[
https://issues.apache.org/jira/browse/JAMES-3033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17029608#comment-17029608
]
René Cordier commented on JAMES-3033:
-------------------------------------
https://github.com/linagora/james-project/pull/3073 is solving the issue by
upgrading the checkstyle dependency to 8.29 and enforcing the imports to the
following rule :
{code:java}
import statics;
import java.*;
import javax.*;
import org.*;
import com.*;
import the rest;
{code}
> Vulnerability found in dependency com.puppycrawl.tools:checkstyle
> -----------------------------------------------------------------
>
> Key: JAMES-3033
> URL: https://issues.apache.org/jira/browse/JAMES-3033
> Project: James Server
> Issue Type: Improvement
> Reporter: René Cordier
> Priority: Major
> Labels: security
>
> Due to an incomplete fix for
> [CVE-2019-9658|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9658],
> checkstyle is still vulnerable to XML External Entity (XXE) Processing, thus
> ending up to this [CWE-611: Improper Restriction of XML External Entity
> Reference|https://cwe.mitre.org/data/definitions/611.html]
> The issue is not very severe :
> * checkstyle is run at compile time, runtime James behavior is not impacted
> (thus do not qualify as an Apache CVE)
> * However automated CIs may be exposed to malicious pull requests with
> crafted XML content leveraging the CVE pre-requisite. Even there, executing
> the compilation within a docker container with limited rights might be a good
> risk mitigation. Relying on "priviledge mode" or using a writable docker
> socket might not.
> We might still want to fix it regarding our CI use.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org
