Open pedro93 opened 2 years ago
@li-kramgopa Can we pls get a review on this PR? This is causing severe vuln on dependent project scans.
Thanks! John
@jjoyce0510 why are your CI tests failing? Also, can you please update the diff to remove the comment? You also need to update CHANGELOG and the version.
@mchen07 @evanw555 fyi ^
@pedro93 Please update the PR to address the above :)
Already did, regarding the failing CI I may need some help from someone more familiar with project.
Can somebody provide a link to the vulnerability issue this is trying to solve?
@pedro93 @jjoyce0510 Can you please share the details about the security vulnerability? Within LinkedIn, there are many other repos that also use this dependency. We need to check with the InfoSec team and ask for their recommendation. We are not sure of the issue or impact at this moment. Moreover, if we are going to replace it, we need to get InfoSec confirmation on which version would be the right one. Before that I don't think we could review this PR.
Here is the doc: https://docs.google.com/document/d/1ycmmQsY73LUAguDjdJncpr_GQ8E1lMJwfsuIpd5sPl0/edit?usp=sharing Please let me know if you can't access it. Thanks!
Here's a pasted transcript from the doc.
apache-httpclient : commons-httpclient : 3.1
sonatype-2007-0004

Issue: sonatype-2007-0004
Severity: Sonatype CVSS 3: 7.5; CVE CVSS 2.0: 0.0
Weakness: Sonatype CWE: 770
Source: Sonatype Data Research
Categories: Data

Explanation: The Apache HttpComponents project, a library of low level Java components focused on HTTP and associated protocols, is vulnerable to a Denial of Service (DoS). The HttpParser class' readRawLine method performs unbound reads on HTTP POST data. If a new line character \n is not encountered, memory consumption is not limited, leading to a Denial of Service.

Detection: The application is vulnerable by using this component.

Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue. NOTE: Component commons-httpclient:commons-httpclient is not expected to have any further releases, including a fixed version. The component was relocated to org.apache.httpcomponents:httpclient. Therefore, users of the affected versions of commons-httpclient:commons-httpclient should consider upgrading to a non-vulnerable version of org.apache.httpcomponents:httpclient.

Root Cause: commons-httpclient-3.1.jar : org/apache/commons/httpclient/HttpParser.class : [2.0-alpha3,)

Advisories:
Project: http://hc.apache.org/index.html
Project: https://issues.apache.org/jira/browse/HTTPCLIENT-644
Project: https://issues.apache.org/jira/browse/HTTPCORE-3
Project: https://issues.apache.org/jira/browse/HTTPCORE-4

CVSS Details: Sonatype CVSS 3: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
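The advisory pasted above describes the defect as readRawLine buffering bytes until it sees '\n', with no upper bound (CWE-770). The following is an added illustration, not code from commons-httpclient or from this PR, of what the missing check looks like: a line reader that stops and fails once a configurable number of bytes has been buffered without a newline. The class name, the 8 KiB default and the sample input are assumptions made for the example; the advisory's actual remediation is to move to org.apache.httpcomponents:httpclient, not to patch the old parser.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

/**
 * Added example (not commons-httpclient code): a raw line reader that bounds
 * how many bytes it will hold while waiting for '\n'. The advisory describes
 * HttpParser.readRawLine in commons-httpclient 3.1 reading without such a
 * bound, so a peer that never sends a newline makes the buffer grow without
 * limit. The 8 KiB default below is an assumed value, not one from the advisory.
 */
public final class BoundedLineReader {

    /** Thrown when a line exceeds the configured maximum before a '\n' arrives. */
    public static final class LineTooLongException extends IOException {
        public LineTooLongException(int limit) {
            super("line exceeded " + limit + " bytes without a newline");
        }
    }

    private static final int DEFAULT_MAX_LINE_BYTES = 8 * 1024; // assumed limit

    /**
     * Reads raw bytes up to and including the next '\n', like readRawLine, but
     * gives up once maxLineBytes have been buffered. Returns null at end of
     * stream when nothing was read.
     */
    public static byte[] readRawLine(InputStream in, int maxLineBytes) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        int ch;
        while ((ch = in.read()) >= 0) {
            buf.write(ch);
            if (ch == '\n') {
                return buf.toByteArray();
            }
            // The check the vulnerable version lacks: stop buffering once the
            // line is larger than any legitimate request or header line should be.
            if (buf.size() >= maxLineBytes) {
                throw new LineTooLongException(maxLineBytes);
            }
        }
        return buf.size() == 0 ? null : buf.toByteArray();
    }

    public static byte[] readRawLine(InputStream in) throws IOException {
        return readRawLine(in, DEFAULT_MAX_LINE_BYTES);
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: one well-formed request line.
        byte[] good = "POST /upload HTTP/1.1\r\n".getBytes(StandardCharsets.ISO_8859_1);
        byte[] line = readRawLine(new ByteArrayInputStream(good));
        System.out.println("read: " + new String(line, StandardCharsets.ISO_8859_1).trim());

        // Constructed input: a stream that never terminates its line, which is the
        // condition the advisory describes. The bounded reader rejects it instead
        // of buffering indefinitely.
        InputStream endless = new InputStream() {
            @Override public int read() { return 'A'; } // never yields '\n'
        };
        try {
            readRawLine(endless, 1024);
            System.out.println("unexpected: line accepted");
        } catch (LineTooLongException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The limit is checked after every byte rather than only at end of stream, so memory use is capped at maxLineBytes regardless of how long the peer keeps sending. When choosing the limit for a real parser, set it from the largest line the protocol legitimately needs (request line plus headers), and treat a LineTooLongException as a reason to close the connection and log the peer, since a well-behaved client will not produce it.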
Hello,
Pinging back on this PR. Have you had any chance to evaluate the changes?
Thank you.
@mchen07 can you check this please?
@pedro93 can you please rebase with master and upload a new diff?
I merged master into this PR, is that not enough?
Security vulnerabilities have been found in apache-httpclient:commons-httpclient:3.1. Unfortunately, 3.1 is the latest version of this package.
The suggestion to resolve the vulnerability is to https://hc.apache.org/httpcomponents-client-5.1.x/