Dismiss unsafe class alerts about org.apache.commons.digester3.Digester #77

3 changes: 3 additions & 0 deletions src/main/java/com/codicesoftware/plugins/DigesterUtils.java
Expand Up @@ -11,6 +11,9 @@ private DigesterUtils() {
// private as it is an utility class
}

// This method disables features that are known to allow XML External Entity (XXE) attacks
// unless forced to be insecure
@SuppressWarnings("lgtm[jenkins/unsafe-classes]")
public static Digester createDigester(boolean secure) throws SAXException {
Digester digester = new Digester();
if (secure) {
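Review bot: The suppression on `createDigester` silences the scanner for both branches of `secure`, so the path that hands back a non-hardened Digester is now invisible to the tool as well as to a reader skimming the annotation; the comment should say explicitly that `secure=false` is a deliberate opt-out and who may trigger it, e.g. `// Scanner suppression: when secure=true the features below disable XXE; secure=false is an explicit, admin-controlled escape hatch and must not be used for untrusted input.` The hardening itself lies outside the hunk (the method body continues past it); please confirm it turns off external-general-entities, external-parameter-entities and load-external-dtd (and sets disallow-doctype-decl where the parser supports it), and that these are applied before anything creates the underlying parser, since feature changes made after that point may have no effect. If a feature cannot be set and `SAXException` is thrown, the method should fail closed rather than let a caller continue with an unhardened instance; a Javadoc on `secure` and on that exception path would make the contract clear to the three call sites in this PR.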
Expand Up @@ -24,6 +24,8 @@
*/
public class ChangeSetReader extends ChangeLogParser {

// DigesterUtils will return a secured Digester unless there's a UNSAFE property in ChangeSetReader set to "true"
@SuppressWarnings("lgtm[jenkins/unsafe-classes]")
@Override
public ChangeSetList parse(
Run run, RepositoryBrowser<?> browser, File changelogFile)
Expand All @@ -36,6 +38,8 @@ public ChangeSetList parse(
}
}

// DigesterUtils will return a secured Digester unless there's a UNSAFE property in ChangeSetReader set to "true"
@SuppressWarnings("lgtm[jenkins/unsafe-classes]")
public ChangeSetList parse(
Run<?, ?> run, RepositoryBrowser<?> browser, Reader reader)
throws IOException, SAXException {
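Review bot: The comment names a "UNSAFE property in ChangeSetReader" without saying where it is defined or how an administrator sets it, so someone auditing the suppression has to grep for it; a suppression comment should carry its justification verbatim, e.g. `// Scanner suppression: DigesterUtils.createDigester(...) returns an XXE-hardened Digester unless the <fully-qualified property name> system property is "true" (deliberate admin opt-out).` The same annotation is placed on both `parse` overloads; if the `File` overload only opens the changelog and delegates to the `Reader` overload (both bodies continue outside the hunk, so this is inferred), the suppression there is wider than needed and should sit only on the method that actually touches `Digester`. When the opt-out is active at runtime, logging a warning once would make the reduced protection visible in the Jenkins log instead of silently changing parser behaviour.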
Expand Up @@ -21,6 +21,8 @@ public class FindOutputParser {
// Utility classes shouldn't have default constructors
private FindOutputParser() { }

// DigesterUtils will return a secured Digester unless there's a UNSAFE property in FindOutputParser set to "true"
@SuppressWarnings("lgtm[jenkins/unsafe-classes]")
@Nonnull
public static List<ChangeSet> parseReader(
@Nonnull final ObjectSpecType specType,
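Review bot: The suppression comment is the same template as in the other parsers with only the class name swapped, which suggests each parser has its own `UNSAFE` switch; if so there are now three separate opt-outs to audit and document, and it is not clear from the hunk whether they are independent or all read by `DigesterUtils`. Either centralise the escape hatch in `DigesterUtils` and reference one property name from every suppression comment, or name the actual property here: `// Scanner suppression: parser is XXE-hardened by DigesterUtils unless <property name> is "true".` The body of `parseReader` continues outside the hunk, so I cannot confirm which overload of `createDigester` it calls or how a `SAXException` from the hardening step is handled; please make sure a failure there does not fall back to an unhardened parser.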
Expand Up @@ -19,6 +19,8 @@ public final class LogOutputParser {
// Utility classes shouldn't have default constructors
private LogOutputParser() { }

// DigesterUtils will return a secured Digester unless there's a UNSAFE property in LogOutputParser set to "true"
@SuppressWarnings("lgtm[jenkins/unsafe-classes]")
public static List<ChangeSet> parseFile(
FilePath path, String repoName, String server) throws IOException, ParseException {
List<ChangeSet> csetList = new ArrayList<>();
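Review bot: `parseFile` declares only `IOException` and `ParseException`, so the `SAXException` that `DigesterUtils.createDigester` throws must be caught inside the body (which continues outside the hunk); if that catch converts or swallows it, the method should fail closed rather than proceed with a Digester whose XXE features were not applied. Since the input arrives through a `FilePath`, the content may originate on an agent, and from the controller's perspective agent-supplied XML is untrusted, which is precisely why the scanner flags `Digester`; the suppression comment should state that the secure default is what makes this acceptable, e.g. `// Scanner suppression: input may come from an agent; DigesterUtils hardens the parser against XXE unless <property name> is explicitly set to "true".` Please also confirm the opt-out property is read on the controller only and cannot be influenced by the agent side.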