
owasp check failed

Open eduarddrenth opened this issue 1 year ago • 6 comments

My build shows:

[ERROR] protobuf-java-3.19.6.jar: CVE-2024-7254(8.699999809265137)

Can you please update this dependency?

eduarddrenth avatar Sep 20 '24 08:09 eduarddrenth

This will be in the next release

AngledLuffa avatar Sep 24 '24 20:09 AngledLuffa

Some more: lucene CVE-2024-45772 and javax.json CVE-2023-7272.

For lucene dep I use version 9.12.0 now with stanford, seems to be working fine (but all I do is return new Sentence(form).lemmas(); so I might never touch lucene)

eduarddrenth avatar Oct 07 '24 10:10 eduarddrenth

if i update javax.json to

https://repo1.maven.org/maven2/org/glassfish/jakarta.json/1.1.6/

do you know if that will solve your problems with that library? i have no idea what effect updating to 2.... would have

AngledLuffa avatar Oct 08 '24 23:10 AngledLuffa

the lucene stuff is for a specific package which we're not sure too many people use (@manning wants me to delete it entirely)

AngledLuffa avatar Oct 08 '24 23:10 AngledLuffa

for lucene, what about the 7.7.3 series? again i feel wary bumping the major version number without actually knowing anything about the package that uses it

https://mvnrepository.com/artifact/org.apache.lucene/lucene-core/7.7.3

but if that still has security problems then i guess it's time to do something bigger

AngledLuffa avatar Oct 08 '24 23:10 AngledLuffa

Perhaps, but I think that version has the vulnerability as well. There will probably be some impact here. But it could be that the way Stanford uses lucene doesn't expose the vulnerability.

On Wed 9 Oct 2024 01:53 John Bauer @.***> wrote:

for lucene, what about the 7.7.3 series? again i feel wary bumping the major version number without actually knowing anything about the package that uses it

https://mvnrepository.com/artifact/org.apache.lucene/lucene-core/7.7.3

but if that still has security problems then i guess it's time to do something bigger


eduarddrenth avatar Oct 09 '24 04:10 eduarddrenth

So, it turns out we can't upgrade to any version of Lucene that doesn't have this issue without moving to Java 11. We're going to move to a more modern version of Java this summer, but in the meantime, the solution we took was to remove the patterns project and make one more CoreNLP release without it. If people get annoyed at its absence, we'll bring it back for the Java 11 release.

AngledLuffa avatar Jun 06 '25 07:06 AngledLuffa

Thanks, I'll have a look at it

eduarddrenth avatar Jun 06 '25 11:06 eduarddrenth

just tested, owasp 12.1.0, release 4.5.9 improves, I only have to include these exclusions now:

                <exclusions>
                    <exclusion>
                        <groupId>com.apple</groupId>
                        <artifactId>AppleJavaExtensions</artifactId>
                    </exclusion>
                    <exclusion>
                        <groupId>xom</groupId>
                        <artifactId>xom</artifactId>
                    </exclusion>
                </exclusions>

eduarddrenth avatar Jun 06 '25 13:06 eduarddrenth
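A complete pom.xml fragment that places the two exclusions above next to an OWASP dependency-check plugin configuration, added here as an illustration rather than code from the thread or from the CoreNLP project. The artifact coordinates and the two exclusions follow the thread; the plugin version, the CVSS fail threshold and the suppression-file path are assumptions.

```xml
<!-- Added example, not from the thread or from CoreNLP. Assumptions: the
     dependency-check plugin version, the failBuildOnCVSS threshold and the
     suppression-file path. Coordinates and exclusions follow the thread. -->
<project>
  <dependencies>
    <dependency>
      <groupId>edu.stanford.nlp</groupId>
      <artifactId>stanford-corenlp</artifactId>
      <version>4.5.9</version>
      <exclusions>
        <!-- transitive artifacts the scan flagged and this build does not use -->
        <exclusion>
          <groupId>com.apple</groupId>
          <artifactId>AppleJavaExtensions</artifactId>
        </exclusion>
        <exclusion>
          <groupId>xom</groupId>
          <artifactId>xom</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <!-- version assumed; pin whatever release you have validated -->
        <version>12.1.0</version>
        <configuration>
          <!-- fail on any finding scoring 7.0 or higher; the default (11) never fails -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- accepted findings are recorded in a reviewed file, not silently ignored -->
          <suppressionFiles>
            <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
          </suppressionFiles>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in place, `mvn verify` runs the `check` goal, and a finding such as the protobuf CVE reported at the top of the thread (scored 8.7) fails the build instead of only being listed. An exclusion removes the artifact from the classpath entirely, so it is only safe when no code path you exercise loads classes from it; for a build that only calls `new Sentence(form).lemmas()`, as above, that is plausible, but it is worth confirming with your own tests rather than assuming it.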

Sounds good.

There's also a Xerces vulnerability listed, but not much we can do about that for now:

https://ossindex.sonatype.org/vulnerability/CVE-2017-10355?component-type=maven&component-name=xerces%2FxercesImpl&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0

Anyway, I posted a version which will hopefully show up soon on Maven and has no lucene dependency, so maybe that will help too.

AngledLuffa avatar Jun 07 '25 02:06 AngledLuffa
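For a finding like the Xerces one, where upstream says no fix is available for now, a dependency-check suppression file lets the build pass while keeping a record of the accepted risk. The file below is an added example, not part of the thread or of CoreNLP; the expiry date and the wording of the note are assumptions, and the CVE and artifact are the ones named in the comment above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread or from CoreNLP. The expiry date and the
     note text are assumptions; the CVE and artifact come from the thread. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- "until" makes the suppression expire, so the finding resurfaces for review -->
  <suppress until="2026-06-30Z">
    <notes><![CDATA[
      CVE-2017-10355 in xercesImpl, pulled in transitively by stanford-corenlp.
      Upstream reports no fix available for now; revisit when CoreNLP moves to Java 11.
    ]]></notes>
    <!-- scope to this artifact AND this CVE, so the same CVE in another artifact still fails -->
    <packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
    <cve>CVE-2017-10355</cve>
  </suppress>
</suppressions>
```

Point the plugin at this file through `suppressionFiles` in the pom. Scoping the entry to both the package URL and the CVE is deliberate: a bare `<cve>` entry would hide that CVE wherever it appears, and a bare package entry would hide every future finding in that artifact.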