
Vulnerability warnings in maven repository

Open DeniseSl22 opened this issue 2 years ago • 4 comments

Dear @hunterhacker, I just noticed these two warnings here: [image]

DeniseSl22 avatar Apr 04 '22 19:04 DeniseSl22

Hi @DeniseSl22 - Good catch. I'll add it to my long list of things to do in my life. If you're in a hurry you could test with Xerces 2.12.2 and see how well things work and submit a PR.

hunterhacker avatar Apr 04 '22 19:04 hunterhacker

@hunterhacker thank you for getting back to me so quickly! I know the feeling of long to-do lists. If I have time I will give a PR a try (but can't make any promises).

DeniseSl22 avatar Apr 06 '22 08:04 DeniseSl22

What could be more important than this @hunterhacker ! ... plenty of things I'm sure, but would really appreciate if this could be addressed... any idea when you will be able to look into it?

TeamChocolate avatar Apr 29 '22 13:04 TeamChocolate

Both vulnerabilities seem to be build-time vulnerabilities against Xerces 2.11, not required at runtime. Nothing to worry about IMO, but of course I can foresee QSAs jumping for joy with these nice new two entries in their reports.

I tried the latest version 2.12.2, which dragged me into upgrading xml-apis to 1.3.04, and just 26 out of 1093 failed. With the existing libraries, only 13 out of 1093 fail, but perhaps that's something in my setup (built using JDK 8).

I'm attaching the JUnit reports for the existing and upgraded runs, so that you can gauge the caliber of the changes that might be involved in upgrading these libraries.

Existing version

[screenshot of JUnit report: Screen Shot 2022-04-29 at 15 25 41]

New Xerces and XML-APIS

[screenshot of JUnit report: Screen Shot 2022-04-29 at 15 18 52]

I can send a PR if you want those handy @hunterhacker .

ar avatar Apr 29 '22 18:04 ar
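For a downstream consumer of jdom who wants the repository warning gone before an upstream release, the transitive Xerces version can be overridden in their own Maven build. The fragment below is an added example and is not code from the jdom project or from anyone in this thread. The coordinates `xerces:xercesImpl` and `xml-apis:xml-apis` are real Maven artifacts; the `org.jdom:jdom2` coordinates, the versions paired together, the `test` scope and the surrounding pom layout are assumptions for illustration and must be checked against your own dependency tree and test suite.

```xml
<!-- Hypothetical consumer pom.xml (example, not jdom's own build). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>jdom-consumer</artifactId>
  <version>1.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- dependencyManagement wins over the version a transitive
           dependency declares, so the 2.11 artifact that carries the
           reported CVEs is no longer resolved at all. -->
      <dependency>
        <groupId>xerces</groupId>
        <artifactId>xercesImpl</artifactId>
        <version>2.12.2</version>
      </dependency>
      <!-- Assumed pairing, taken from the upgrade described in the thread;
           verify the xml-apis version your resolved tree actually needs. -->
      <dependency>
        <groupId>xml-apis</groupId>
        <artifactId>xml-apis</artifactId>
        <version>1.3.04</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.jdom</groupId>
      <artifactId>jdom2</artifactId>
      <version>2.0.6</version> <!-- assumed version -->
    </dependency>

    <!-- If Xerces is only needed while running the test suite, keep it out
         of the runtime classpath entirely (assumed scope): a library that
         never ships is a library a scanner cannot flag in production. -->
    <dependency>
      <groupId>xerces</groupId>
      <artifactId>xercesImpl</artifactId>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

After editing, confirm what actually ends up on each classpath with `mvn dependency:tree -Dincludes=xerces:xercesImpl,xml-apis:xml-apis`; the output should show 2.12.2 and 1.3.04 and no remaining 2.11 entry. If your code never parses through Xerces directly, the alternative is an `<exclusions>` block on the jdom dependency so the JDK's built-in parser is used instead, which removes the artifact rather than upgrading it.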