[ https://issues.apache.org/jira/browse/JAMES-3033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17029608#comment-17029608 ]
René Cordier commented on JAMES-3033:
-------------------------------------

https://github.com/linagora/james-project/pull/3073 is solving the issue by upgrading the checkstyle dependency to 8.29 and enforcing the imports to the following rule:

{code:java}
import statics;
import java.*;
import javax.*;
import org.*;
import com.*;
import the rest;
{code}

> Vulnerability found in dependency com.puppycrawl.tools:checkstyle
> -----------------------------------------------------------------
>
>                 Key: JAMES-3033
>                 URL: https://issues.apache.org/jira/browse/JAMES-3033
>             Project: James Server
>          Issue Type: Improvement
>            Reporter: René Cordier
>            Priority: Major
>              Labels: security
>
> Due to an incomplete fix for [CVE-2019-9658|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9658], checkstyle is still vulnerable to XML External Entity (XXE) Processing, thus ending up to this [CWE-611: Improper Restriction of XML External Entity Reference|https://cwe.mitre.org/data/definitions/611.html]
>
> The issue is not very severe:
> * checkstyle is run at compile time, runtime James behavior is not impacted (thus does not qualify as an Apache CVE)
> * However automated CIs may be exposed to malicious pull requests with crafted XML content leveraging the CVE prerequisite. Even there, executing the compilation within a docker container with limited rights might be a good risk mitigation. Relying on "privileged mode" or using a writable docker socket might not.
>
> We might still want to fix it regarding our CI use.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
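The import rule quoted in the comment, written as a checkstyle configuration. This is an added example using checkstyle's standard ImportOrder module, not the configuration from the linked pull request; it assumes the checkstyle version used by the build is pinned to 8.29 separately (for Maven, in the maven-checkstyle-plugin's own `<dependencies>` block), since the ordering rule alone does nothing about the XXE issue.

```xml
<?xml version="1.0"?>
<!DOCTYPE module PUBLIC
    "-//Checkstyle//DTD Checkstyle Configuration 1.3//EN"
    "https://checkstyle.org/dtds/configuration_1_3.dtd">
<module name="Checker">
  <module name="TreeWalker">
    <!-- Group order: statics first ("top"), then java, javax, org, com.
         Imports matching none of the listed prefixes form the implicit
         last group ("the rest"). Each group is separated by a blank line
         and sorted alphabetically within the group. -->
    <module name="ImportOrder">
      <property name="option" value="top"/>
      <property name="groups" value="java,javax,org,com"/>
      <property name="ordered" value="true"/>
      <property name="separated" value="true"/>
      <property name="sortStaticImportsAlphabetically" value="true"/>
    </module>
  </module>
</module>
```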