css4j / echosvg

SVG implementation in the Java™ Language, fork of Apache Batik, supporting level 4 selectors and colors.
Apache License 2.0

Create codeql-analysis.yml #37

Closed carlosame closed 2 years ago

carlosame commented 2 years ago

I won't merge this due to the false positives. It reports a "critical" XXE vulnerability which does not exist because a safe resolver is being used, and labels 29 assignments as "high-severity Implicit narrowing conversion in compound assignment" when I do not think that they have any security implication.

Floating point overflows aren't a problem, and integer overflows aren't an issue in Java as they are in C/C++. There is no pointer arithmetic and array indexes are guaranteed to be safe. So integer overflows cannot be exploited in the same way that they are in C/C++. Those have the potential of being a normal bug (very rarely a security bug) but certainly not a "high severity vulnerability".
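Added example (not code from echosvg or from this PR) showing the pattern the "implicit narrowing conversion in compound assignment" query flags, how the same narrowing looks when written explicitly or checked, and why a wrapped value cannot index outside an array in Java; the class and method names are my own.

```java
// Added example, not part of the echosvg project or this PR.
public final class NarrowingDemo {

    // Compound assignment narrows silently: this is what the query reports.
    // The JLS defines `total += x` here as `total = (short) (total + x)`.
    static short accumulateImplicit(short total, int x) {
        total += x;   // no cast needed; wraps on overflow without warning
        return total;
    }

    // Same behaviour with the narrowing made explicit, so a reviewer can
    // see that wrap-around was considered (this is all the query asks for).
    static short accumulateExplicit(short total, int x) {
        return (short) (total + x);
    }

    // Where wrap-around is not acceptable, fail loudly instead of wrapping.
    static short accumulateChecked(short total, int x) {
        int sum = Math.addExact(total, x);          // throws on int overflow
        if (sum < Short.MIN_VALUE || sum > Short.MAX_VALUE) {
            throw new ArithmeticException("short overflow: " + sum);
        }
        return (short) sum;
    }

    public static void main(String[] args) {
        short t = accumulateImplicit((short) 30000, 10000);
        System.out.println("implicit: " + t);       // 40000 wraps to -25536
        System.out.println("explicit: " + accumulateExplicit((short) 30000, 10000));

        // A wrapped value used as an index is bounds-checked by the JVM: the
        // access throws rather than reading outside the array, unlike in C.
        byte[] buf = new byte[16];
        try {
            byte b = buf[t];
            System.out.println("read " + b);         // never reached
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("index rejected: " + e.getMessage());
        }

        try {
            accumulateChecked((short) 30000, 10000);
        } catch (ArithmeticException e) {
            System.out.println("checked: " + e.getMessage());
        }
    }
}
```

The wrapped result is an ordinary logic bug (wrong value), which is the distinction the comment above draws: the runtime bounds check keeps it from becoming a memory-safety issue.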