flipkart-incubator / zjsonpatch

This is an implementation of RFC 6902 JSON Patch written in Java
Apache License 2.0

Vulnerability: High org.apache.commons:commons-collections4 #164

Closed AlexyNau closed 1 year ago

AlexyNau commented 1 year ago

Hello, I got this warning from IntelliJ with version 0.4.13:

Provides transitive vulnerable dependency org.apache.commons:commons-collections4:4.2 
Uncontrolled Recursion vulnerability pending CVSS allocation

IntelliJ redirects me to more information here: devhub.checkmarx.com/cve-details/Cx78f40514-81ff/ I quote:

The framework Apache Commons Collections before 4.3 is vulnerable to Stack Overflow. The function add() in the file src/main/java/org/apache/commons/collections4/list/SetUniqueList.java throws a StackOverflowError when the add() method is called with its own list. To resolve this issue - upgrade to version 4.3. Please note: the package name was changed to org.apache.commons:commons-collections4 on version 4.0.

It seems that the version used in the pom has a vulnerability. Could you please fix this issue by maybe changing

        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-collections4</artifactId>
            <version>4.2</version>
        </dependency>

to

        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-collections4</artifactId>
            <version>4.4</version>
        </dependency>

Thank you,

vishwakarma commented 1 year ago

Thanks @AlexyNau Would you like to send a PR for this?

vishwakarma commented 1 year ago

Looks like this PR https://github.com/flipkart-incubator/zjsonpatch/pull/157 will do

AlexyNau commented 1 year ago

Thanks, next time I will ;)

Should I close the issue myself when the next release is created?

vishwakarma commented 1 year ago

New version 0.4.14 released.