
Update json-schema-validator in swagger-compat-spec-parser

Open msymons opened this issue 8 years ago • 2 comments

Update swagger-compat-spec-parser to use json-schema-validator v2.2.8 to address CVSS 3.0 level 5.4 security threat which originates from libphonenumber dependency.

Note that json-schema-validator has had a change of groupId from com.github.fge to com.github.java-json-tools. v2.2.8 uses libphonenumber v8.0.0 (threat was addressed in v7.2.3).

The libphonenumber transitive dependency results in a security alert from Nexus IQ OSS security scanning software. There is no CVE ID. Just a Sonatype problem code:

sonatype-2015-0090 - libphonenumber - A Cross Site Scripting vulnerability was found which is exploitable by manipulating the inputs. Reference:

https://github.com/googlei18n/libphonenumber/pull/934

msymons Jun 04 '17 15:06
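For a downstream Maven project that cannot wait for the upstream fix, the groupId change means a plain `dependencyManagement` pin on the new coordinates does not replace the old artifact: both would land on the classpath. The fragment below, an added example that is not part of this issue or of the swagger-parser project, excludes the old-groupId artifact from swagger-compat-spec-parser and declares the new one directly; the `io.swagger` groupId, the `SWAGGER_PARSER_VERSION` placeholder and the libphonenumber coordinates used in the verification comment are assumptions.

```xml
<!-- Constructed pom.xml fragment, not taken from swagger-parser.
     Assumes swagger-compat-spec-parser is published under io.swagger
     (placeholder version) and drags in com.github.fge:json-schema-validator,
     whose transitive libphonenumber predates the v7.2.3 fix. -->
<project>
  <dependencies>
    <dependency>
      <groupId>io.swagger</groupId>
      <artifactId>swagger-compat-spec-parser</artifactId>
      <version>SWAGGER_PARSER_VERSION</version>
      <exclusions>
        <!-- Drop the validator under its old groupId; a version pin on the new
             groupId would not override it because Maven keys on groupId:artifactId. -->
        <exclusion>
          <groupId>com.github.fge</groupId>
          <artifactId>json-schema-validator</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- Re-add the validator under its new groupId; 2.2.8 pulls libphonenumber 8.0.0,
         which is past the v7.2.3 release that addressed sonatype-2015-0090. -->
    <dependency>
      <groupId>com.github.java-json-tools</groupId>
      <artifactId>json-schema-validator</artifactId>
      <version>2.2.8</version>
    </dependency>
  </dependencies>
</project>

<!-- Verification (assumes libphonenumber's coordinates are
     com.googlecode.libphonenumber:libphonenumber): the resolved tree should
     show a single libphonenumber entry at 8.0.0 and no com.github.fge artifacts.

     mvn dependency:tree -Dincludes=com.googlecode.libphonenumber,com.github.fge
-->
```

If the tree still lists a com.github.fge artifact, another dependency is bringing it in and needs the same exclusion, otherwise the older libphonenumber remains reachable and the scanner alert will persist.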