-
Notifications
You must be signed in to change notification settings - Fork 827
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
exclude vulnerable indirect dep xalan #2695
Conversation
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/186949072 The labels on this github issue will be updated when the story is started. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it makes sense to add comments in the build.gradle files explaining why the exclude is there? Seems important since it's keeping a CVE out of the package.
Wouldn't the build fail if we actually needed this dependency? Seems pretty low-risk to me. I know Spring has a lot of potential for runtime errors that are surprising, but perhaps not for this type of issue. |
After reading this gradle doc, I got the impression that the failure might happen at runtime instead of build time. But in any case, if all our tests are passing, it's pretty good evidence that exclude works. Usually, we should use exclude very sparingly, in this case the direct dep (the saml extension lib) has reached EOL, so it can't be bumped, so our options are limited. |
Sure, wouldn't hurt to add that in addition to commit message. |
- a vulnerable xalan version (2.7.2; CVE-2022-34169) is brought in by the saml library we use: org.springframework.security.extensions:spring-security-saml2-core which has reached EOL (we are replacing it for develop branch, but not 74.5.x branch). So this xalan would not be bumped by spring-security-saml2-core anymore. - so to address this CVE scan result (CVE-2022-34169), exclude this indirect dep, like develop branch does: 061bee9 - note: excluding a dep of a library we use carries the risk of failure if we trigger a code path in the library that depends on the dep. The fact all tests are passing + the fact that this exclude has been applied in develop branch for more than 1 year give us enough confidence that this exclude would not introduce a failure. [#186948853]
1986645
to
05bea28
Compare
[#186948853]