[BUILD-1011] Dismiss false positive about Woodstox/Stax2-api (Magnolia 5.7.x)

Created: 13/Feb/23 | Updated: 16/Feb/23 | Resolved: 14/Feb/23

| Status: | Closed |
| Project: | Build |
| Component/s: | None |
| Affects Version/s: | BOM 5.7.25 |
| Fix Version/s: | None |
| Type: | Task |
| Priority: | Neutral |
| Reporter: | Federico Grilli |
| Assignee: | Federico Grilli |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Template: | |
| Acceptance criteria: | Empty |
| Task DoR: | Empty |
| Team: | |
| Work Started: | |
| Description |

Woodstox is "the gold standard Stax XML 'pull' API (javax.xml.stream) implementation", see https://github.com/FasterXML/woodstox.

Looks like this is a false positive according to https://nvd.nist.gov/vuln/detail/CVE-2022-40152, as it affects versions up to (excluding) 6.4.0, the latter being the version present in Magnolia 5.7.x webapps. The library is pulled in transitively via an older Tika-parsers and ultimately JackRabbit version. We couldn't update to a major JackRabbit/Tika version in an EEoL maintenance branch anyway.

```
One or more dependencies were identified with known vulnerabilities in magnolia-enterprise-pro-webapp:
...
magnolia-empty-webapp-5.7.27-SNAPSHOT.war: stax2-api-4.2.1.jar (pkg:maven/org.codehaus.woodstox/stax2-api@4.2.1, cpe:2.3:a:fasterxml:woodstox:4.2.1:*:*:*:*:*:*:*) : CVE-2022-40152
```

inherited via

```
[INFO] | | | +- org.apache.tika:tika-parsers:jar:1.28.4:compile
[INFO] | | | | +- xerces:xercesImpl:jar:2.8.1:test
[INFO] | | | | +- com.fasterxml.woodstox:woodstox-core:jar:6.4.0:compile
[INFO] | | | | | \- org.codehaus.woodstox:stax2-api:jar:4.2.1:compile
```
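The finding above comes from the scanner matching the stax2-api 4.2.1 jar to the CPE `fasterxml:woodstox` at version 4.2.1, while the woodstox-core artifact that CVE-2022-40152 is actually about is at 6.4.0, the first fixed version. The way to dismiss such a mis-identification without hiding real findings is to suppress the wrong CPE match for that one package URL, scoped as narrowly as possible. The suppression file below is an added example and is not part of this issue or of the Magnolia build; it assumes the report was produced by OWASP Dependency-Check (its `pkg:maven/...` plus `cpe:2.3:...` output format suggests that, but the issue does not name the tool) and uses that tool's suppression XML schema. The file name `dependency-check-suppressions.xml` is an arbitrary choice.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (example, not from the Magnolia build).
     Assumes the OWASP Dependency-Check suppression schema 1.3. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Root-cause suppression: stax2-api is not woodstox-core, so the CPE
         fasterxml:woodstox must not be attached to the stax2-api jar at all.
         Scoping by packageUrl keeps the suppression from touching any other
         artifact; the regex covers future stax2-api versions as well. -->
    <suppress>
        <notes><![CDATA[
        BUILD-1011: stax2-api 4.2.1 is mis-identified as fasterxml:woodstox 4.2.1.
        CVE-2022-40152 concerns woodstox-core < 6.4.0; the webapp ships
        woodstox-core 6.4.0 (the fixed version), pulled in via tika-parsers 1.28.4.
        Re-check this suppression if woodstox-core is ever downgraded.
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.codehaus\.woodstox/stax2\-api@.*$</packageUrl>
        <cpe>cpe:/a:fasterxml:woodstox</cpe>
    </suppress>

    <!-- Narrower alternative: keep the CPE match but drop only this one CVE
         for this one artifact. Use this form when the CPE match itself is
         correct and only the version range comparison is wrong. -->
    <!--
    <suppress>
        <notes><![CDATA[BUILD-1011: not applicable, see above]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.codehaus\.woodstox/stax2\-api@.*$</packageUrl>
        <cve>CVE-2022-40152</cve>
    </suppress>
    -->
</suppressions>
```

Suppressing the CPE rather than the single CVE addresses the actual defect (the wrong product identification), so the same jar will not resurface under the next woodstox CVE; the notes block records the evidence so a later maintainer can re-validate the decision rather than inherit it blindly. Either form is wired in through the plugin's `suppressionFiles` configuration.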