CVE-2022-42920 in apache bcel

[karel1980]

Hi. Just wanted to let you know about this CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-42920.
The good news is renovate[bot] already bumped bcel to 6.6.1 on nov 3rd
Given the severity of this CVE you might want to release 2.7.4.

Cheers!

[iloveeclipse]

Should be irrelevant for spotbugs, we don't write anything using BCEL, we only read

To be clear, see

• Original BCEL bug https://issues.apache.org/jira/browse/BCEL-363
• BCEL fix: BCEL-363 Enforce MAX_CP_ENTRIES in ConstantPoolGen and ConstantPool.dump apache/commons-bcel#147

[karel1980]

I understand. I got here because this trips up build pipelines for projects using the owasp dependency checker plugin :) It's not a big deal, pinning bcel to 6.6.1 works fine as a workaround

[kelvinn]

Exact same boat here - looking forward to 2.7.4 :)

[karel1980]

@kelvinn We've verified that both adding the suppression for the owasp dependency checker and overriding the bcel version via dependencyManagement (in gradle) works.
HTH

[kiranprakash154]

Looks like the bcel was updated here

Looking forward to the release of 2.7.4, When will that be?

Thanks in advance!

[karel1980]

4.7.0 through 4.7.3 were released between May and October. So at the current rate it could be expected somewhere in December :) - no guarantees though.

[PrasannaKumarGowdru]

Hi @karel1980 Even we are getting same security vulnerability CVE-2022-42920 from latest spot bug version, please let us know when the new version of Spot Bug will be available to fix this issue ( Our Management team wants to know tentative date for this fix)

Thanks a lot in advance :)

[karel1980]

I hope this question was not directed at me :) I am not affiliated with the project

[liwamdaman]

A little late to this thread, but also was curious about the release of 4.7.4, related to this bcel version bump. Hoping it comes soon!

Perhaps @iloveeclipse you could let us know of a tentative release date? Thanks 😄

[binkley]

When will this be resolved?
I have tried force updating the bcel dependency to latest (6.7.0), however that produces complaints:

The following errors occurred during analysis:
  Exception analyzing demo.TheFooTest using detector edu.umd.cs.findbugs.detect.FindUseOfNonSerializableValue
    org.apache.bcel.classfile.ClassFormatException: Invalid method signature: java/lang/NullPointerException
      At org.apache.bcel.classfile.Utility.typeOfSignature(Utility.java:1284)

[JuditKnoll]

The currently latest, 6.7.0 bcel has a bug, which breaks the spotbugs build. There is already a fix PR for it (apache/commons-bcel#221), so hopefully it will be in the next bcel release. Until then you can use bcel 6.6.1 with spotbugs.

[smilysharma-kr]

how to use bcel 6.x along with spot bugs in gradle.. if I explicitly mention bcel, it is still referring to bcel 5.X

[hazendaz]

Please make sure if not already ticket is open on the gradle plugin to just override it to 6.6.1. If you can raise PR there, I can make a release happen to solve it.

[hazendaz]

Going to close as we fixed in this repo already, just not released and it can be overwritten by downstreams. For maven, it was done and released here. For gradle, I would suggest raising ticket over there to override it. I looked but don't see it but think @KengoTODA could quickly get a release similar to what I did with maven. That would then satisfy the issue but otherwise issues is addressed here so no point keeping ticket open.

[binkley]

@hazendaz Very happy to see this resolved -- and on my birthday, no less!
I overlong hesitated to recheck, and now looking again, the CVE error is gone from my builds.
Thank you.