[
https://issues.apache.org/jira/browse/JAMES-3033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17028736#comment-17028736
]
René Cordier commented on JAMES-3033:
-------------------------------------
Updated the description according to your first comment, thank you for the good
feedback.
Regarding the checkstyle rules, yes I'm trying to see a way to adapt it so we
don't need to change our code and our rules still apply like before (the trick
seems more like with imports)
> Vulnerability found in dependency com.puppycrawl.tools:checkstyle
> -----------------------------------------------------------------
>
> Key: JAMES-3033
> URL: https://issues.apache.org/jira/browse/JAMES-3033
> Project: James Server
> Issue Type: Improvement
> Reporter: René Cordier
> Priority: Minor
> Labels: security
>
> Due to an incomplete fix for
> [CVE-2019-9658|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9658],
> checkstyle is still vulnerable to XML External Entity (XXE) Processing, thus
> ending up to this [CWE-611: Improper Restriction of XML External Entity
> Reference|https://cwe.mitre.org/data/definitions/611.html]
> It is not urgent to upgrade though as :
> * checkstyle is run at compile time, runtime James behavior is not impacted
> (thus do not qualify as an Apache CVE)
> * However automated CIs may be exposed to malicious pull requests with
> crafted XML content leveraging the CVE pre-requisite. Even there, executing
> the compilation within a docker container with limited rights might be a good
> risk mitigation. Relying on "priviledge mode" or using a writable docker
> socket might not.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org
