finos / messageml-utils

MessageML is a markup language used by the Symphony Agent API for representing messages, including formatting (bold, italic, numbered and unnumbered lists etc.) and entity data representing structured objects.
https://docs.developers.symphony.com
Apache License 2.0

MML-298 Fix XXE in json-schema-validator #299

Closed ldrozdz closed 3 years ago

ldrozdz commented 3 years ago
  ✗ XML External Entity (XXE) Injection [High Severity][https://snyk.io/vuln/SNYK-JAVA-ORGMOZILLA-1314295] in org.mozilla:rhino@1.7.7.1
    introduced by org.symphonyoss.symphony:messageml@0.9.70 > com.github.java-json-tools:json-schema-validator@2.2.10 > com.github.java-json-tools:json-schema-core@1.2.10 > org.mozilla:rhino@1.7.7.1
  This issue was fixed in versions: 1.7.12

Latest available json-schema-validator (2.2.14, released May 2020) ships with an unsafe Rhino version. Need to add an exclusion and pull in a safe Rhino version explicitly.
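The exclusion the description calls for, written out as an added Maven pom.xml example (not the PR's own diff, which this page does not show); the artifact coordinates and versions are the ones the Snyk report above lists, while the surrounding pom structure is assumed:

```xml
<!-- pom.xml fragment (added example, not the PR's own diff): drop the transitive Rhino
     that json-schema-validator 2.2.14 pulls in via json-schema-core, then declare the
     patched Rhino directly so the resolved version is 1.7.12 (the fix version Snyk names). -->
<dependencies>
  <dependency>
    <groupId>com.github.java-json-tools</groupId>
    <artifactId>json-schema-validator</artifactId>
    <version>2.2.14</version>
    <exclusions>
      <!-- Path from the report: json-schema-validator > json-schema-core > org.mozilla:rhino@1.7.7.1.
           An exclusion applies to the whole subtree, so declaring it here is enough. -->
      <exclusion>
        <groupId>org.mozilla</groupId>
        <artifactId>rhino</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Explicit, patched Rhino so json-schema-core still finds the classes it needs at runtime -->
  <dependency>
    <groupId>org.mozilla</groupId>
    <artifactId>rhino</artifactId>
    <version>1.7.12</version>
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree -Dincludes=org.mozilla:rhino` should list only rhino 1.7.12; if 1.7.7.1 still appears, another dependency is pulling it in and needs the same exclusion.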

sonarcloud[bot] commented 3 years ago

Kudos, SonarCloud Quality Gate passed!

Bug: A (0 Bugs)
Vulnerability: A (0 Vulnerabilities)
Security Hotspot: A (0 Security Hotspots)
Code Smell: A (0 Code Smells)

No Coverage information
0.0% Duplication

symphony-youri commented 3 years ago

hey @ldrozdz looks like we missed this PR, @symphony-enrico is no longer working on messageml-utils, I'll update the .github files to make sure we get notifications on new PRs

we actually ignored rhino in the Snyk reports for the Agent as it is used as a fallback for Nashorn (that is still there in the JDK versions we use) and probably not even used by the Agent in any case.