Detecting vulnerabilities (CVEs)
You may detect which artifacts (Standard Jobs, Big Data Jobs, Routes) affected by Common Vulnerabilities and Exposures (CVEs) have been fixed since the latest Talend Studio update has been released.
Due to technical limitation:
- The CVEs for the jars with the Talend-specific groupIds org.talend.libraries cannot be detected.
- The CVEs for the jars used by Talend Studio but not by any component cannot be detected.
- The CVEs for the artifacts built as OSGI Bundle or Microservice in the report are not accurate.
Procedure
-
In the From Version field, select from which Talend Studio
update you want to compare and build the CVE report.
-
Click Generate CVE report.
The CVE detect wizard pops up, indicating that the CVE detect completed successfully. A CSV report file <timestamp>_<project-name>_CVE_Report.csv is generated under the directory <Talend-Studio>\workspace\report\CVEReport_<timestamp>, where <timestamp> designates when the report is generated and <project-name> designates the name of your project. Click Browse... to go to the directory.The table below describes the information presented in the report file.
Column name Description Status Can be: - Upgraded: The vulnerability has been fixed by upgrading the library to a new version
- Removed: The vulnerability has been fixed by removing the library from the component/distribution/studio plugin dependencies
Fix Version The update version when the CVE has been fixed. Example: R2022-03
Project Name Name of the project impacted by the Common Vulnerabilities and Exposures. Example: LOCAL_PROJECT
Item type Type of the artifact impacted by the Common Vulnerabilities and Exposures. Example: PROCESS
Item ID Identifier of the artifact impacted by the Common Vulnerabilities and Exposures. Example: _GXOmQFizEeiOq-rLS_Z-8g
Item Name Display name of the artifact impacted by the Common Vulnerabilities and Exposures. Example: MyVeryComplexJob
GAV with CVE The Maven Group, Artifact, Version (GAV) of the JAR file that has unsolved vulnerabilities. Example: org.apache.logging.log4j:log4j-core:2.13.2
GAV with CVE mitigated The Maven Group, Artifact, Version (GAV) of the JAR file that has fixed vulnerabilities. Example: org.apache.logging.log4j:log4j-core:2.17.1
UsedByTalendComponent Can be: - True: The GAV with CVE has been fixed in the listed components but is still used by Talend Studio somewhere else.
- False: The GAV with CVE has been completely removed from the Talend Studio component dependencies.
CVE-ID Identifier of the Common Vulnerabilities and Exposures. If not available, you will get CVE-NOT_DISCLOSED. Example: CVE-2021-44228
CVSS The CVSS (Common Vulnerability Scoring System) score for rating the severity of security vulnerabilities in software. It can be between 0.0 and 10.0, with 10.0 being the most severe. For more information about CVSS, see https://nvd.nist.gov/vuln-metrics/cvss. Component Names Name of the component impacted by the Common Vulnerabilities and Exposures. It can be the technical name used for code generation, or it can be studio if it impacts the whole Talend Studio. Comment Additional comments. You can also detect the fixed CVEs of your artifacts while building using CI. For more information, see Detecting the fixed vulnerabilities (CVEs) of your artifacts while building.