From a7749a3691891dda3bc2d572bfc5aff720fd8fa7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miguel=20Gonza=CC=81lez?=
Date: Thu, 22 Aug 2024 09:39:02 +0200
Subject: [PATCH 1/2] Suppress security alerts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The unsafe classes warning due to the usage of org.apache.commons.digester3.Digester can be dismissed, as we're already disabling DTD features in DigesterUtils.

Signed-off-by: Miguel González
---
 .../com/codicesoftware/plugins/hudson/ChangeSetReader.java | 4 ++++
 .../plugins/hudson/commands/parsers/FindOutputParser.java | 2 ++
 .../plugins/hudson/commands/parsers/LogOutputParser.java | 2 ++
 3 files changed, 8 insertions(+)

diff --git a/src/main/java/com/codicesoftware/plugins/hudson/ChangeSetReader.java b/src/main/java/com/codicesoftware/plugins/hudson/ChangeSetReader.java
index 4ff2aad..0d35b53 100644
--- a/src/main/java/com/codicesoftware/plugins/hudson/ChangeSetReader.java
+++ b/src/main/java/com/codicesoftware/plugins/hudson/ChangeSetReader.java
@@ -24,6 +24,8 @@
 */
 public class ChangeSetReader extends ChangeLogParser {
 
+ // DigesterUtils will return a secured Digester unless there's a UNSAFE property in ChangeSetReader set to "true"
+ @SuppressWarnings("lgtm[jenkins/unsafe-classes]")
 @Override
 public ChangeSetList parse(
 Run run, RepositoryBrowser browser, File changelogFile)
@@ -36,6 +38,8 @@ public ChangeSetList parse(
 }
 }
 
+ // DigesterUtils will return a secured Digester unless there's a UNSAFE property in ChangeSetReader set to "true"
+ @SuppressWarnings("lgtm[jenkins/unsafe-classes]")
 public ChangeSetList parse(
 Run run, RepositoryBrowser browser, Reader reader)
 throws IOException, SAXException {
diff --git a/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java b/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java
index 00db885..1ec75de 100755
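Review bot: Placing `@SuppressWarnings("lgtm[jenkins/unsafe-classes]")` on the whole `parse(Run, RepositoryBrowser, File)` method silences the query for every statement in its body, so any later addition of a second, unhardened XML parser inside this method would go unreported; the method body continues outside the hunk, so I cannot see how much code is covered. A narrower suppression is the per-line form on the statement that actually obtains the parser, e.g. `Digester digester = DigesterUtils.createDigester(...); // lgtm[jenkins/unsafe-classes]`, which only covers that line. The justification comment also needs to name the opt-out precisely rather than "a UNSAFE property in ChangeSetReader": state the exact system property or constant and where it is read, so an operator can grep for it, and say what "secured" means (the DTD/external-entity features that DigesterUtils disables, per the commit message). The same applies to the second hunk on the `parse(Run, RepositoryBrowser, Reader)` overload, which carries an identical comment and annotation.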
--- a/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java
+++ b/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/FindOutputParser.java
@@ -21,6 +21,8 @@ public class FindOutputParser {
 // Utility classes shouldn't have default constructors
 private FindOutputParser() { }
+ // DigesterUtils will return a secured Digester unless there's a UNSAFE property in FindOutputParser set to "true"
+ @SuppressWarnings("lgtm[jenkins/unsafe-classes]")
 @Nonnull
 public static List parseReader(
 @Nonnull final ObjectSpecType specType,
diff --git a/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/LogOutputParser.java b/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/LogOutputParser.java
index 475a167..545b2d3 100755
--- a/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/LogOutputParser.java
+++ b/src/main/java/com/codicesoftware/plugins/hudson/commands/parsers/LogOutputParser.java
@@ -19,6 +19,8 @@ public final class LogOutputParser {
 // Utility classes shouldn't have default constructors
 private LogOutputParser() { }
+ // DigesterUtils will return a secured Digester unless there's a UNSAFE property in LogOutputParser set to "true"
+ @SuppressWarnings("lgtm[jenkins/unsafe-classes]")
 public static List parseFile(
 FilePath path, String repoName, String server) throws IOException, ParseException {
 List csetList = new ArrayList<>();
From 1f2cd7a715c16e68f1fadcf5189ba18ee14edc2a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miguel=20Gonza=CC=81lez?=
Date: Thu, 22 Aug 2024 10:00:38 +0200
Subject: [PATCH 2/2] Remove alert in `DigesterUtils.createDigester()`
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Miguel González
---
 src/main/java/com/codicesoftware/plugins/DigesterUtils.java | 3 +++
 1 file changed, 3 insertions(+)
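Review bot: The comment added above `parseReader` says the insecure opt-out is "a UNSAFE property in FindOutputParser", while the copy in ChangeSetReader says the property lives in ChangeSetReader; either there is one shared opt-out and the per-class wording is wrong in at least two of the three files, or each parser has its own flag and the comment should name it so the three can be audited together. Since the text is otherwise a verbatim copy with the class name substituted, I would replace it in each file with one sentence that points at the single source of truth, e.g. `// Safe: DigesterUtils.createDigester(true) disables the DTD/external-entity features; the only unhardened path is the documented <property-name> opt-out`, filling in the real property name. The body of `parseReader` is outside this hunk, so I cannot confirm where the `secure` flag is computed; "a UNSAFE" should also read "an UNSAFE" if the wording is kept.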
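Review bot: The suppression on `parseFile(FilePath path, ...)` is justified only by how the parser is built, not by where the XML comes from; a `FilePath` parameter suggests the input is read from a file on the controller or an agent workspace, and a reviewer of a suppressed XXE finding wants the trust boundary stated, since a hardened parser is the mitigation precisely because this input may be attacker-influenced. I would extend the comment to say so, e.g. `// Input is the cm log XML read from the agent workspace; treated as untrusted, hence the hardened Digester from DigesterUtils`, adjusted to the actual source. The rest of `parseFile` is outside this hunk, so I cannot see whether the `secure` argument passed to `DigesterUtils.createDigester` is fixed or read from the property the comment mentions; if it is the latter, the comment should name that property exactly.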
diff --git a/src/main/java/com/codicesoftware/plugins/DigesterUtils.java b/src/main/java/com/codicesoftware/plugins/DigesterUtils.java
index ccfa7cc..63207fa 100644
--- a/src/main/java/com/codicesoftware/plugins/DigesterUtils.java
+++ b/src/main/java/com/codicesoftware/plugins/DigesterUtils.java
@@ -11,6 +11,9 @@ private DigesterUtils() {
 // private as it is an utility class
 }
 
+ // This method disables features that are known to allow XML External Entity (XXE) attacks
+ // unless forced to be insecure
+ @SuppressWarnings("lgtm[jenkins/unsafe-classes]")
 public static Digester createDigester(boolean secure) throws SAXException {
 Digester digester = new Digester();
 if (secure) {
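Review bot: The annotation on `createDigester(boolean secure)` suppresses the `jenkins/unsafe-classes` alert for the whole method, including the `secure == false` path, which is the one place in the plugin that genuinely hands back an unhardened `Digester`, so the finding is silenced exactly where it is accurate. The `if (secure)` body is outside this hunk; the comment above the method should list which features it turns off so the suppression can be checked against the code rather than taken on trust, e.g. `// Secure mode disables DOCTYPE declarations and external general/parameter entities (XXE); secure=false is a deliberate, unhardened opt-out`, adjusted to what the branch actually sets. "unless forced to be insecure" also leaves open who does the forcing; `unless the caller passes secure=false` is the precise statement. If the class has a logger, emitting a warning on the insecure path would make the opt-out visible at runtime rather than only in a suppressed static-analysis result.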