Dependency org.apache.httpcomponents:httpclient, leading to CVE problem #122

Open
CVEDetect opened this issue Nov 4, 2022 · 0 comments

Hi, in onebusaway-nyc-transit-data-federation/, there is a dependency org.apache.httpcomponents:httpclient:4.3.6 that calls the risk method.

CVE-2020-13956

The affected version range of this CVE is [,4.5.13).

After further analysis, in this project, the main API called is org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost

Risk method repair link: GitHub

CVE Bug Invocation Path:

Path Length: 4

org.onebusaway.nyc.transit_data_federation.impl.nyc.ApcIntegrationServiceImpl$RawCountWebServicePollerThread:getFeed()Ljava.util.Map; .m2/repository/com/fasterxml/jackson/datatype/jackson-datatype-joda/2.9.0/jackson-datatype-joda-2.9.0.jar
org.apache.http.impl.client.DecompressingHttpClient:execute(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpResponse; .m2/repository/com/fasterxml/jackson/datatype/jackson-datatype-joda/2.9.0/jackson-datatype-joda-2.9.0.jar
org.apache.http.impl.client.DecompressingHttpClient:getHttpHost(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpHost; .m2/repository/com/fasterxml/jackson/datatype/jackson-datatype-joda/2.9.0/jackson-datatype-joda-2.9.0.jar
org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;

Dependency tree:

[INFO] org.onebusaway:onebusaway-nyc-transit-data-federation:jar:2.33.0
[INFO] +- org.onebusaway:onebusaway-transit-data-federation:jar:2.0.36.16.1-cs-nyc:compile
[INFO] |  +- org.onebusaway:onebusaway-container:jar:2.0.36.16.1-cs-nyc:compile
[INFO] |  |  +- org.onebusaway:onebusaway-collections:jar:1.1.2:compile
[INFO] |  |  +- net.sf.ehcache:ehcache:jar:2.10.3:compile
[INFO] |  |  +- org.hibernate:hibernate-core:jar:5.2.2.Final:compile
[INFO] |  |  |  +- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
[INFO] |  |  |  +- org.hibernate.javax.persistence:hibernate-jpa-2.1-api:jar:1.0.0.Final:compile
[INFO] |  |  |  +- org.javassist:javassist:jar:3.20.0-GA:compile
[INFO] |  |  |  +- antlr:antlr:jar:2.7.7:compile
[INFO] |  |  |  +- org.apache.geronimo.specs:geronimo-jta_1.1_spec:jar:1.1.1:compile
[INFO] |  |  |  +- org.jboss:jandex:jar:2.0.0.Final:compile
[INFO] |  |  |  +- com.fasterxml:classmate:jar:1.3.0:compile
[INFO] |  |  |  +- dom4j:dom4j:jar:1.6.1:compile
[INFO] |  |  |  +- org.hibernate.common:hibernate-commons-annotations:jar:5.0.1.Final:compile
[INFO] |  |  |  \- javax.enterprise:cdi-api:jar:1.1:compile
[INFO] |  |  |     +- javax.el:el-api:jar:2.2:compile
[INFO] |  |  |     \- org.jboss.spec.javax.interceptor:jboss-interceptors-api_1.1_spec:jar:1.0.0.Beta1:compile
[INFO] |  |  +- org.hibernate:hibernate-ehcache:jar:5.2.2.Final:compile
[INFO] |  |  +- commons-dbcp:commons-dbcp:jar:1.4:compile
[INFO] |  |  |  \- commons-pool:commons-pool:jar:1.5.4:compile
[INFO] |  |  +- org.springframework:spring-beans:jar:5.2.20.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-context:jar:5.2.20.RELEASE:compile
[INFO] |  |  |  \- org.springframework:spring-expression:jar:5.2.20.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-jdbc:jar:5.2.20.RELEASE:compile
[INFO] |  |  |  \- org.springframework:spring-tx:jar:5.2.20.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-orm:jar:5.2.20.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-context-support:jar:5.2.20.RELEASE:compile
[INFO] |  |  +- org.aspectj:aspectjrt:jar:1.7.3:compile
[INFO] |  |  +- org.aspectj:aspectjweaver:jar:1.7.3:compile
[INFO] |  |  +- org.springframework:spring-web:jar:5.2.20.RELEASE:compile
[INFO] |  |  \- javax.annotation:javax.annotation-api:jar:1.3.1:compile
[INFO] |  +- org.onebusaway:onebusaway-util:jar:2.0.36.16.1-cs-nyc:compile
[INFO] |  |  +- org.apache.commons:commons-compress:jar:1.18:compile
[INFO] |  |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  |  +- com.brsanthu:google-analytics-java:jar:1.1.2:compile
[INFO] |  |  \- org.apache.httpcomponents:httpclient:jar:4.3.6:compile
[INFO] |  |     +- org.apache.httpcomponents:httpcore:jar:4.3.3:compile
[INFO] |  |     \- commons-codec:commons-codec:jar:1.6:compile
[INFO] |  +- org.onebusaway:onebusaway-transit-data:jar:2.0.36.16.1-cs-nyc:compile
[INFO] |  |  \- org.onebusaway:onebusaway-federations:jar:2.0.36.16.1-cs-nyc:compile
[INFO] |  |     \- com.caucho:hessian:jar:4.0.38:compile
[INFO] |  +- org.onebusaway:onebusaway-realtime-api:jar:2.0.36.16.1-cs-nyc:compile
[INFO] |  +- org.onebusaway:onebusaway-siri-core:jar:1.0.6:compile
[INFO] |  |  +- org.onebusaway:onebusaway-siri-api-v10:jar:1.0.1:compile
[INFO] |  |  +- com.google.inject:guice:jar:3.0:compile
[INFO] |  |  |  +- javax.inject:javax.inject:jar:1:compile
[INFO] |  |  |  \- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  |  \- org.onebusaway:onebusaway-guice-jsr250:jar:1.0.2:compile
[INFO] |  +- org.onebusaway:onebusaway-siri-api-v13:jar:1.0.1:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.12.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.0:compile
[INFO] |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.12.0:compile
[INFO] |  |  \- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.12.0:compile
[INFO] |  +- colt:colt:jar:1.0.3:compile
[INFO] |  +- com.thoughtworks.xstream:xstream:jar:1.4.19:compile
[INFO] |  |  \- io.github.x-stream:mxparser:jar:1.2.2:compile
[INFO] |  |     \- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] |  +- commons-net:commons-net:jar:ftp:2.0:compile
[INFO] |  +- org.onebusaway:onebusaway-gtfs-realtime-api:jar:1.2.16:compile
[INFO] |  |  \- com.google.transit:gtfs-realtime-bindings:jar:0.0.4:compile
[INFO] |  +- org.springframework:spring-test:jar:5.2.20.RELEASE:compile
[INFO] |  +- org.apache.lucene:lucene-core:jar:7.1.0:compile
[INFO] |  +- org.apache.lucene:lucene-queryparser:jar:7.1.0:compile
[INFO] |  |  +- org.apache.lucene:lucene-queries:jar:7.1.0:compile
[INFO] |  |  \- org.apache.lucene:lucene-sandbox:jar:7.1.0:compile
[INFO] |  +- org.apache.lucene:lucene-analyzers-common:jar:7.1.0:compile
[INFO] |  +- com.google.guava:guava:jar:29.0-jre:compile
[INFO] |  |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  |  +- org.checkerframework:checker-qual:jar:2.11.1:compile
[INFO] |  |  +- com.google.errorprone:error_prone_annotations:jar:2.3.4:compile
[INFO] |  |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] |  +- com.camsys.transit:gtfs-servicechange-bindings:jar:0.3.0:compile
[INFO] |  |  \- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.7.4:compile
[INFO] |  +- org.glassfish.jaxb:jaxb-runtime:jar:2.3.3:compile
[INFO] |  |  +- org.glassfish.jaxb:txw2:jar:2.3.3:compile
[INFO] |  |  \- com.sun.istack:istack-commons-runtime:jar:3.0.11:compile
[INFO] |  \- com.jcraft:jsch:jar:0.1.53:compile
[INFO] +- org.hsqldb:hsqldb:jar:2.6.0:compile
[INFO] +- org.onebusaway:onebusaway-gtfs-hibernate-spring:jar:2.0.36.16.1-cs-nyc:compile
[INFO] |  \- org.onebusaway:onebusaway-gtfs-hibernate:jar:1.3.61.5-cs-nyc:compile
[INFO] |     \- mysql:mysql-connector-java:jar:5.1.48:compile
[INFO] +- com.google.protobuf:protobuf-java:jar:2.6.1:compile
[INFO] +- org.onebusaway:onebusaway-nyc-transit-data:jar:2.33.0:compile
[INFO] +- org.onebusaway:onebusaway-tcip-api-v30:jar:1.0.0:compile
[INFO] +- org.onebusaway:onebusaway-tcip-api-v40:jar:1.0.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.0:compile
[INFO] |  \- commons-io:commons-io:jar:1.4:compile
[INFO] +- org.onebusaway:onebusaway-nyc-queue-subscriber:jar:2.33.0:compile
[INFO] |  +- org.onebusaway:onebusaway-nyc-util:jar:2.33.0:compile
[INFO] |  |  \- org.geotools:gt-main:jar:23.0:compile
[INFO] |  |     +- org.geotools:gt-referencing:jar:23.0:compile
[INFO] |  |     |  +- org.ejml:ejml-ddense:jar:0.34:compile
[INFO] |  |     |  |  \- org.ejml:ejml-core:jar:0.34:compile
[INFO] |  |     |  +- org.geotools:gt-metadata:jar:23.0:compile
[INFO] |  |     |  |  +- org.geotools:gt-opengis:jar:23.0:compile
[INFO] |  |     |  |  |  \- systems.uom:systems-common-java8:jar:0.7.2:compile
[INFO] |  |     |  |  |     +- tec.uom:uom-se:jar:1.0.8:compile
[INFO] |  |     |  |  |     |  +- javax.measure:unit-api:jar:1.0:compile
[INFO] |  |     |  |  |     |  \- tec.uom.lib:uom-lib-common:jar:1.0.2:compile
[INFO] |  |     |  |  |     +- si.uom:si-quantity:jar:0.7.1:compile
[INFO] |  |     |  |  |     \- si.uom:si-units-java8:jar:0.7.1:compile
[INFO] |  |     |  |  \- org.geotools.ogc:net.opengis.ows:jar:23.0:compile
[INFO] |  |     |  |     +- org.geotools.ogc:org.w3.xlink:jar:23.0:compile
[INFO] |  |     |  |     +- org.eclipse.emf:org.eclipse.emf.common:jar:2.15.0:compile
[INFO] |  |     |  |     +- org.eclipse.emf:org.eclipse.emf.ecore:jar:2.15.0:compile
[INFO] |  |     |  |     \- org.eclipse.emf:org.eclipse.emf.ecore.xmi:jar:2.15.0:compile
[INFO] |  |     |  +- jgridshift:jgridshift-core:jar:1.2:compile
[INFO] |  |     |  |  \- javax:javaee-api:jar:7.0:compile
[INFO] |  |     |  |     \- com.sun.mail:javax.mail:jar:1.5.0:compile
[INFO] |  |     |  |        \- javax.activation:activation:jar:1.1:compile
[INFO] |  |     |  \- net.sf.geographiclib:GeographicLib-Java:jar:1.49:compile
[INFO] |  |     +- org.apache.commons:commons-text:jar:1.6:compile
[INFO] |  |     \- javax.media:jai_core:jar:1.1.3:compile
[INFO] |  +- org.springframework:spring-core:jar:5.2.20.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.2.20.RELEASE:compile
[INFO] |  +- org.springframework:spring-aop:jar:5.2.20.RELEASE:compile
[INFO] |  +- org.springframework:spring-aspects:jar:5.2.20.RELEASE:compile
[INFO] |  +- org.mule.com.github.stephenc.eaio-uuid:uuid:jar:3.4.2-MULE-001:compile
[INFO] |  +- org.onebusaway:onebusaway-nyc-queue-realtime:jar:2.33.0:compile
[INFO] |  \- org.onebusaway:onebusaway-gtfs:jar:1.3.61.5-cs-nyc:compile
[INFO] +- org.onebusaway:onebusaway-csv-entities:jar:1.1.6:compile
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.9.2:compile
[INFO] |  |  +- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] |  |  \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.5:compile
[INFO] +- com.google.code.gson:gson:jar:1.7.1:compile
[INFO] +- joda-time:joda-time:jar:2.9.5:compile
[INFO] +- org.zeromq:jeromq:jar:0.3.4:compile
[INFO] +- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.12.0:compile
[INFO] |  \- jakarta.activation:jakarta.activation-api:jar:1.2.1:compile
[INFO] +- junit:junit:jar:4.8.1:test
[INFO] +- org.mockito:mockito-all:jar:1.10.19:test
[INFO] +- org.onebusaway:onebusaway-siri-api-v20:jar:1.0.3:compile
[INFO] |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] |  \- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.8.1:compile
[INFO] +- org.locationtech.jts:jts-core:jar:1.16.1:compile
[INFO] +- org.onebusaway:onebusaway-geospatial:jar:2.0.36.16.1-cs-nyc:compile
[INFO] |  +- org.onebusaway:onebusaway-core:jar:2.0.36.16.1-cs-nyc:compile
[INFO] |  \- edu.washington.cs.rse:javaproj:jar:1.0.4:compile
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.17.1:runtime
[INFO] +- org.onebusaway:onebusaway-stif-transformer-impl:jar:1.5.0:compile
[INFO] |  +- net.lingala.zip4j:zip4j:jar:1.3.2:compile
[INFO] |  \- org.json:json:jar:20090211:compile
[INFO] +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
[INFO] +- com.sun.xml.bind:jaxb-impl:jar:2.3.3:runtime
[INFO] |  \- com.sun.activation:jakarta.activation:jar:1.2.2:runtime
[INFO] +- javax.xml.bind:jaxb-api:jar:2.3.1:compile
[INFO] |  \- javax.activation:javax.activation-api:jar:1.2.0:compile
[INFO] \- com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.9.0:compile

Suggested solutions:

Update dependency version

Thank you very much.
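As an added example (not code from the issue or the OneBusAway project): the chain the tree above shows, httpclient 4.3.6 arriving transitively through onebusaway-util, can be recovered automatically. The script parses `mvn dependency:tree` output, flags any org.apache.httpcomponents:httpclient inside the [,4.5.13) range the issue quotes, and reports the parent chain, which is what tells you where an override belongs; the sample tree is constructed, and `version_key` is a simplified stand-in for Maven's version ordering.

```python
# Added example (not from the issue or the OneBusAway project): scan `mvn dependency:tree`
# output for an artifact below a fixed version and report the parent chain that pulls it in.
import re

# Constructed sample in the shape of the tree quoted in the issue.
SAMPLE_TREE = """\
[INFO] org.onebusaway:onebusaway-nyc-transit-data-federation:jar:2.33.0
[INFO] +- org.onebusaway:onebusaway-transit-data-federation:jar:2.0.36.16.1-cs-nyc:compile
[INFO] |  +- org.onebusaway:onebusaway-util:jar:2.0.36.16.1-cs-nyc:compile
[INFO] |  |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  |  \\- org.apache.httpcomponents:httpclient:jar:4.3.6:compile
[INFO] |  |     \\- org.apache.httpcomponents:httpcore:jar:4.3.3:compile
[INFO] +- org.hsqldb:hsqldb:jar:2.6.0:compile
"""
# Tree-drawing prefix, then the Maven coordinates (no spaces inside them).
LINE = re.compile(r"^\[INFO\] (?P<prefix>[-|+\\ ]*)(?P<coords>\S+)$")

def parse_tree(text):
    """Return (depth, 'groupId:artifactId', version) for each tree row."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3     # each level is 3 chars wide
        parts = m.group("coords").split(":")
        # root is g:a:type:version; children are g:a:type[:classifier]:version:scope
        version = parts[-1] if len(parts) == 4 else parts[-2]
        rows.append((depth, f"{parts[0]}:{parts[1]}", version))
    return rows

def version_key(v):
    """Simplified Maven ordering (assumption): numeric parts, then qualifier."""
    nums, qual = [], []
    for tok in re.split(r"[.-]", v):
        if tok.isdigit() and not qual:
            nums.append(int(tok))
        else:
            qual.append(tok)
    return (nums, 0 if qual else 1, "-".join(qual))   # qualifier sorts below plain

def find_vulnerable(text, artifact, fixed_version):
    """Chains 'root -> ... -> artifact:version' for hits in [,fixed_version)."""
    stack, hits = [], []
    for depth, ga, version in parse_tree(text):
        del stack[depth:]                   # climb back to this row's parent
        stack.append(f"{ga}:{version}")
        if ga == artifact and version_key(version) < version_key(fixed_version):
            hits.append(" -> ".join(stack))
    return hits
```

Because httpclient is not declared directly here, the fix is a dependencyManagement entry (or an explicit dependency) for org.apache.httpcomponents:httpclient at 4.5.13 or later in the federation POM, after which re-running `mvn dependency:tree` should yield no chain from this script.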
