cdimascio / openapi-spring-webflux-validator

🌱 A friendly kotlin library to validate API endpoints using an OpenApi 3.0 and Swagger 2.0 specification

Consider upgrade commons-io:commons-io to a newer version #12

Closed AlexLi-Monster closed 4 years ago

AlexLi-Monster commented 4 years ago

Hi,

During a vulnerability check of my application, which uses openapi-spring-webflux-validator, we found there is a Java deserialization remote code execution issue in a library that is used, commons-io:commons-io:2.4.

Found JIRA: https://issues.apache.org/jira/browse/IO-487. Confirmed the latest version, 2.7, has no issues: https://www.sourceclear.com/vulnerability-database/libraries/apache-commons-io/java/maven/lid-122/summary

So please consider bumping up the version of commons-io:commons-io.

chejerlakarthik commented 4 years ago

Hello @cdimascio, @AlexLi-Monster and I work together and would like to make a contribution for this issue. Can you please let us know if that is okay and how we go about it?

cdimascio commented 4 years ago

Absolutely! Contributions are very much welcomed. To submit a change, create a pull request.

This lib does not pull in commons-io as a direct dependency, so you'll need to identify the dep that pulls it in, then modify pom.xml.

Once you submit a PR with your change I'll review it, merge it, and release a new version.
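One way to carry out the override described above, shown here as an added example rather than the actual change in PR #14: confirm which dependency brings in commons-io, then pin the transitive artifact to 2.7 (the version the reporter confirmed clean) through `dependencyManagement` in pom.xml. The surrounding project coordinates are elided and assumed to be a standard Maven pom.

```xml
<!-- Added example, not the project's own pom.xml change.
     Step 1: find the dependency that pulls in commons-io transitively:
       mvn dependency:tree -Dincludes=commons-io:commons-io
     Step 2: force every transitive commons-io to resolve to the fixed release. -->
<project>
  <!-- ... existing groupId/artifactId/version, parent, properties ... -->
  <dependencyManagement>
    <dependencies>
      <!-- Overrides the 2.4 version pulled in transitively with 2.7,
           which the reporter confirmed is not affected by IO-487. -->
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.7</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <!-- Step 3: re-run the dependency:tree command above and verify that
       the only commons-io entry now reads commons-io:commons-io:jar:2.7. -->
</project>
```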

cdimascio commented 4 years ago

If you need tips on how to contribute a change and submit a PR, check out this article: https://opensource.com/article/19/7/create-pull-request-github

cdimascio commented 4 years ago

Some brief instructions to help build the lib and run the tests.

chejerlakarthik commented 4 years ago

Thanks for sharing the guidelines @cdimascio. I have submitted a PR: #14

cdimascio commented 4 years ago

The changes are merged and available in v3.2.2. The version is already available on JCenter. It will be on Maven Central within 24 hours.

cdimascio commented 4 years ago

Thanks for your help @chejerlakarthik and @AlexLi-Monster.