DanBloomberg / leptonica

Leptonica is an open source library containing software that is broadly useful for image processing and image analysis applications. The official github repository for Leptonica is: danbloomberg/leptonica. See leptonica.org for more documentation.

Security binary scan reports XZ Utils library but unable to detect the version #706

Closed nandlalkumar closed 8 months ago

nandlalkumar commented 11 months ago

In the binary scan, the version of XZ Utils used in version 1.82.0 is not detected. Could you please update the read-me file with the open-source packages used in the component? Also, could you please let me know the version of the XZ Utils library used in version 1.82.0?

zdenop commented 11 months ago

XZ is not a (direct) leptonica dependency => there is no reason why it should be in the readme.

DanBloomberg commented 8 months ago

This is a runtime issue -- it does not affect the build. By default, leptonica will NOT run any program, such as xzgv, because it is a security hazard in a production environment.

If xzgv has been installed, and if LeptDebugOK has been set to TRUE, and if the variable var_DISPLAY_PROG has been set to run xzgv, then at runtime a call to pixDisplay() will run xzgv and display the image.
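To check the two points raised in this thread against your own build (whether liblzma is declared as a dependency of libleptonica, and whether the xzgv viewer is merely named as a string rather than linked), the script below audits a shared object with readelf, ldd and strings. It is an added example and not part of the issue thread or of the leptonica project; the library path in the usage line is an assumption for your system, and the readelf output at the bottom is a constructed sample used only to exercise the parser offline.

```sh
#!/bin/sh
# Added example (not from the leptonica project): audit a built libleptonica
# for (a) direct liblzma linkage and (b) references to the external viewer.

# needed_from_readelf: read `readelf -d` output on stdin and print the
# DT_NEEDED library names, one per line.
needed_from_readelf() {
    sed -n 's/.*(NEEDED).*\[\([^]]*\)].*/\1/p'
}

# has_needed NAME: exit 0 if a NEEDED entry on stdin starts with NAME.
has_needed() {
    needed_from_readelf | grep -q "^$1"
}

# audit_lib PATH: report direct dependencies, the full dynamic closure, and
# any embedded strings that a naive binary scanner might match on.
audit_lib() {
    lib="$1"
    echo "== DT_NEEDED entries of $lib"
    readelf -d "$lib" | needed_from_readelf
    if readelf -d "$lib" | has_needed liblzma; then
        echo "liblzma IS a direct dependency"
    else
        echo "liblzma is NOT a direct dependency"
    fi
    # A scanner may still see liblzma through a transitive dependency
    # (e.g. a codec library built with lzma support); ldd shows the closure.
    echo "== ldd entries mentioning lzma:"
    ldd "$lib" | grep -i lzma || echo "(none)"
    # The viewer is invoked by name at runtime, so it shows up only as text.
    echo "== strings mentioning xzgv or lzma:"
    strings -a "$lib" | grep -iE 'xzgv|lzma' || echo "(none)"
}

# Constructed sample of `readelf -d` output (not taken from a real build),
# used to exercise needed_from_readelf/has_needed without the library present.
SAMPLE_READELF='Dynamic section at offset 0x1234 contains 30 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libpng16.so.16]
 0x0000000000000001 (NEEDED)             Shared library: [libjpeg.so.8]
 0x0000000000000001 (NEEDED)             Shared library: [libtiff.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libz.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libleptonica.so.5]'

# usage (path is an assumption, adjust for your system):
#   audit_lib /usr/lib/x86_64-linux-gnu/libleptonica.so.5
```

Only the DT_NEEDED entries are direct dependencies; if the ldd section lists liblzma while the DT_NEEDED section does not, the scanner is seeing a transitive link through another library, which is where to look for the version it wants.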