the NVD but has been reviewing vulnerability data from dozens of additional sources as well. Whereas the NVD publishes security vulnerabilities using a "CVE-" prefixed identifier, WhiteSource Mend classifies non-NVD security vulnerabilities using a "WS-" prefix.Recently, we have noticed that the NVD features support for additional sources, potentially enabling it to encompass security vulnerabilities that are already flagged by WhiteSource Mend using a designated "WS-" identifier.
...
To avoid duplicate, redundant identifiers for vulnerabilities (i.e., "WS-" and "CVE-" entries that refer to the same vulnerability), WhiteSource Mend will replace non-NVD, "WS-" entries with the corresponding NVD, "CVE-" entries featuring associated CVE metadata, thereby enabling customers to benefit from the extended coverage of pertinent vulnerabilities directly from the NVD. The new CVEs were assigned by NVD with a “CVE-2018-” prefix.
...
(npm packages only) Customers may notice that some or all of the "WS-" entries previously featured in WhiteSource Mend displays and reports are no longer listed in their inventory. Such "WS-" entries are now listed with corresponding "CVE-" identifiers and feature the vulnerability metadata from the NVD.For these vulnerabilities, the severity and score may change.New alerts associated with vulnerabilities that were previously marked using a "WS-" identifier will be triggered as well with "CVE-" information.
...
CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGHCVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service.
CVSS 3.x Score: 7.5 HIGH
Vulnerable Projects
Project | Vulnerabilities | Vulnerable Versions | Mitigation |
|---|---|---|---|
CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518. | 6.x: 6.0 - 6.2.3 | 6.x: No fix available. | |
CVE-2019-9512, CVE-2019-9514. Official Website Advisory | 1.11.x: 1.11.0 - 1.11.12 | 1.11.x: Upgrade to 1.11.13 (patch). | |
CVE-2019-9512, CVE-2019-9514, CVE-2019-9515. Official Website Advisory | 2.2.x: 2.2.0 - 2.2.5 | 2.2.x: Upgrade to 2.2.6 (patch). | |
CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518. Official Website Advisory | 9.3.x - 9.4.20 | Upgrade to 9.4.21 (patch). | |
CVE-2019-9512, CVE-2019-9514, CVE-2019-9515, CVE-2019-9518. Official Website Advisory | 4.1.0-beta4 - 4.1.38 | Upgrade to 4.1.39 (patch-1 [9512, 9514, 9515], patch-2 [9518]). | |
CVE-2019-9511, CVE-2019-9513. Official Website Advisory | 0.1.0 - 1.39.1 | ||
CVE-2019-9511, CVE-2019-9513, CVE-2019-9516. Official Website Advisory | NOTE: The releases (X.Y.Z) splitted into two types: if Y is divisible by 2 - stable, otherwise - mainline. | Stable: Upgrade to 1.16.1 (patch-1 [9511], patch-2 [9513], patch-3 [9516]). | |
CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518. Official Website Advisory | 8.x: 8.0.0 - 8.16.0 | 8.x: Upgrade to 8.16.1 (patch-1 [9511, 9517], patch-2 [9511, 9517], patch-3 [9512, 9515], patch-4 [9512, 9515], patch-5 [9513], patch-6 [9513], patch-7 [9514], patch-8 [9514], patch-9 [9516], patch-10 [9518]). |
...
The package is a metapackage. A metapackage is a package that does not contain any code, but only references other packages. Due to the fact that the package does not contain any code, the package itself cannot contain any vulnerable elements and WhiteSource Mend will not display any vulnerable elements.
For example, according to this Microsoft Advisory, Microsoft.NETCore.App is vulnerable to CVE-2020-0603. However, this is only the case because Microsoft.NETCore.App references Microsoft.AspNetCore.All and Microsoft.AspNetCore.App which are the actual vulnerable packages. Microsoft.NETCore.App itself does not include any actual vulnerable code, and therefore will not be marked as vulnerable by WhiteSourceMend.
The package is only vulnerable if you are using a specific runtime dependency.
For example, according to this Microsoft advisory, Microsoft.AspNetCore.Mvc is vulnerable. However, when comparing the vulnerable and fixed versions of Microsoft.AspNetCore.Mvc, you can see that they contain the same exact code implementation, meaning no vulnerable code exists in the Dlls within this package, but rather in the runtime dependencies it utilizes.
WhiteSource Mend contacted Microsoft officials regarding the above, and Microsoft officials verified that WhiteSource’s Mend’s analysis is correct. Microsoft treats the cases mentioned above as vulnerable in order to raise awareness. Microsoft encourages updating the metapackage to ensure all vulnerable dependencies are updated, rather than updating only specific packages. The same approach is encouraged for runtime dependencies, where Microsoft encourages updating the entire runtime crucial environment packages, rather than referring to specific packages.
...
Major improvements to the Azure DevOps integration will be introduced in July 2021. The underlying scanning mechanism will be modified to allow a direct WhiteSource Mend scan from within the Azure DevOps pipeline. As part of this change, the following updates will be introduced:
The extension activation procedure will be moved to the Organization settings section by navigating to Organization settings > Extensions > WhiteSourceMend page.
The WhiteSource Mend tab under Project > Pipelines will be deprecated.
The WhiteSource Mend Open Source Risk Report will be available at the Azure DevOps build level only, deprecating the project level aggregated report.
The direct WhiteSource Mend scan from within the Azure DevOps pipeline will be the only scanning option.