Closed (by aoraki, 4 months ago)
I am going to address this via a source code contribution
Hi @aoraki,
I could see neither hutool-json nor org.json:json used in Camunda 7 Platform. org.json is referenced in a dependencyManagement section in https://github.com/camunda/camunda-bpm-platform/blob/master/internal-dependencies/pom.xml#L170 but not used by any of the modules.
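The claim above (pinned in a shared dependencyManagement pom, consumed by no module) is easy to confirm mechanically, and worth re-checking before a scanner finding is dismissed as unused. The script below is an added example, not code from the camunda-bpm-platform project: it counts module poms other than the managing one that declare the artifactId, plus Java sources importing the package, and reports "unused" when both counts are zero. The miniature repository it builds is constructed for the demonstration; the paths, module name and the gson dependency in it are assumptions.

```shell
#!/bin/sh
# Added example (not from the Camunda repository).
# managed_dep_usage REPO_ROOT MANAGING_POM ARTIFACT_ID JAVA_PACKAGE
#   Prints "unused" when no module pom other than MANAGING_POM names the
#   artifact and no Java source imports the package, else "used:<count>".
#   Returns 2 when REPO_ROOT does not exist.
managed_dep_usage() {
  root=$1
  managing_pom=$2
  artifact=$3
  package=$4
  [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }

  # Module poms (excluding the one that only pins the version) that declare
  # the artifact. A dependencyManagement pin alone pulls in no code.
  pom_hits=$(find "$root" -name pom.xml ! -path "$managing_pom" \
      -exec grep -l "<artifactId>$artifact</artifactId>" {} + 2>/dev/null | wc -l)

  # Java sources importing any class from the package. The dots in the
  # package name are unescaped regex metacharacters, which is loose but
  # harmless for a usage check.
  src_hits=$(find "$root" -name '*.java' \
      -exec grep -l "^import $package\." {} + 2>/dev/null | wc -l)

  total=$((pom_hits + src_hits))
  if [ "$total" -eq 0 ]; then
    echo unused
  else
    echo "used:$total"
  fi
}

# Constructed fixture mirroring the issue's layout (assumed module names):
# a managing pom that pins org.json:json and one module that never uses it.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/internal-dependencies" "$dir/engine/src/main/java/org/example"
  cat > "$dir/internal-dependencies/pom.xml" <<'EOF'
<project>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.json</groupId>
        <artifactId>json</artifactId>
        <version>20231013</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
EOF
  cat > "$dir/engine/pom.xml" <<'EOF'
<project>
  <dependencies>
    <dependency>
      <groupId>com.google.code.gson</groupId>
      <artifactId>gson</artifactId>
    </dependency>
  </dependencies>
</project>
EOF
  cat > "$dir/engine/src/main/java/org/example/Foo.java" <<'EOF'
package org.example;
import com.google.gson.Gson;
public class Foo {}
EOF
  echo "$dir"
}

# Stand-alone run against the constructed fixture; for a real checkout use
#   managed_dep_usage /path/to/repo /path/to/repo/internal-dependencies/pom.xml json org.json
if [ "${1:-}" = "--demo" ]; then
  fx=$(make_fixture)
  managed_dep_usage "$fx" "$fx/internal-dependencies/pom.xml" json org.json
  rm -rf "$fx"
fi
```

The version-pin check is deliberately separate from the usage check: a scanner flags the pin because of the version string, while the exposure question is whether any module actually compiles or ships the artifact. Running the script before and after adding a consumer makes the difference visible.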
Hi @venetrius,
Can you remove the obsolete dependencies as part of your community work?
Best, Tassilo
Hi @venetrius, @tassilo, I raised this issue as a security scan was performed against the repo and identified a couple of vulnerabilities in the dependency. I didn’t realise that this dependency was unused, so thanks for bringing it to my attention.
I would like to make a source code contribution, and I’m only really starting out on that process. I’d like to make some nano-contributions first as a start. Removing obsolete dependencies might be a good one to get started with. If you identify the obsolete dependencies would I be able to make a contribution to remove them?
Thanks for your help.
Hi @aoraki,
If you would like to create a pull request to remove org.json.json from internal-dependencies/pom.xml, that would be welcomed!
That’s great @venetrius, I will gladly do that! Do I need to create a new issue on the repo to help track this change?
Thanks!
Yes, please do that and then I will close this one.
This is not a security issue. The unused dependency is removed in "Remove org.json:json from internal-dependencies/pom.xml".
Upgrade org.json:json to version 20231013 or later.
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 and org.json:json before version 20230227 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
CVE-2022-45688
Weakness: CWE-787