OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

Guava 32.0.0-jre fixes multiple CVEs #282

Closed melloware closed 1 year ago

melloware commented 1 year ago

Fixes at least these two CVEs

    <suppress>
        <notes><![CDATA[file name: guava.jar PrimeFaces does not use the temp directory functionality that is vulnerable]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
        <cve>CVE-2020-8908</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[file name: guava.jar PrimeFaces does not use the temp directory functionality that is vulnerable]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
        <cve>CVE-2023-2976</cve>
    </suppress>
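The suppression entries above match every guava version (`guava@.*`) and carry no `until` date, so they keep silencing the two CVEs even after the dependency is bumped to a fixed release. The script below is an added example (not code from this PR or from the java-html-sanitizer project) that reads a dependency-check suppression file of the same shape and flags entries that should be revisited: either the `until` date has passed, or the resolved artifact is at or above the version the advisory was fixed in. The suppression XML, the `until` date on the first entry, the resolved package URL and the `FIXED_IN` table are all constructed for the example; the fixed version of 32.0.0 for both CVEs is taken from this PR's title rather than from an advisory database.

```python
import re
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample in the shape of the suppression snippet posted in this PR.
# A hypothetical `until` date has been added to the first entry to exercise expiry.
SUPPRESSIONS_XML = r"""
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress until="2023-01-01Z">
        <notes><![CDATA[file name: guava.jar - temp directory functionality not used]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
        <cve>CVE-2020-8908</cve>
    </suppress>
    <suppress>
        <notes><![CDATA[file name: guava.jar - temp directory functionality not used]]></notes>
        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
        <cve>CVE-2023-2976</cve>
    </suppress>
</suppressions>
"""

# Assumed: the coordinate the build actually resolves, in package-URL form.
RESOLVED_GUAVA = "pkg:maven/com.google.guava/guava@32.0.0-jre"

# Assumed fixed versions, taken from this PR's statement that 32.0.0-jre fixes both CVEs.
FIXED_IN = {"CVE-2020-8908": "32.0.0", "CVE-2023-2976": "32.0.0"}


def parse_version(version):
    """Turn '32.0.0-jre' into (32, 0, 0); qualifiers such as '-jre' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def _local(tag):
    # Strip the XML namespace so the parser works with or without xmlns.
    return tag.rsplit("}", 1)[-1]


def load_suppressions(xml_text):
    """Return a list of dicts, one per <suppress> element."""
    entries = []
    for node in ET.fromstring(xml_text):
        if _local(node.tag) != "suppress":
            continue
        entry = {"until": node.get("until"), "cves": [], "packageUrl": None, "regex": False}
        for child in node:
            name = _local(child.tag)
            if name == "cve":
                entry["cves"].append(child.text.strip())
            elif name == "packageUrl":
                entry["packageUrl"] = child.text.strip()
                entry["regex"] = child.get("regex") == "true"
        entries.append(entry)
    return entries


def _matches_package(entry, purl):
    pattern = entry["packageUrl"]
    if pattern is None:
        return False  # only packageUrl-scoped suppressions are reviewed here
    if entry["regex"]:
        return re.search(pattern, purl) is not None
    return pattern == purl


def review_suppressions(xml_text, resolved_purl, fixed_in, today):
    """Return (cve, reason) pairs for suppressions that no longer need to exist.

    `today` is an ISO date string such as '2023-06-01'."""
    today = date.fromisoformat(today)
    resolved_version = resolved_purl.rsplit("@", 1)[1]
    findings = []
    for entry in load_suppressions(xml_text):
        if not _matches_package(entry, resolved_purl):
            continue
        for cve in entry["cves"]:
            until = entry["until"]
            if until and date.fromisoformat(until.rstrip("Z")) < today:
                findings.append((cve, f"suppression expired on {until}"))
            elif cve in fixed_in and parse_version(resolved_version) >= parse_version(fixed_in[cve]):
                findings.append((cve, f"resolved {resolved_version} is at or above fixed version "
                                      f"{fixed_in[cve]}; drop the suppression"))
    return findings


if __name__ == "__main__":
    for cve, reason in review_suppressions(SUPPRESSIONS_XML, RESOLVED_GUAVA, FIXED_IN, "2023-06-01"):
        print(f"{cve}: {reason}")
```

Run against the constructed input, both entries are reported: the first because its `until` date has passed, the second because the resolved 32.0.0-jre meets the assumed fixed version. With the resolved version rolled back to 31.1-jre and a date before the expiry, nothing is reported, which is the state in which the suppressions were justified. Suppressions scoped by `sha1` or `filePath` rather than `packageUrl` are deliberately not reviewed by this script.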
tandraschko commented 1 year ago

can't we just remove guava?

melloware commented 1 year ago

Yep there is another PR here to remove it entirely. I just put this up in case they wanted a quick fix before a more thorough review of the other PR