Closed goetzseb closed 1 year ago
As far as I can tell this is a false positive.
The description of the CVE addresses a Rust library:
xml-rs crate before 0.8.14 for Rust and Crab https://nvd.nist.gov/vuln/detail/CVE-2023-34411
Also the matcher seems too broad and targets Rust:
cpe:2.3:a:xml_library_project:xml_library::::::rust::*
Other sources, the dependency check, https://github.com/jeremylong/DependencyCheck/issues/5770 also came to this conclusion.
Thank you @Fynnyan -- yes, it looks like a weird mismatch for sure.
Now: if the isorelax library had an issue, it would only affect Woodstox if and when the user enables RelaxNG validation, which is not something that is ever automatically enabled on specific input. So it would be unlikely to be applicable for most users.
But as-is, this looks like fully incorrect tagging.
Thank you both @Fynnyan and @cowtowncoder.
So I will stick to suppressing the error in the dependency analysis.
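One way to record that decision in OWASP dependency-check, as an added example that is not part of this thread: a suppression entry scoped to the isorelax artifact and to this single CVE, with the rationale kept in the notes. The Maven coordinates `com.sun.xml.bind.jaxb:isorelax` are an assumption; confirm them against your own dependency tree.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check suppression file, referenced from the plugin's suppressionFile setting -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        CVE-2023-34411 describes the Rust xml-rs crate, not the Java isorelax library
        pulled in transitively by Woodstox. It is matched only through the overly broad
        CPE cpe:2.3:a:xml_library_project:xml_library (see DependencyCheck issue #5770).
        ]]></notes>
        <!-- Assumed Maven coordinates of the transitive isorelax artifact;
             verify with `mvn dependency:tree` before applying. -->
        <packageUrl regex="true">^pkg:maven/com\.sun\.xml\.bind\.jaxb/isorelax@.*$</packageUrl>
        <!-- Suppress only this CVE so any future, genuine finding on isorelax still surfaces -->
        <cve>CVE-2023-34411</cve>
    </suppress>
</suppressions>
```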
Our build is currently broken due to a security vulnerability being reported by the OWASP check plugin. The reported issue is CVE-2023-34411. I admit that I am not quite familiar with addressing security issues, but it seems to me that the issue is actually caused by the isorelax library, which seems to be some transitive dependency of Woodstox. If this is the case, is there any countermeasure planned, or can you give us some hint on how to address this issue?