archimatetool / archi

Archi: ArchiMate Modelling Tool
https://www.archimatetool.com
MIT License

Do These Vulnerable Libraries Pose a Security Risk to Archi Users? #1012

Closed connor-dawson closed 5 months ago

connor-dawson commented 5 months ago

I opened a question on the Archi forum and was told to post my question here.

We scanned the master branch of the archi repository with Mend SCA and found that there are vulnerabilities with the following libraries:

Are there plans to update these libraries to fixed versions? Do these libraries pose security risks for Archi users if they are not fixed?

Thank you

Phillipus commented 5 months ago

Hi, thanks for opening the issue.

I don't have access to Mend SCA so if you could post the reported vulnerabilities that would be useful. A potential vulnerability in one context may not actually be one when a library is used in another context.

Having said that I have already updated these here:

https://github.com/archimatetool/archi/commit/ea557e75c775ff29cacb81ac58c528c1fc9c978d
https://github.com/archimatetool/archi/commit/e1b8f43ce4101589bcb82004806a3fe25aec3109
https://github.com/archimatetool/archi/commit/71b6ff9478cab68437e028756a7f35397f67cfef
https://github.com/archimatetool/archi/commit/4a2d698101d5f66cc747e3274510674d4bdcac48

So you could try scanning the master branch again.

connor-dawson commented 5 months ago

Hi Phillipus,

Thank you for the quick response.

I re-scanned the master branch with Mend and there were no vulnerabilities reported. My issue is resolved.

Thank you

connor-dawson commented 5 months ago

Is there a plan to include these changes in an upcoming release? I see the latest release was November 1st, which includes the vulnerabilities.

Phillipus commented 5 months ago

These will be in the next version of Archi. When that will be is undecided as there is more work to do on the next version.