[BUILD-1011] Dismiss false positive about Woodstox/Stax2-api (Magnolia 5.7.x) Created: 13/Feb/23  Updated: 16/Feb/23  Resolved: 14/Feb/23

Status: Closed
Project: Build
Component/s: None
Affects Version/s: BOM 5.7.25
Fix Version/s: None

Type: Task Priority: Neutral
Reporter: Federico Grilli Assignee: Federico Grilli
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Team: Foundation

 Description   

Woodstox is "the gold standard Stax XML 'pull' API (javax.xml.stream) implementation", see https://github.com/FasterXML/woodstox

Looks like this is a false positive according to https://nvd.nist.gov/vuln/detail/CVE-2022-40152, as it affects versions up to (excluding) 6.4.0, the latter being the version present in Magnolia 5.7.x webapps.
Apparently it is a mismatch with stax2-api version 4.2.1 having the woodstox name in the artifact's group id.

The library is pulled in transitively via an older Tika-parsers and ultimately JackRabbit version. We couldn't update to a major JackRabbit/Tika version in an EEoL maintenance branch anyway.

One or more dependencies were identified with known vulnerabilities in magnolia-enterprise-pro-webapp: 
...
magnolia-empty-webapp-5.7.27-SNAPSHOT.war: stax2-api-4.2.1.jar (pkg:maven/org.codehaus.woodstox/stax2-api@4.2.1, cpe:2.3:a:fasterxml:woodstox:4.2.1:*:*:*:*:*:*:*) : CVE-2022-40152 

inherited via

[INFO] |  |  |  +- org.apache.tika:tika-parsers:jar:1.28.4:compile
[INFO] |  |  |  |  +- xerces:xercesImpl:jar:2.8.1:test
[INFO] |  |  |  |  +- com.fasterxml.woodstox:woodstox-core:jar:6.4.0:compile
[INFO] |  |  |  |  |  \- org.codehaus.woodstox:stax2-api:jar:4.2.1:compile
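The finding format above ("One or more dependencies were identified with known vulnerabilities", purl plus CPE per jar) is what OWASP dependency-check emits, so the way to dismiss the false positive without silencing the scanner for the rest of the webapp is a suppression rule keyed on the mis-identified artifact. The following rule is an added example and not part of this ticket or of the Magnolia build; it assumes the scanner is dependency-check and that the build already passes a suppression file (the file name dependency-check-suppressions.xml is an assumption). It suppresses only the fasterxml:woodstox CPE for artifacts whose package URL is org.codehaus.woodstox:stax2-api, which is exactly the mismatch described: the CPE names Woodstox, but the jar is stax2-api, and the real woodstox-core in the tree is 6.4.0, outside the CVE-2022-40152 range.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (assumed file name; pass it via the
     plugin's suppressionFiles configuration). Added example, not project code. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      BUILD-1011: stax2-api 4.2.1 carries the group id org.codehaus.woodstox,
      which the CPE analyzer maps to cpe:/a:fasterxml:woodstox:4.2.1. The
      Woodstox implementation actually shipped is woodstox-core 6.4.0, which is
      not in the affected range of CVE-2022-40152 (< 6.4.0). Suppress the
      woodstox CPE for the stax2-api artifact only; any other artifact that
      legitimately maps to fasterxml:woodstox is still reported.
    ]]></notes>
    <!-- Match by package URL so the rule survives a stax2-api version bump
         and does not depend on a jar's sha1 hash. -->
    <packageUrl regex="true">^pkg:maven/org\.codehaus\.woodstox/stax2\-api@.*$</packageUrl>
    <!-- Drop the wrong CPE identification rather than just this one CVE,
         because every future fasterxml:woodstox CVE would otherwise hit
         stax2-api again for the same reason. -->
    <cpe>cpe:/a:fasterxml:woodstox</cpe>
  </suppress>
</suppressions>
```

If the policy is to suppress as narrowly as possible, replace the `<cpe>` element with `<cve>CVE-2022-40152</cve>`; that dismisses this finding alone and leaves the mis-identification in place, so the same false positive will reappear for the next Woodstox advisory. Either way, re-run the scan and confirm that woodstox-core 6.4.0 itself is still reported on its own CPE if a real advisory for it is ever published.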

Generated at Sun Feb 11 23:47:18 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.