Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency com.puppycrawl.tools:checkstyle to v8.29 [SECURITY] #948

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update dependency com.puppycrawl.tools:checkstyle to v8.29 [SECURITY] #948

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jan 30, 2023
edited

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
com.puppycrawl.tools:checkstyle (source) 8.18 -> 8.29 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2019-10782

Due to an incomplete fix for CVE-2019-9658, checkstyle was still vulnerable to XML External Entity (XXE) Processing.

Impact

User: Build Maintainers

This vulnerability probably doesn't impact Maven/Gradle users as, in most cases, these builds are processing files that are trusted, or pre-vetted by a pull request reviewer before being run on internal CI infrastructure.

User: Static Analysis as a Service

If you operate a site/service that parses "untrusted" Checkstyle XML configuration files, you are vulnerable to this and should patch.

Note from the discoverer of the original CVE-2019-9658:

While looking at a few companies that run Checkstyle/PMD/ect... as a service I notice that it's a common pattern to run the static code analysis tool inside of a Docker container with the following flags:

--net=none \
--privileged=false \
--cap-drop=ALL

Running the analysis in Docker has the advantage that there should be no sensitive local file information that XXE can exfiltrate from the container. Additionally, these flags prevent vulnerabilities in static analysis tools like Checkstyle from being used to exfiltrate data via XXE or to perform SSRF.
- Jonathan Leitschuh

Patches

Has the problem been patched? What versions should users upgrade to?

Patched, will be released with version 8.29 at 26 Jan 2020.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

No workaround are available

References

For more information

If you have any questions or comments about this advisory:

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch 6 times, most recently from 8c80610 to bc513b7 Compare January 31, 2023 15:25
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from bc513b7 to d0b64fe Compare February 27, 2023 12:46
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from d0b64fe to 33dc911 Compare April 20, 2023 20:36
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 33dc911 to 17c4768 Compare May 22, 2023 14:58
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 17c4768 to 2de46f1 Compare May 30, 2023 17:36
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 2de46f1 to 06f052e Compare June 18, 2023 16:43
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 06f052e to 16b91e9 Compare July 5, 2023 16:19
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 16b91e9 to 5b6f0f1 Compare September 4, 2023 14:08
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 5b6f0f1 to 4e9488f Compare September 23, 2023 11:49
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch 2 times, most recently from 9ed263a to 9ae8231 Compare October 30, 2023 18:49
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 9ae8231 to 37f5543 Compare November 29, 2023 16:01
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch 3 times, most recently from e6d782b to cf554aa Compare December 24, 2023 16:35
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch 2 times, most recently from c5ff8a5 to 34bfa11 Compare January 19, 2024 23:34
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 34bfa11 to a1b43a2 Compare February 2, 2024 19:38
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from a1b43a2 to ede20fc Compare February 16, 2024 19:12
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from ede20fc to 40d0016 Compare February 29, 2024 23:01
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 40d0016 to fd6e973 Compare April 20, 2024 11:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
0 participants