JFreeChart vulnerabilities

[tuspatil1]

Hi Team,

BlackDuck had reported following 4 vulnerabilities on JFreeChart version 1.0.19, Even the latest available version of JFreeChart is affected with all below mentioned CVE’s. CVE-2024-22949 (https://nvd.nist.gov/vuln/detail/CVE-2024-22949) CVE-2023-52070 (https://nvd.nist.gov/vuln/detail/CVE-2023-52070)
CVE-2024-23077 (https://nvd.nist.gov/vuln/detail/CVE-2024-23077)
CVE-2024-23076 (https://nvd.nist.gov/vuln/detail/CVE-2024-23076)

The site "https://nvd.nist.gov/vuln/detail/" mentions that these vulnerabilities are disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability.

Do we think these vulnerabilities have an impact on Jasper Reports (Community Edition)? Can you please let us know how TIBCO is addressing this?

Thanks, Tushar

[teodord]

We do not consider any of these reports as valid vulnerabilities.

Thank you, Teodor

[tuspatil1]

Thanks Teodor for your prompt response.

[tuspatil1]

Hi Teodor,

Does commercial version of jasperreports also dependent on JFreeChart library? As far as I know, commercial edition has HTML5(HighCharts) feature, but still basic charts are supported with JFreeChart. Right?

Thanks, Tushar

[teodord]

The commercial version has everything that the open source one has, plus some additional commercial modules such as HighCharts. Again, I would not be concerned about the above vulnerability reports, as they are not valid, but if you are, then you can simply not put JFreeChart into your application and do not put charts in your reports. Or you use the HighCharts component that comes with JasperReports Professional instead.

[tuspatil1]

Thanks Teodor.

We need the feature of charts; hence, we cannot remove JFreeChart. Can you please confirm whether all the charts supported through JFreeCharts are supported by HighCharts also, so that we can explore the option to go with the JasperReports commercial version?