
Resolve security warning of Saxon-HE for commons-codec usage

Open romani opened this issue 3 years ago • 0 comments

https://snyk.io/test/github/checkstyle/checkstyle?targetFile=pom.xml

Information Exposure

    Vulnerable module: commons-codec:commons-codec
    Introduced through: net.sf.saxon:[email protected]

Detailed paths

    Introduced through: checkstyle/checkstyle@checkstyle/checkstyle#993733357459770ceb6f86874fea3b42698f675d › net.sf.saxon:[email protected] › org.xmlresolver:[email protected] › org.apache.httpcomponents:[email protected] › commons-codec:[email protected]

Overview

[commons-codec:commons-codec](https://commons.apache.org/proper/commons-codec) is a package that contains simple encoders and decoders for various formats such as Base64 and Hexadecimal.

Affected versions of this package are vulnerable to Information Exposure. When there is no byte array value that can be encoded into a string, the Base32 implementation does not reject it, and instead decodes it into an arbitrary value which can be re-encoded again using the same implementation. This allows for information exposure exploits such as tunneling additional information via seemingly valid base 32 strings.

Can we try to exclude org.xmlresolver:xmlresolver when we import the Saxon-HE dependency?

romani avatar Jul 27 '22 14:07 romani
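The Snyk text quoted in the issue is compressed. The concrete weakness is that RFC 4648 Base32 leaves one to four bits of the final symbol unused whenever the input length is not a multiple of five bytes; canonical output sets those bits to zero, and a lenient decoder ignores whatever is in them instead of rejecting the string, so two different "valid" strings decode to the same bytes and the difference is a covert channel. The block below is an added example, not code from the checkstyle project, from Snyk or from commons-codec. It is written in Python because the standard-library `base64.b32decode` exhibits the same lenient behaviour the advisory describes, which lets the channel be demonstrated offline; the function names `smuggle`, `recover_hidden`, `strict_b32decode`, `lenient_b32decode` and `is_canonical` are chosen here, and the payloads are constructed test data.

```python
"""Added example: the Base32 trailing-bit covert channel and a strict decoder.

Python's base64.b32decode silently discards the unused low bits of the final
symbol, the lenient behaviour the advisory describes, so it stands in for the
vulnerable Java decoder here.  All payloads are constructed test data.
"""
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # RFC 4648 section 6
DECODE_MAP = {c: i for i, c in enumerate(ALPHABET)}

# Number of '=' pad characters in the final 8-symbol quantum -> number of low
# bits of the last data symbol that carry no payload.  Canonical encoders set
# them to zero; a lenient decoder never looks at them.
SPARE_BITS = {0: 0, 6: 2, 4: 4, 3: 1, 1: 3}


def lenient_b32decode(text: str) -> bytes:
    """The stdlib decoder: ignores the spare bits, which is the bug under discussion."""
    return base64.b32decode(text)


def strict_b32decode(text: str) -> bytes:
    """Decode RFC 4648 Base32, rejecting anything that is not canonical."""
    if len(text) % 8:
        raise ValueError("length is not a multiple of 8")
    body = text.rstrip("=")
    pad = len(text) - len(body)
    if pad not in SPARE_BITS or "=" in body:
        raise ValueError("invalid padding")
    out = bytearray()
    for i in range(0, len(body), 8):
        chunk = body[i:i + 8]
        acc = 0
        for ch in chunk:
            if ch not in DECODE_MAP:
                raise ValueError(f"non-alphabet symbol {ch!r}")
            acc = (acc << 5) | DECODE_MAP[ch]
        nbits = 5 * len(chunk)
        nbytes = nbits // 8          # whole bytes carried by this chunk
        spare = nbits - 8 * nbytes   # bits that must be zero in canonical input
        if acc & ((1 << spare) - 1):
            raise ValueError("non-zero trailing bits (non-canonical input)")
        out += (acc >> spare).to_bytes(nbytes, "big")
    return bytes(out)


def is_canonical(text: str) -> bool:
    """Cheap check that works with any lenient library: re-encode and compare."""
    try:
        return base64.b32encode(base64.b32decode(text)).decode("ascii") == text
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def smuggle(payload: bytes, hidden: int) -> str:
    """Encode payload, then hide `hidden` in the unused bits of the last symbol.

    A lenient decoder still returns `payload`; a strict one rejects the string.
    """
    canonical = base64.b32encode(payload).decode("ascii")
    body = canonical.rstrip("=")
    pad = len(canonical) - len(body)
    spare = SPARE_BITS[pad]
    if spare == 0:
        raise ValueError("payload length is a multiple of 5: no spare bits")
    if not 0 <= hidden < (1 << spare):
        raise ValueError(f"hidden value must fit in {spare} bits")
    last = DECODE_MAP[body[-1]] | hidden   # canonical low bits are zero, so OR is safe
    return body[:-1] + ALPHABET[last] + "=" * pad


def recover_hidden(text: str) -> int:
    """Read the covert bits back out of a string produced by smuggle()."""
    body = text.rstrip("=")
    spare = SPARE_BITS[len(text) - len(body)]
    return DECODE_MAP[body[-1]] & ((1 << spare) - 1)


if __name__ == "__main__":
    cover = smuggle(b"f", 0b01)             # "MZ======" where "MY======" is canonical
    print(cover, lenient_b32decode(cover))  # lenient decoder returns b'f' without complaint
    print(is_canonical(cover))              # False: re-encoding gives "MY======"
    print(recover_hidden(cover))            # 1: the smuggled bit comes back out
    try:
        strict_b32decode(cover)
    except ValueError as exc:
        print("strict decoder:", exc)
```

The `is_canonical` round trip (decode, re-encode, compare) is the practical check when a library cannot be replaced: it catches exactly the non-canonical strings the advisory describes. For the dependency question in the issue itself, the exposure is only reachable if something on that transitive path actually decodes attacker-controlled Base32; a Maven `<exclusion>` on the transitive artifact removes the classes from the classpath, while pinning `commons-codec` in `<dependencyManagement>` keeps the functionality and changes only the version.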