
dromara / mendmix-cloud


Mendmix is positioned as a one-stop open-source solution for distributed development architecture and a technical foundation for cloud-native architecture. Mendmix provides fast integration of databases, caches, message middleware, distributed scheduled tasks, a security framework, a gateway, and the cloud services of the mainstream vendors. Built on Mendmix, a high-concurrency, high-availability microservice-based distributed architecture can be set up quickly without attending to the technical details.

Home Page: http://www.jeesuite.com/

License: Apache License 2.0

Java 100.00%
cloud-native distributed framework kafka mybatis redis security spring-web springboot springcloud

mendmix-cloud's People

Contributors

dependabot[bot], tansice, vakinge


mendmix-cloud's Issues

kafka commons

java.lang.RuntimeException: com.esotericsoftware.kryo.KryoException: Encountered unregistered class ID: 47
at com.jeesuite.common.serializer.KryoPoolSerializer.deserialize(KryoPoolSerializer.java:163) ~[jeesuite-common-1.1.0.jar:na]
at com.jeesuite.common.serializer.SerializeUtils.deserialize(SerializeUtils.java:37) ~[jeesuite-common-1.1.0.jar:na]
at com.jeesuite.kafka.serializer.KyroMessageDeserializer.deserialize(KyroMessageDeserializer.java:25) ~[jeesuite-kafka-1.1.0.jar:na]
at com.jeesuite.kafka.serializer.MessageDecoder.fromBytes(MessageDecoder.java:29) ~[jeesuite-kafka-1.1.0.jar:na]
at kafka.message.MessageAndMetadata.message(MessageAndMetadata.scala:32) ~[kafka_2.10-0.9.0-kafka-2.0.0.jar:na]
at com.jeesuite.kafka.consumer.OldApiTopicConsumer$MessageProcessor.run(OldApiTopicConsumer.java:193) ~[jeesuite-kafka-1.1.0.jar:na]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_121]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_121]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_121]
Caused by: com.esotericsoftware.kryo.KryoException: Encountered unregistered class ID: 47
at com.esotericsoftware.kryo.util.DefaultClassResolver.readClass(DefaultClassResolver.java:119) ~[kryo-2.24.0.jar:na]
at com.esotericsoftware.kryo.Kryo.readClass(Kryo.java:641) ~[kryo-2.24.0.jar:na]
at com.esotericsoftware.kryo.Kryo.readClassAndObject(Kryo.java:752) ~[kryo-2.24.0.jar:na]
at com.jeesuite.common.serializer.KryoPoolSerializer.deserialize(KryoPoolSerializer.java:161) ~[jeesuite-common-1.1.0.jar:na]
... 8 common frames omitted

Cryptographic API misuse detected

Hi, I am currently looking into projects on GitHub which are parametrically misusing cryptographic APIs for my research, and I came across a few instances in your project where I found such misuses. These misuses have been highlighted in research papers such as

In your source code file DES.java there are the following issues in encrypt(String, String):

  • At line 37
AlgorithmParameterSpec paramSpec = new IvParameterSpec(IV_PARAMS_BYTES);;

The first parameter should be properly randomized using java.security.SecureRandom API.

  • At line 36
Cipher cipher = Cipher.getInstance(ALGORITHM_DES);

The first parameter (with value "DES/CBC/PKCS5Padding") should be any of {AES, Blowfish, DESede, PBEWithHmacSHA224AndAES_128, PBEWithHmacSHA256AndAES_128, PBEWithHmacSHA384AndAES_128, PBEWithHmacSHA512AndAES_128, PBEWithHmacSHA224AndAES_256, PBEWithHmacSHA256AndAES_256, PBEWithHmacSHA384AndAES_256, PBEWithHmacSHA512AndAES_256, RSA}

  • Consequently at line 38
cipher.init(Cipher.ENCRYPT_MODE, secretKey,paramSpec);  

since "paramSpec" was not properly prepared due to the absence of randomization, the cipher.init() call here is compromised as well. The same issues were found in the function "decrypt(String, String)".

Next, in your source code file AES.java we found the following misuses:

  • At line 54 and 39
Cipher cipher = Cipher.getInstance("AES");  

The first parameter (with value "AES") should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}

Next, in your source code file SHA1.java we found the following misuses:

  • At line 40
MessageDigest md = MessageDigest.getInstance("SHA-1");

The first parameter (with value "SHA-1") should be any of {SHA-256, SHA-384, SHA-512}

Then, in your source code file DigestUtils.java we found the following misuses:

  • At line 37
MessageDigest md = MessageDigest.getInstance(MD5_NAME);

The first parameter (with value "MD5") should be any of {SHA-256, SHA-384, SHA-512}

I believe fixing these issues would help your product be more secure.

Dependency org.yaml:snakeyaml, leading to CVE problem

Hi, in /mendmix-cache there is a dependency org.yaml:snakeyaml:1.29 that calls the risk method.

CVE-2022-25857

The affected version range of this CVE is [0,1.31)

After further analysis, in this project the main API called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

CVE Bug Invocation Path : 
com.mendmix.cache.command.RedisBase: listDerialize(java.util.List)Ljava.util.List; .m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.13.3/jackson-annotations-2.13.3.jar
org.yaml.snakeyaml.Yaml$1: next()Ljava.lang.Object; .m2/repository/org/springframework/spring-context-support/5.2.9.RELEASE/spring-context-support-5.2.9.RELEASE.jar
org.yaml.snakeyaml.constructor.BaseConstructor: getData()Ljava.lang.Object; .m2/repository/org/springframework/spring-context-support/5.2.9.RELEASE/spring-context-support-5.2.9.RELEASE.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; .m2/repository/org/springframework/spring-context-support/5.2.9.RELEASE/spring-context-support-5.2.9.RELEASE.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree--

[INFO] com.mendmix:mendmix-cache:jar:1.4.2
[INFO] +- com.mendmix:mendmix-common:jar:1.4.2:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.4:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.13.3:compile
[INFO] |  +- com.esotericsoftware:kryo:jar:5.0.4:compile
[INFO] |  |  +- com.esotericsoftware:reflectasm:jar:1.11.9:compile
[INFO] |  |  +- org.objenesis:objenesis:jar:3.1:compile
[INFO] |  |  \- com.esotericsoftware:minlog:jar:1.3.1:compile
[INFO] |  +- org.yaml:snakeyaml:jar:1.29:compile
[INFO] |  \- net.sf.jmimemagic:jmimemagic:jar:0.1.5:compile
[INFO] |     +- commons-logging:commons-logging:jar:1.0.4:compile
[INFO] |     \- commons-io:commons-io:jar:2.1:compile
[INFO] +- com.mendmix:mendmix-spring:jar:1.4.2:compile
[INFO] |  +- org.springframework:spring-context:jar:5.3.18:compile
[INFO] |  +- org.springframework:spring-core:jar:5.3.18:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.3.18:compile
[INFO] |  +- org.springframework:spring-beans:jar:5.3.18:compile
[INFO] |  +- org.springframework:spring-tx:jar:5.3.18:compile
[INFO] |  +- org.springframework:spring-aop:jar:5.3.18:compile
[INFO] |  +- org.springframework:spring-expression:jar:5.3.18:compile
[INFO] |  \- org.springframework:spring-aspects:jar:5.3.18:compile
[INFO] |     \- org.aspectj:aspectjweaver:jar:1.9.7:compile
[INFO] +- redis.clients:jedis:jar:3.3.0:compile
[INFO] |  \- org.apache.commons:commons-pool2:jar:2.6.2:compile
[INFO] +- com.google.guava:guava:jar:30.1.1-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:3.8.0:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.5.1:compile
[INFO] |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] +- net.sf.ehcache:ehcache-core:jar:2.6.11:compile
[INFO] +- org.springframework.data:spring-data-redis:jar:2.3.4.RELEASE:compile
[INFO] |  +- org.springframework.data:spring-data-keyvalue:jar:2.3.4.RELEASE:compile
[INFO] |  |  \- org.springframework.data:spring-data-commons:jar:2.3.4.RELEASE:compile
[INFO] |  +- org.springframework:spring-oxm:jar:5.2.9.RELEASE:compile
[INFO] |  \- org.springframework:spring-context-support:jar:5.2.9.RELEASE:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.2:test
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:2.17.2:test
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.2:test
[INFO] +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] +- junit:junit:jar:4.13.3-SNAPSHOT:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] \- org.springframework:spring-test:jar:5.3.18:test

Suggested solutions:

Update dependency version

Thank you very much.

Ways of determining spring.profiles.active

https://github.com/vakinge/jeesuite-libs/blob/c3811360bd55f6aa5bfc983782725b5ab16b9f2a/jeesuite-common/src/main/java/com/jeesuite/common/util/ResourceUtils.java#L176

Besides being specified in a configuration file, spring.profiles.active can also be set in the following ways:

  • System.setProperty("spring.profiles.active", "xxx")
  • the run argument -Dspring.profiles.active=xxx
  • the run argument --spring.profiles.active=xxx
  • the system environment variable SPRING_PROFILES_ACTIVE

All of these should be taken into account.
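The sources listed in the issue can be checked in one place. The class below is an added example, not code from jeesuite-libs or mendmix-cloud; it resolves spring.profiles.active in the order Spring Boot documents for externalized configuration (command-line argument, then JVM system property, then OS environment variable, then the configuration file), with every source passed in explicitly so the logic can be exercised without touching the real process environment. The class and method names are illustrative.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Properties;

/**
 * Added example (not part of mendmix-cloud / jeesuite-libs): resolves
 * spring.profiles.active from the sources named in the issue, highest
 * precedence first, mirroring Spring Boot's documented property order.
 */
public final class ActiveProfileResolver {

    static final String PROPERTY = "spring.profiles.active";
    static final String ENV_VAR = "SPRING_PROFILES_ACTIVE";
    static final String CLI_PREFIX = "--" + PROPERTY + "=";

    private ActiveProfileResolver() {}

    /** Reads the real program arguments, system properties and environment. */
    public static Optional<String> resolve(String[] args, Properties configFile) {
        return resolve(args, System.getProperties(), System.getenv(), configFile);
    }

    /** Core with every source injected, so it can be checked against constructed inputs. */
    public static Optional<String> resolve(String[] args, Properties systemProps,
                                           Map<String, String> env, Properties configFile) {
        // 1. --spring.profiles.active=xxx passed as a program argument
        if (args != null) {
            for (String arg : args) {
                if (arg.startsWith(CLI_PREFIX)) {
                    Optional<String> fromArg = nonBlank(arg.substring(CLI_PREFIX.length()));
                    if (fromArg.isPresent()) {
                        return fromArg;
                    }
                }
            }
        }
        // 2. -Dspring.profiles.active=xxx on the JVM command line, or System.setProperty(...) at runtime
        Optional<String> fromSystem = nonBlank(systemProps.getProperty(PROPERTY));
        if (fromSystem.isPresent()) {
            return fromSystem;
        }
        // 3. SPRING_PROFILES_ACTIVE environment variable (the relaxed form of the property name)
        Optional<String> fromEnv = nonBlank(env.get(ENV_VAR));
        if (fromEnv.isPresent()) {
            return fromEnv;
        }
        // 4. value read from application.properties / application.yml
        return nonBlank(configFile == null ? null : configFile.getProperty(PROPERTY));
    }

    private static Optional<String> nonBlank(String value) {
        if (value == null || value.trim().isEmpty()) {
            return Optional.empty();
        }
        return Optional.of(value.trim());
    }

    public static void main(String[] args) {
        // Constructed stand-ins for the four sources.
        Properties fileProps = new Properties();
        fileProps.setProperty(PROPERTY, "dev");
        Properties sys = new Properties();
        sys.setProperty(PROPERTY, "test");
        Map<String, String> env = Map.of(ENV_VAR, "staging");

        System.out.println(resolve(new String[] {"--spring.profiles.active=prod"}, sys, env, fileProps));
        System.out.println(resolve(new String[0], sys, env, fileProps));
        System.out.println(resolve(new String[0], new Properties(), env, fileProps));
        System.out.println(resolve(new String[0], new Properties(), Map.of(), fileProps));
    }
}
```

The four calls in main each remove one higher-precedence source, so the output walks down the order from the program argument to the configuration file. Reading only the configuration file, as the linked ResourceUtils line does, would miss the first three.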

common2 Excel reading problem

Hello, when I use this to read a spreadsheet, if the content of a cell contains an ASCII colon, that cell is split into two cells on the same row, and the data read out at the end is garbled. How can this case be handled in code?
