
Xerces2 dependency has security vulnerabilities. #920

Closed
newmacuser611 opened this issue Aug 12, 2019 · 2 comments · Fixed by #1121

Comments

@newmacuser611

Hi,

Jacoco depends on maven Reporting Impl 2.1, which depends on Doxia 1.1.2, which depends on Xerces 2.8.1, which has this CVE:

CVE-2012-0881: Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.

This is classified as a HIGH severity vulnerability.

Upgrading to Maven Reporting Impl 3.0 resolves this issue, as 3.0 uses Doxia 1.7, which has no dependency on Xerces at all.

Thanks.
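The chain named above is the kind of thing a `mvn dependency:tree` listing shows, but reading it by hand in a large build is error-prone. The following is an added example (not part of this issue, of JaCoCo, or of the Maven tooling) of a small parser for that text format that walks the tree, reports every path from the root to a given `groupId:artifactId`, and flags leaves whose version is below a stated fixed version. The sample tree is constructed here to mirror the chain in the issue; the artifact ids (`doxia-core`, `xercesImpl`) and the surrounding nodes are assumptions for illustration, and the `[INFO]` prefix is optional so saved or `-q` output also parses. Note that a match in the tree only proves the artifact is declared on the build classpath, not that the vulnerable code is reachable at runtime; that question has to be answered separately.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output mirroring the chain
# described in the issue: reporting-impl 2.1 -> doxia 1.1.2 -> xerces 2.8.1.
# Artifact ids and the other nodes are assumptions, not taken from the page.
SAMPLE_TREE = """\
[INFO] org.jacoco:jacoco-maven-plugin:maven-plugin:0.8.4
[INFO] +- org.apache.maven.reporting:maven-reporting-impl:jar:2.1:compile
[INFO] |  +- org.apache.maven.doxia:doxia-core:jar:1.1.2:compile
[INFO] |  |  \\- xerces:xercesImpl:jar:2.8.1:compile
[INFO] |  \\- org.apache.maven.doxia:doxia-site-renderer:jar:1.1.2:compile
[INFO] \\- org.jacoco:org.jacoco.core:jar:0.8.4:compile
"""

# Optional "[INFO] " prefix, then the tree-drawing prefix ("+- ", "|  ", "\- ",
# "   "; three characters per nesting level), then the Maven coordinate.
LINE_RE = re.compile(r"^(?:\[INFO\]\s)?([|+\\\- ]*)(\S+)$")


def parse_tree(text: str) -> List[Tuple[int, str]]:
    """Yield (depth, coordinate) for every dependency line; skip other log lines."""
    nodes = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m or ":" not in m.group(2):
            continue
        prefix, coord = m.groups()
        nodes.append((len(prefix) // 3, coord))
    return nodes


def version_of(parts: List[str]) -> str:
    # Coordinates are group:artifact:type:version[:scope] or, with a
    # classifier, group:artifact:type:classifier:version:scope.
    return parts[4] if len(parts) == 6 else parts[3]


def dependency_paths(text: str, group_artifact: str) -> List[List[str]]:
    """Every root -> ... -> target chain, as 'group:artifact:version' labels."""
    stack: List[str] = []
    hits: List[List[str]] = []
    for depth, coord in parse_tree(text):
        parts = coord.split(":")
        label = f"{parts[0]}:{parts[1]}:{version_of(parts)}"
        del stack[depth:]          # pop back to this node's parent
        stack.append(label)
        if f"{parts[0]}:{parts[1]}" == group_artifact:
            hits.append(list(stack))
    return hits


def version_tuple(v: str) -> Tuple[int, ...]:
    # Numeric-only comparison; qualifiers like "-SNAPSHOT" count as 0.
    nums = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v)]
    return tuple(nums + [0] * (4 - len(nums)))


def is_before(version: str, fixed_in: str) -> bool:
    return version_tuple(version) < version_tuple(fixed_in)


def affected_paths(text: str, group_artifact: str, fixed_in: str) -> List[List[str]]:
    """Chains whose leaf is the target artifact at a version older than fixed_in."""
    out = []
    for path in dependency_paths(text, group_artifact):
        leaf_version = path[-1].rsplit(":", 1)[1]
        if is_before(leaf_version, fixed_in):
            out.append(path)
    return out


if __name__ == "__main__":
    # CVE-2012-0881 is fixed in Xerces2 2.12.0 according to the issue text.
    for path in affected_paths(SAMPLE_TREE, "xerces:xercesImpl", "2.12.0"):
        print(" -> ".join(path))
```

Feeding real output in is a matter of `mvn dependency:tree > tree.txt` and passing the file contents in place of `SAMPLE_TREE`; the first element of each reported chain is the direct dependency that would carry an `<exclusion>` or an upgrade if the build owner decides to act on it.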

@marchof
Member

marchof commented Aug 13, 2019

See previous discussion about maven build time dependencies in #641

@Godin
Member

Godin commented Aug 17, 2019

First of all, there is absolutely no way to exploit CVE-2012-0881 via jacoco-maven-plugin, because these transitive dependencies on doxia and xerces are actually not used at runtime. I'm omitting proof of this for the time being as a kind of exercise for potential contributors.

Also, maven-reporting-impl cannot be updated to 3.0, because it requires Java 6, whereas Maven 3.0 declares Java 5 as the minimal required version and jacoco-maven-plugin declares Maven 3.0.

And here is another exercise: to me it seems possible to completely remove usage of maven-reporting-impl without losing any functionality.

marchof added a commit that referenced this issue Nov 7, 2020
This dependency is not really useful for JaCoCo reports and has several
transitive dependencies where security vulnerabilities have been
reported.

Fixes #641, #920
@Godin Godin linked a pull request Nov 26, 2020 that will close this issue
@Godin Godin added this to the 0.8.7 milestone Dec 18, 2020
@Godin Godin added this to Candidates in Current work items via automation Dec 25, 2020
Current work items automation moved this from Candidates to Done Dec 25, 2020