
[BUG] security vulnerabilities in libraries

Open Lastaapps opened this issue 1 year ago • 3 comments

Describe the bug

Hi, I just included version 1.3.0-alpha.2 of skrape.it into my project, and IntelliJ reports that the package depends on vulnerable versions of quite a few libraries. When I try version 1.2.2, it's the same. I don't say that users of this library are directly vulnerable, but it's suspicious at least. All the vulnerabilities have quite a high score, so it would make sense just to make a 1.2.3 release with these libs bumped. Thanks for the great project!


All the vulnerabilities reported by IntelliJ

  • https://devhub.checkmarx.com/cve-details/CVE-2021-37533/
  • https://devhub.checkmarx.com/cve-details/CVE-2022-42889/
  • https://devhub.checkmarx.com/cve-details/CVE-2022-34169/
  • https://devhub.checkmarx.com/cve-details/CVE-2021-37714/
  • https://devhub.checkmarx.com/cve-details/CVE-2022-36033/
  • https://devhub.checkmarx.com/cve-details/CVE-2023-6378/

Lastaapps avatar May 28 '24 22:05 Lastaapps

A potential fix for anyone reading this is to just update the libraries on your side; this should be safe.

```kotlin
// build.gradle.kts: declare the patched versions directly so Gradle resolves
// them instead of the older ones pulled in transitively by skrape.it
implementation("ch.qos.logback:logback-core:1.4.12")      // CVE-2023-6378
implementation("ch.qos.logback:logback-classic:1.4.12")
implementation("commons-net:commons-net:3.9.0")           // CVE-2021-37533
implementation("org.apache.commons:commons-text:1.10.0")  // CVE-2022-42889
implementation("org.jsoup:jsoup:1.15.3")                  // CVE-2021-37714, CVE-2022-36033
implementation("xalan:xalan:2.7.3")                       // CVE-2022-34169
```

Lastaapps avatar May 28 '24 22:05 Lastaapps
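The same pins expressed as Gradle dependency constraints, as an added example that is not from this issue or the skrape.it project: constraints raise the version of a transitive dependency without turning it into a direct one, and `because()` records the reason so it shows up in `dependencyInsight` output. The `it.skrape:skrapeit` coordinate and the `java` plugin are assumptions about the consuming project; the versions are the ones from the comment above, and the CVE-to-artifact mapping is mine.

```kotlin
// build.gradle.kts (added example; assumes a JVM project consuming skrape.it)
plugins {
    java
}

repositories {
    mavenCentral()
}

dependencies {
    // Assumed coordinate for the library discussed in the issue.
    implementation("it.skrape:skrapeit:1.2.2")

    // Constraints apply to the implementation configuration and everything that
    // extends it (compileClasspath, runtimeClasspath). Gradle still selects the
    // highest requested version, so a newer version requested elsewhere wins.
    constraints {
        implementation("ch.qos.logback:logback-core:1.4.12") {
            because("CVE-2023-6378 in older logback-core")
        }
        implementation("ch.qos.logback:logback-classic:1.4.12") {
            because("keep logback-classic aligned with logback-core")
        }
        implementation("commons-net:commons-net:3.9.0") {
            because("CVE-2021-37533 in older commons-net")
        }
        implementation("org.apache.commons:commons-text:1.10.0") {
            because("CVE-2022-42889 in older commons-text")
        }
        implementation("org.jsoup:jsoup:1.15.3") {
            because("CVE-2021-37714 and CVE-2022-36033 in older jsoup")
        }
        implementation("xalan:xalan:2.7.3") {
            because("CVE-2022-34169 in older xalan")
        }
    }
}
```

Check the result with `./gradlew dependencyInsight --configuration runtimeClasspath --dependency jsoup` (and likewise for the other artifacts); the output shows the selected version and the `because` reason.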

Shouldn't we get this fixed? Anyone tracking this issue somewhere else?

jilvin avatar Jan 05 '25 03:01 jilvin

Issue https://github.com/skrapeit/skrape.it/issues/202 covers a subset of the vulnerabilities reported here in this issue. Fixing this issue should close https://github.com/skrapeit/skrape.it/issues/202 too.

jilvin avatar Jan 05 '25 03:01 jilvin