Vulnerabilities? (CVE)

Question - how are vulnerabilities (CVE) handled in Lucee? We do some preliminary scans of our app using Trivy and DependencyChecker before the corporate scanners hit things so we can be prepared.

We just did our first scan of Lucee (6.2) and Trivy reports back about 40+ ‘HIGH’ severity issues - the main culprit seems to be Ehcache.

With Adobe we’d just get exceptions for everything bundled under /opt/coldfusion and I’m assuming we’ll be able to do the same for Lucee but was hoping things might be updated more often?

I found this post which I guess explains the ehcache issues anyway

Pretty sure (from memory) that CVE is based off scanning the bundled pom.xml, rather than the actual jar being used, jackson-databind, right?

The rest-management-private-classpath folder with the vulnerable jackson is bundled inside the ehcache jar but never loaded unless you explicitly enable the <managementRESTService> element in your ehcache.xml config - which this extension doesn’t do.

So the CVE scanner is flagging it because the bytes exist in the jar, but in practice:

  1. The vulnerable jackson classes are in a private classpath that’s only loaded on-demand
  2. The REST management service is never enabled in this extension
  3. The code path that would trigger the jackson deserialization vulnerability is never executed
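A triage check for the situation described in this post, written as an added example (it is not code from the poster, Lucee or Ehcache): it lists where the jackson entries sit inside a jar and whether an ehcache.xml enables `managementRESTService`, then classifies the finding as dormant or reachable. The jar layout, entry names and XML fragments below are constructed, and treating a present element without `enabled="false"` as "on" is an assumption.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Folder inside the ehcache jar that the post says is only loaded on demand.
PRIVATE_CP = "rest-management-private-classpath/"

def jackson_entries(jar_bytes):
    """Return [(entry, in_private_classpath)] for every jar entry naming jackson."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [(n, n.startswith(PRIVATE_CP)) for n in zf.namelist()
                if "jackson" in n.lower()]

def rest_management_enabled(ehcache_xml):
    """True if ehcache.xml declares <managementRESTService> without enabled="false".
    Assumption: a present element with no explicit enabled="false" turns it on."""
    for el in ET.fromstring(ehcache_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "managementRESTService":
            return el.get("enabled", "true").lower() != "false"
    return False

def triage(jar_bytes, ehcache_xml):
    """Classify the scanner finding: 'not-present', 'dormant' or 'reachable'."""
    hits = jackson_entries(jar_bytes)
    if not hits:
        return "not-present"
    only_private = all(private for _, private in hits)
    if only_private and not rest_management_enabled(ehcache_xml):
        return "dormant"      # bytes exist in the jar, but the code path is never enabled
    return "reachable"        # on the main classpath, or the REST service is switched on

# Constructed sample jar: ehcache-style layout with jackson only under the private folder.
def build_sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("net/sf/ehcache/Cache.class", b"")
        zf.writestr(PRIVATE_CP + "META-INF/maven/com.fasterxml.jackson.core/"
                    "jackson-databind/pom.xml", b"<project/>")
        zf.writestr(PRIVATE_CP + "com/fasterxml/jackson/databind/ObjectMapper.class", b"")
    return buf.getvalue()

# Constructed ehcache.xml fragments: no REST element (as in the extension) vs. enabled.
EHCACHE_XML_DEFAULT = '<ehcache><defaultCache maxEntriesLocalHeap="1000"/></ehcache>'
EHCACHE_XML_REST_ON = ('<ehcache><defaultCache maxEntriesLocalHeap="1000"/>'
                       '<managementRESTService enabled="true" bind="0.0.0.0:9889"/></ehcache>')

if __name__ == "__main__":
    jar = build_sample_jar()
    print(triage(jar, EHCACHE_XML_DEFAULT))  # dormant
    print(triage(jar, EHCACHE_XML_REST_ON))  # reachable
```

Run it against the real ehcache jar and the extension's ehcache.xml to document, for the corporate scanner exception, that the flagged bytes are present but the path to them is not enabled.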

It’s on our TODO list, but we really need more companies using Lucee to step up and properly support the project, to fund such ongoing work, not just $10 a month from a developer or “I’ll fund this one-off thing you need”.

If each company using Lucee would support the project with say their hourly charge out rate a month, it would make a really huge difference