AutoMQ/automq-for-rocketmq Software Analysis Report

Basic Information

Project name: AutoMQ/automq-for-rocketmq

Project badge: Security Status

Repository URL: https://github.com/pterodactyl/panel

Scan report URL: https://www.murphysec.com/console/report/1730108651527426048/1730108652269817856

This report is provided by Murphysec.

Vulnerability List

Vulnerability name | Vulnerability type | MPS ID | CVE ID | Severity
Oracle MySQL security vulnerability | | MPS-2022-68687 | CVE-2023-22102 | High
Netty resource management error vulnerability | Allocation of resources without limits or throttling | MPS-9u07-bna1 | CVE-2023-34462 | Medium
Okio security vulnerability | Incorrect conversion between numeric types | MPS-a2tx-d4fb | CVE-2023-3635 | High
Hot Rod security vulnerability | Improper certificate validation | MPS-b7oj-adm3 | CVE-2023-4586 | High
CVE-2023-6378 vulnerability | | MPS-e8pm-na64 | CVE-2023-6378 | High
Bouncy Castle trust management vulnerability | Improper certificate validation | MPS-i6w7-d48e | CVE-2023-33201 | Medium
Guava creation of temporary file with insecure permissions | | MPS-mfku-xzh3 | CVE-2023-2976 | Medium

Vulnerable Components

Component name | Version | Minimum fixed version | Dependency type | Recommendation
io.netty:netty-handler | 4.1.94.Final | | Indirect dependency | Fix recommended
com.squareup.okio:okio | 2.8.0 | 3.4.0 | Indirect dependency | Fix recommended
io.netty:netty-handler | 4.1.100.Final | | Indirect dependency | Fix optional
com.mysql:mysql-connector-j | 8.1.0 | 8.2.0 | Direct dependency | Fix optional
com.google.guava:guava | 31.1-jre | 32.0.0-jre | Indirect dependency | Fix optional
ch.qos.logback:logback-classic | 1.2.9 | 1.3.12 | Indirect dependency | Fix optional
org.bouncycastle:bcprov-jdk15on | 1.69 | | Indirect dependency | Fix optional
ch.qos.logback:logback-core | 1.2.9 | 1.3.12 | Indirect dependency | Fix optional

License Risk

License type | Number of components | License risk
Apache-2.0 | 201 |
BSD-2-Clause | 1 |
GPL-2.0 | 1 |
EPL-1.0 | 2 |
MIT | 7 |
Custom license | 9 |
BSD-3-Clause | 4 |
LGPL-2.1 | 2 |
LGPL-2.1-or-later | 2 |
EPL-2.0 | 2 |
MPL-1.1 | 1 |

SBOM Inventory

Component name | Component version | Dependency type | Repository
io.openmessaging.storage:dledger | 0.3.1.2 | Indirect | maven
io.netty:netty-codec-redis | 4.1.100.Final | Indirect | maven
io.opentelemetry:opentelemetry-exporter-otlp-common | 1.32.0 | Indirect | maven
io.opentelemetry:opentelemetry-sdk-logs | 1.32.0 | Indirect | maven
com.github.luben:zstd-jni | 1.5.2-2 | Indirect | maven
io.grpc:grpc-api | 1.58.0 | Indirect | maven
io.netty:netty-codec | 4.1.94.Final | Indirect | maven
io.netty:netty-handler | 4.1.100.Final | Indirect | maven
io.grpc:grpc-core | | Indirect | maven
com.automq.rocketmq:rocketmq-store | 5.1.3-automq-0-SNAPSHOT | Direct | maven
com.alibaba:druid | 1.2.20 | Direct | maven
io.netty:netty-buffer | 4.1.100.Final | Direct | maven
io.grpc:grpc-util | 1.58.0 | Indirect | maven
org.apache.rocketmq:rocketmq-acl | 5.1.3 | Indirect | maven
com.fasterxml.jackson.core:jackson-databind | 2.16.0 | Direct | maven
software.amazon.awssdk:annotations | 2.20.127 | Indirect | maven
com.google.errorprone:error_prone_annotations | 2.18.0 | Indirect | maven
io.grpc:grpc-stub | 1.58.0 | Direct | maven
software.amazon.awssdk:aws-query-protocol | 2.20.127 | Indirect | maven
software.amazon.awssdk:json-utils | 2.20.127 | Indirect | maven
software.amazon.awssdk:third-party-jackson-core | 2.20.127 | Indirect | maven
commons-codec:commons-codec | 1.15 | Indirect | maven
org.apache.tomcat:annotations-api | 6.0.53 | Indirect | maven
com.squareup.okio:okio | 3.6.0 | Indirect | maven
net.javacrumbs.future-converter:future-converter-java8-common | 1.2.0 | Indirect | maven
io.opentelemetry:opentelemetry-api | 1.32.0 | Direct | maven
software.amazon.awssdk:regions | 2.20.127 | Indirect | maven
io.opentelemetry:opentelemetry-sdk-trace | 1.14.0 | Indirect | maven
com.conversantmedia:disruptor | 1.2.10 | Indirect | maven
org.jetbrains.kotlin:kotlin-stdlib | 1.9.10 | Indirect | maven
io.netty:netty-resolver-dns-native-macos | 4.1.100.Final | Indirect | maven
io.netty:netty-handler | 4.1.94.Final | Indirect | maven
commons-cli:commons-cli | 1.5.0 | Indirect | maven
io.netty:netty-transport-udt | 4.1.100.Final | Indirect | maven
org.apache.httpcomponents:httpcore | 4.4.13 | Indirect | maven
com.automq.rocketmq:rocketmq-proto | 5.1.3-automq-0-SNAPSHOT | Direct | maven
io.opentelemetry:opentelemetry-sdk-common | 1.14.0 | Indirect | maven
software.amazon.awssdk:profiles | 2.20.127 | Indirect | maven
org.rocksdb:rocksdbjni | 8.6.7 | Direct | maven
io.pyroscope:agent | 0.12.2 | Direct | maven
org.apache.rocketmq:rocketmq-common | 5.1.3 | Direct | maven
ch.qos.logback:logback-core | 1.2.9 | Indirect | maven
org.jetbrains:annotations | 13.0 | Indirect | maven
io.netty:netty-transport-sctp | 4.1.100.Final | Indirect | maven
org.slf4j:slf4j-api | 2.0.9 | Direct | maven
io.opentelemetry:opentelemetry-sdk-extension-autoconfigure-spi | 1.32.0 | Indirect | maven
io.opentelemetry:opentelemetry-exporter-otlp-common | 1.14.0 | Indirect | maven
org.apache.rocketmq:rocketmq-filter | 5.1.3 | Indirect | maven
org.apache.rocketmq:rocketmq-client | 5.1.3 | Indirect | maven
io.perfmark:perfmark-api | 0.26.0 | Indirect | maven
org.apache.rocketmq:rocketmq-tiered-store | 5.1.3 | Indirect | maven
com.automq.rocketmq:rocketmq-broker | 5.1.3-automq-0-SNAPSHOT | Direct | maven
com.google.android:annotations | 4.1.1.4 | Indirect | maven
io.opentelemetry:opentelemetry-exporter-otlp-metrics | 1.14.0 | Indirect | maven
org.slf4j:jul-to-slf4j | 2.0.6 | Indirect | maven
com.google.guava:listenablefuture | 9999.0-empty-to-avoid-conflict-with-guava | Indirect | maven
org.antlr:antlr4 | 4.5.1 | Indirect | maven
io.netty:netty-codec-memcache | 4.1.100.Final | Indirect | maven
com.google.guava:guava | 31.1-jre | Indirect | maven
software.amazon.awssdk:endpoints-spi | 2.20.127 | Indirect | maven
io.netty:netty-transport-native-epoll | 4.1.100.Final | Indirect | maven
io.grpc:grpc-protobuf-lite | 1.58.0 | Indirect | maven
com.alibaba:fastjson | 1.2.83 | Indirect | maven
org.antlr:antlr-runtime | 3.5.2 | Indirect | maven
io.opentelemetry:opentelemetry-sdk-common | 1.32.0 | Indirect | maven
io.github.aliyunmq:rocketmq-logback-classic | 1.0.1 | Indirect | maven
io.netty:netty-transport-classes-epoll | 4.1.94.Final | Indirect | maven
io.netty:netty-codec-dns | 4.1.100.Final | Indirect | maven
org.apache.httpcomponents:httpclient | 4.5.13 | Indirect | maven
com.google.protobuf:protobuf-java-util | 3.20.1 | Indirect | maven
org.apache.commons:commons-lang3 | 3.4 | Indirect | maven
org.reactivestreams:reactive-streams | 1.0.3 | Indirect | maven
net.javacrumbs.future-converter:future-converter-java8-guava | 1.2.0 | Indirect | maven
io.perfmark:perfmark-api | 0.25.0 | Indirect | maven
net.java.dev.jna:jna | 5.2.0 | Direct | maven
net.java.dev.jna:jna-platform-jpms | 5.13.0 | Indirect | maven
com.google.code.findbugs:jsr305 | 3.0.2 | Indirect | maven
commons-digester:commons-digester | 2.1 | Indirect | maven
software.amazon.awssdk:protocol-core | 2.20.127 | Indirect | maven
io.netty:netty-handler-ssl-ocsp | 4.1.100.Final | Indirect | maven
io.opentelemetry.instrumentation:opentelemetry-runtime-telemetry-java8 | 1.32.0-alpha | Indirect | maven
org.apache.rocketmq:rocketmq-store | 5.1.3 | Indirect | maven
software.amazon.awssdk:crt-core | 2.20.127 | Indirect | maven
software.amazon.awssdk:aws-xml-protocol | 2.20.127 | Indirect | maven
de.vandermeer:char-translation | 0.0.2 | Indirect | maven
com.automq.rocketmq:rocketmq-controller | 5.1.3-automq-0-SNAPSHOT | Direct | maven
io.netty:netty-transport | 4.1.100.Final | Indirect | maven
com.google.code.gson:gson | 2.10.1 | Direct | maven
com.google.flatbuffers:flatbuffers-java | 23.5.26 | Direct | maven
org.bouncycastle:bcprov-jdk15on | 1.69 | Indirect | maven
io.netty:netty-transport-classes-epoll | 4.1.100.Final | Indirect | maven
io.opentelemetry:opentelemetry-context | 1.32.0 | Indirect | maven
io.netty:netty-codec-mqtt | 4.1.100.Final | Indirect | maven
io.netty:netty-tcnative-boringssl-static | 2.0.53.Final | Direct | maven
io.opentelemetry:opentelemetry-exporter-sender-okhttp | 1.32.0 | Indirect | maven
io.netty:netty-transport-classes-kqueue | 4.1.100.Final | Indirect | maven
software.amazon.awssdk:arns | 2.20.127 | Indirect | maven
software.amazon.awssdk:metrics-spi | 2.20.127 | Indirect | maven
io.opentelemetry.instrumentation:opentelemetry-instrumentation-annotations | 1.32.0 | Direct | maven
org.apache.rocketmq:rocketmq-client-apis | 5.0.5 | Indirect | maven
com.google.protobuf:protobuf-java-util | 3.24.0 | Direct | maven
ch.qos.logback:logback-classic | 1.2.9 | Indirect | maven
io.opentelemetry:opentelemetry-semconv | 1.14.0-alpha | Indirect | maven
io.opentelemetry:opentelemetry-sdk | 1.32.0 | Direct | maven
org.roaringbitmap:RoaringBitmap | 1.0.0 | Direct | maven
software.amazon.awssdk:netty-nio-client | 2.20.127 | Indirect | maven
io.netty:netty-codec | 4.1.100.Final | Indirect | maven
org.apache.rocketmq:rocketmq-proxy | 5.1.3 | Direct | maven
io.opentelemetry:opentelemetry-extension-incubator | 1.32.0-alpha | Indirect | maven
io.grpc:grpc-services | 1.50.0 | Indirect | maven
net.javacrumbs.future-converter:future-converter-guava-common | 1.2.0 | Indirect | maven
io.opentelemetry.instrumentation:opentelemetry-oshi | 1.32.0-alpha | Direct | maven
org.apache.commons:commons-lang3 | 3.13.0 | Direct | maven
io.netty:netty-handler-proxy | 4.1.100.Final | Indirect | maven
io.netty:netty-common | 4.1.100.Final | Indirect | maven
org.apache.rocketmq:rocketmq-srvutil | 5.1.3 | Indirect | maven
net.javacrumbs.future-converter:future-converter-common | 1.2.0 | Indirect | maven
com.google.j2objc:j2objc-annotations | 1.3 | Indirect | maven
com.google.api.grpc:proto-google-common-protos | 2.22.0 | Indirect | maven
com.github.oshi:oshi-core-java11 | 6.4.7 | Direct | maven
com.fasterxml.jackson.core:jackson-core | 2.16.0 | Indirect | maven
org.apache.rocketmq:rocketmq-remoting | 5.1.3 | Indirect | maven
io.opentelemetry.instrumentation:opentelemetry-instrumentation-api | 1.32.0 | Indirect | maven
io.netty:netty-codec-stomp | 4.1.100.Final | Indirect | maven
io.github.aliyunmq:rocketmq-slf4j-api | 1.0.1 | Indirect | maven
org.mybatis:mybatis | 3.5.13 | Direct | maven
org.jetbrains.kotlin:kotlin-stdlib-jdk7 | 1.9.10 | Indirect | maven
io.netty:netty-codec-http | 4.1.100.Final | Indirect | maven
commons-logging:commons-logging | 1.2 | Indirect | maven
io.grpc:grpc-core | 1.58.0 | Indirect | maven
software.amazon.awssdk:auth | 2.20.127 | Indirect | maven
org.checkerframework:checker-qual | 3.12.0 | Indirect | maven
io.opentelemetry:opentelemetry-exporter-logging | 1.32.0 | Direct | maven
org.hamcrest:hamcrest | 2.1 | Indirect | maven
io.netty:netty-all | 4.1.100.Final | Direct | maven
commons-beanutils:commons-beanutils | 1.9.4 | Indirect | maven
io.opentelemetry:opentelemetry-sdk | 1.14.0 | Indirect | maven
io.grpc:grpc-stub | 1.50.0 | Indirect | maven
info.picocli:picocli | 4.7.5 | Direct | maven
com.squareup.okhttp3:okhttp | 4.9.3 | Indirect | maven
software.amazon.awssdk:http-client-spi | 2.20.127 | Indirect | maven
org.apache.commons:commons-lang3 | 3.12.0 | Indirect | maven
com.automq.rocketmq:rocketmq-metadata | 5.1.3-automq-0-SNAPSHOT | Direct | maven
commons-validator:commons-validator | 1.7 | Indirect | maven
io.netty:netty-transport-native-kqueue | 4.1.100.Final | Indirect | maven
software.amazon.awssdk:apache-client | 2.20.127 | Indirect | maven
org.apache.logging.log4j:log4j-slf4j2-impl | 2.20.0 | Direct | maven
software.amazon.awssdk:aws-core | 2.20.127 | Indirect | maven
io.netty:netty-codec-http | 4.1.94.Final | Indirect | maven
com.google.errorprone:error_prone_annotations | 2.20.0 | Indirect | maven
io.netty:netty-resolver | 4.1.100.Final | Indirect | maven
org.aspectj:aspectjrt | 1.9.20.1 | Direct | maven
io.grpc:grpc-netty-shaded | 1.50.0 | Indirect | maven
org.bouncycastle:bcutil-jdk15on | 1.69 | Indirect | maven
org.codehaus.mojo:animal-sniffer-annotations | 1.23 | Indirect | maven
io.grpc:grpc-protobuf | 1.50.0 | Indirect | maven
software.amazon.awssdk:s3 | 2.20.127 | Direct | maven
commons-codec:commons-codec | 1.13 | Indirect | maven
io.netty:netty-resolver-dns | 4.1.100.Final | Indirect | maven
com.fasterxml.jackson.core:jackson-annotations | 2.16.0 | Indirect | maven
org.aspectj:aspectjweaver | 1.9.20.1 | Direct | maven
com.google.protobuf:protobuf-java | 3.24.0 | Direct | maven
software.amazon.awssdk:utils | 2.20.127 | Indirect | maven
commons-io:commons-io | 2.7 | Indirect | maven
org.yaml:snakeyaml | 2.2 | Direct | maven
de.vandermeer:asciitable | 0.3.2 | Direct | maven
org.apache.logging.log4j:log4j-api | 2.20.0 | Direct | maven
com.google.guava:guava | 32.0.1-jre | Direct | maven
org.awaitility:awaitility | 4.1.0 | Indirect | maven
io.dropwizard.metrics:metrics-core | 4.2.0 | Direct | maven
com.automq.rocketmq:rocketmq-proxy | 5.1.3-automq-0-SNAPSHOT | Direct | maven
com.google.errorprone:error_prone_annotations | 2.14.0 | Indirect | maven
io.opentelemetry.instrumentation:opentelemetry-instrumentation-api-semconv | 1.32.0-alpha | Indirect | maven
io.opentelemetry:opentelemetry-sdk-logs | 1.14.0-alpha | Indirect | maven
io.opentelemetry:opentelemetry-sdk-trace | 1.32.0 | Indirect | maven
com.squareup.okio:okio-jvm | 3.6.0 | Direct | maven
org.jetbrains.kotlin:kotlin-stdlib-jdk8 | 1.9.10 | Indirect | maven
io.opentelemetry:opentelemetry-exporter-otlp | 1.32.0 | Direct | maven
io.netty:netty-transport-native-unix-common | 4.1.94.Final | Indirect | maven
io.opentelemetry.semconv:opentelemetry-semconv | 1.21.0-alpha | Indirect | maven
io.grpc:grpc-api | 1.50.0 | Indirect | maven
io.grpc:grpc-services | 1.58.0 | Direct | maven
io.netty:netty-codec-smtp | 4.1.100.Final | Indirect | maven
io.netty:netty-transport | 4.1.94.Final | Indirect | maven
io.opentelemetry:opentelemetry-api | 1.14.0 | Indirect | maven
com.automq.rocketmq:rocketmq-common | 5.1.3-automq-0-SNAPSHOT | Direct | maven
io.netty:netty-codec-haproxy | 4.1.100.Final | Indirect | maven
io.opentelemetry:opentelemetry-exporter-prometheus | 1.32.0-alpha | Direct | maven
org.apache.rocketmq:rocketmq-client-java-noshade | 5.0.5 | Direct | maven
io.netty:netty-transport-native-unix-common | 4.1.100.Final | Indirect | maven
io.opentelemetry:opentelemetry-api-events | 1.32.0-alpha | Indirect | maven
com.google.protobuf:protobuf-java-util | 3.21.7 | Indirect | maven
io.opentelemetry:opentelemetry-context | 1.14.0 | Indirect | maven
io.grpc:grpc-protobuf | 1.58.0 | Direct | maven
io.netty:netty-codec-http2 | 4.1.100.Final | Indirect | maven
io.opentelemetry.instrumentation:opentelemetry-runtime-telemetry-java17 | 1.32.0-alpha | Direct | maven
io.netty:netty-codec-http2 | 4.1.94.Final | Indirect | maven
com.google.api.grpc:proto-google-common-protos | 2.9.0 | Indirect | maven
org.lz4:lz4-java | 1.8.0 | Indirect | maven
io.opentelemetry.instrumentation:opentelemetry-instrumentation-annotations-support | 1.32.0-alpha | Direct | maven
de.vandermeer:ascii-utf-themes | 0.0.1 | Indirect | maven
io.netty:netty-resolver-dns-classes-macos | 4.1.100.Final | Indirect | maven
org.apache.commons:commons-collections4 | 4.4 | Direct | maven
com.squareup.okio:okio | 2.8.0 | Indirect | maven
com.mysql:mysql-connector-j | 8.1.0 | Direct | maven
io.netty:netty-transport-rxtx | 4.1.100.Final | Indirect | maven
io.opentelemetry:opentelemetry-sdk-metrics | 1.14.0 | Indirect | maven
com.googlecode.concurrentlinkedhashmap:concurrentlinkedhashmap-lru | 1.4.2 | Indirect | maven
com.automq.rocketmq:metadata-jdbc | 5.1.3-automq-0-SNAPSHOT | Direct | maven
io.netty:netty-codec-socks | 4.1.100.Final | Indirect | maven
org.apache.rocketmq:rocketmq-proto | 2.0.2 | Indirect | maven
software.amazon.awssdk:sdk-core | 2.20.127 | Indirect | maven
com.bucket4j:bucket4j-core | 8.5.0 | Direct | maven
de.vandermeer:skb-interfaces | 0.0.1 | Indirect | maven
io.grpc:grpc-protobuf-lite | 1.50.0 | Indirect | maven
com.squareup.okhttp3:okhttp | 4.12.0 | Indirect | maven
io.netty:netty-codec-xml | 4.1.100.Final | Indirect | maven
io.grpc:grpc-netty-shaded | 1.58.0 | Direct | maven
net.sourceforge.argparse4j:argparse4j | 0.9.0 | Direct | maven
io.grpc:grpc-context | 1.50.0 | Indirect | maven
io.opentelemetry:opentelemetry-exporter-common | 1.32.0 | Indirect | maven
org.jetbrains.kotlin:kotlin-stdlib-common | 1.9.10 | Indirect | maven
org.checkerframework:checker-qual | 3.33.0 | Indirect | maven
com.google.guava:failureaccess | 1.0.1 | Indirect | maven
io.grpc:grpc-context | 1.58.0 | Indirect | maven
net.java.dev.jna:jna-jpms | 5.13.0 | Indirect | maven
org.javassist:javassist | 3.20.0-GA | Indirect | maven
io.netty:netty-resolver | 4.1.94.Final | Indirect | maven
org.apache.logging.log4j:log4j-core | 2.20.0 | Direct | maven
com.google.j2objc:j2objc-annotations | 2.8 | Direct | maven
com.github.ben-manes.caffeine:caffeine | 2.9.3 | Indirect | maven
io.opentelemetry:opentelemetry-sdk-metrics | 1.32.0 | Indirect | maven
org.bouncycastle:bcpkix-jdk15on | 1.69 | Indirect | maven
software.amazon.eventstream:eventstream | 1.0.1 | Indirect | maven
com.automq.elasticstream:s3stream | 0.6.5-SNAPSHOT | Direct | maven
io.netty:netty-tcnative-classes | 2.0.53.Final | Indirect | maven
org.apache.rocketmq:rocketmq-broker | 5.1.3 | Indirect | maven
org.antlr:ST4 | 4.0.8 | Indirect | maven