Update README.md #4

Open: wants to merge 1 commit into master

Conversation

kavisuresh
Owner

No description provided.

@kavisuresh
Owner Author

IBM Cloud Continuous Delivery Bill of Materials

Download Bill of Materials Report: [JSON Format]

Bill of Materials Diff

Compare To: [Branch = master] [Commitid = a310cd4]

@kavisuresh
Owner Author

IBM Cloud Continuous Delivery Deployment Configuration Analysis

No configuration risks discovered

@kavisuresh
Owner Author

IBM Cloud Continuous Delivery Vulnerability Report

✅ Manifest File: db2/Dockerfile-ibmcom/db2express-c:latest

Vulnerability Data by Clair

No OS package vulnerabilities found

✅ Manifest File: result-app/Dockerfile-websphere-liberty:kernel

Vulnerability Data by Clair

No OS package vulnerabilities found

✅ Manifest File: voting-app/Dockerfile-ibmcom/wxs-client-liberty:latest

Vulnerability Data by Clair

No OS package vulnerabilities found

✅ Manifest File: worker/Dockerfile-ibmcom/ibmjava:sdk

Vulnerability Data by Clair

No OS package vulnerabilities found

✅ Manifest File: wxs_cat/Dockerfile-ibmcom/wxs:latest

Vulnerability Data by Clair

No OS package vulnerabilities found

✅ Manifest File: wxs_con/Dockerfile-ibmcom/wxs:latest

Vulnerability Data by Clair

No OS package vulnerabilities found

✅ Manifest File: voting-app/pom.xml

Vulnerability Data by Snyk

No application package vulnerabilities found

✅ Manifest File: worker/pom.xml

Vulnerability Data by Snyk

No application package vulnerabilities found

❌ Manifest File: result-app/pom.xml

Vulnerability Data by Snyk

Package Name: com.google.guava:guava Version : 18.0

Vulnerabilities
  1. ID: CVE-2020-8908
    Severity: medium
    Fixed in Version: 24.1.1-android
    Description: com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset), immutable collections, a graph library, functional types, an in-memory cache and more. Affected versions of this package are vulnerable to Information Disclosure. The file permissions on the file created by com.google.common.io.Files.createTempDir allow an attacker running a malicious program co-resident on the same machine to steal secrets stored in this directory. This is because by default on unix-like operating systems the /temp directory is shared between all users, so if the correct file permissions aren't set by the directory/file creator, the file becomes readable by all other users on that system.

  2. ID: CVE-2018-10237
    Severity: medium
    Fixed in Version: 24.1.1-android
    Description: com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset), immutable collections, a graph library, functional types, an in-memory cache and more. Affected versions of this package are vulnerable to Deserialization of Untrusted Data. During deserialization, two Guava classes accept a caller-specified size parameter and eagerly allocate an array of that size:

  • AtomicDoubleArray (when serialized with Java serialization)
  • CompoundOrdering (when serialized with GWT serialization)

An attacker may be able to send a specially crafted request which will then cause the server to allocate all its memory, without validating whether the data size is reasonable.
