Bouncycastle vulnerabilities
Due to many vulnerabilities found in v.1.69, can you please upgrade that dependency to 1.78.1?
This is a critical issue from the security perspective; we have a number of libraries already upgraded to the latest version, but docusign fails with that latest version.
https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on/1.69
Hi @mariuszpala, thanks for notifying us about these. I'll let the dev team know about your request and they should follow up with an update.
Hi @mariuszpala, you can expect the fix to be there as RC version sometime next week on Maven.
Hi @mariuszpala,
Happy to report that the fix is now included in the latest docusign-esign-java SDK:
https://central.sonatype.com/artifact/com.docusign/docusign-esign-java.
Please check and revert so that we can close this github issue.
Thanks, Vinay
Thank you, there is one issue left. In Maven this project has no dependencies although there are many required; why doesn't the POM define any?
https://mvnrepository.com/artifact/com.docusign/docusign-esign-java/5.1.0
The list of dependencies that the library depends on should rather be defined in pom.xml, and it also includes outdated versions of libraries, e.g. java-jwt is already at 4.4 but the library depends on v3.4.1. https://mvnrepository.com/artifact/com.auth0/java-jwt/4.4.0
Hi @mariuszpala
Query 1:
Thank you, there is one issue left. In Maven this project has no dependencies although there are many required; why doesn't the POM define any?
The absence of explicit dependencies in the POM file is due to the use of the Maven Shade Plugin in our build process. This plugin is responsible for creating an uber-jar that includes all required dependencies bundled into a single JAR file. As a result, dependencies are not listed directly in the POM file but are instead incorporated into the shaded JAR. This approach simplifies deployment and ensures that all necessary dependencies are included in the final artifact.
Query 2:
The list of dependencies that the library depends on should rather be defined in pom.xml, and it also includes outdated versions of libraries, e.g., java-jwt is already at 4.4 but the library depends on v3.4.1.
We rely on the OWASP Dependency Check plugin to assess vulnerabilities, and it currently classifies the version 3.4.1 of java-jwt as non-vulnerable. Additionally, we have verified this through Sonatype and Snyk, and both tools also indicate that version 3.4.1 does not have known vulnerabilities. For further details, you can refer to the following links:
Hope this clarifies your queries.
Please confirm the same so that we can continue to close this issue.
Thank you, Vinay
Hi @mariuszpala,
We haven't heard back from you regarding the resolution provided for this issue. As it has been some time without any response, we will be closing this issue for now.
If you have any further questions or if the problem persists, please feel free to reopen this issue or create a new one. We're always here to help!
Thank you for your understanding.
Best regards, Vinay C
Hi,
Concerning Query 1:
If you create a shaded JAR, is it available in Maven then? Because it is a bit problematic at the moment. We can reference the jar file, but we have no clue what the dependencies are and which are required; referencing the shaded jar via some custom Maven classifier would help us here significantly. Also, the Maven build process does not interfere with the dependencies, which can stay in the pom, and that would be the ideal solution for us.
Concerning Query 2:
We rely on the OWASP Dependency Check plugin to assess vulnerabilities, and it currently classifies the version 3.4.1 of java-jwt as non-vulnerable.
It indeed doesn't, but its dependencies do - just see the screenshot I attached - it uses a highly vulnerable jackson-databind version:
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.9.7
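As an added example (not code from the DocuSign SDK or from anyone in this thread), the Python script below inventories what a shaded jar actually bundles by reading the META-INF/maven/*/pom.properties files the Shade plugin carries along for each merged dependency, and flags bundled versions below a required floor; the sample jar is constructed inline, and the bcprov floor of 1.78.1 is the version requested at the top of the thread.

```python
import io
import sys
import zipfile
from typing import Dict, Tuple

Coord = Tuple[str, str]  # (groupId, artifactId)


def bundled_artifacts(jar) -> Dict[Coord, str]:
    """Map (groupId, artifactId) -> version for every Maven pom.properties inside the jar.

    When the published POM lists no dependencies, these files are the remaining record of
    what an uber-jar contains. `jar` may be a filesystem path or a file-like object.
    """
    found: Dict[Coord, str] = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"}.issubset(props):
                found[(props["groupId"], props["artifactId"])] = props["version"]
    return found


def _vtuple(version: str) -> Tuple[int, ...]:
    # Numeric-only ordering: fine for x.y.z releases, ignores qualifiers such as -rc1.
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def below_floor(found: Dict[Coord, str], floors: Dict[Coord, str]) -> Dict[Coord, Tuple[str, str]]:
    """Return {coord: (bundled_version, required_floor)} for artifacts older than their floor."""
    return {c: (v, floors[c]) for c, v in found.items()
            if c in floors and _vtuple(v) < _vtuple(floors[c])}


def build_sample_jar() -> io.BytesIO:
    """Constructed stand-in for a shaded SDK jar; versions are the ones named in this thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.bouncycastle/bcprov-jdk15on/pom.properties",
                    "#generated\nversion=1.69\ngroupId=org.bouncycastle\nartifactId=bcprov-jdk15on\n")
        zf.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                    "version=2.9.7\ngroupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    inventory = bundled_artifacts(sys.argv[1] if len(sys.argv) > 1 else build_sample_jar())
    for (g, a), v in sorted(inventory.items()):
        print(f"{g}:{a}:{v}")
    floors = {("org.bouncycastle", "bcprov-jdk15on"): "1.78.1"}  # floor from the upgrade request
    for (g, a), (have, need) in below_floor(inventory, floors).items():
        print(f"OUTDATED {g}:{a} bundled {have}, need >= {need}")
```

Run it with a real jar path as the only argument to list the bundled coordinates that the published POM omits, then feed those coordinates to whichever scanner you use.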