eclipse-birt / birt

Eclipse BIRT™ The open source reporting and data visualization project.
http://www.eclipse.org/birt
Eclipse Public License 2.0

High CVE-2022-41852 for commons-jxpath version 1.3 #1668

Closed PookiPok closed 1 week ago

PookiPok commented 1 week ago

Our company scanning discovers this High Severity security issue http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41852 for the birt-runtime-4_15_0/plugins/org.apache.commons.jxpath_1.3.0.v200911051830.jar. Is there a plan to fix this for the next BIRT release?

merks commented 1 week ago

The description says:

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

This is a dependency needed by the Eclipse Platform

https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/blob/724c0b5e727ef000963fe0799ca94e98333176f3/eclipse.platform.releng.prereqs.sdk/eclipse-sdk-prereqs.target#L779-L784

It is not something BIRT can address. Furthermore, the library authors have rejected the problem, have not provided a new version, and there is no viable alternative replacement.

merks commented 1 week ago

@speckyspooky @wimjongman

I was doing some analysis the other week, and it seems the BIRT org.eclipse.birt.osgi.runtime feature includes UI dependencies.


That seems odd to me. I would not expect a "runtime" to have UI dependencies...

speckyspooky commented 1 week ago

Yes, the OSGi runtime shouldn't have UI references, so I would agree with your analysis.

merks commented 1 week ago

At some point in the not-too-distant future I would like to revisit the runtime definitions to ensure that they are sensible and truly only runtime. Certainly jxpath is not used by the runtime but only by the e4 part of the Eclipse IDE...

wimjongman commented 1 week ago

Yes, I agree.