search

mulesoft / mule-migration-assistant

Migration Framework
BSD 3-Clause "New" or "Revised" License
26 stars 35 forks source link

Update dependency com.puppycrawl.tools:checkstyle to v8.29 [SECURITY] #737

Closed renovate-06-kbuild[bot] closed 4 months ago

renovate-06-kbuild[bot] commented 9 months ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
com.puppycrawl.tools:checkstyle (source) 8.0 -> 8.29 age adoption passing confidence

[!WARNING] Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2019-9658

Checkstyle prior to 8.18 loads external DTDs by default, which can potentially lead to denial of service attacks or the leaking of confidential information.

CVE-2019-10782

Due to an incomplete fix for CVE-2019-9658, checkstyle was still vulnerable to XML External Entity (XXE) Processing.

Impact

User: Build Maintainers

This vulnerability probably doesn't impact Maven/Gradle users as, in most cases, these builds are processing files that are trusted, or pre-vetted by a pull request reviewer before being run on internal CI infrastructure.

User: Static Analysis as a Service

If you operate a site/service that parses "untrusted" Checkstyle XML configuration files, you are vulnerable to this and should patch.

Note from the discoverer of the original CVE-2019-9658:

While looking at a few companies that run Checkstyle/PMD/ect... as a service I notice that it's a common pattern to run the static code analysis tool inside of a Docker container with the following flags:

--net=none \
--privileged=false \
--cap-drop=ALL

Running the analysis in Docker has the advantage that there should be no sensitive local file information that XXE can exfiltrate from the container. Additionally, these flags prevent vulnerabilities in static analysis tools like Checkstyle from being used to exfiltrate data via XXE or to perform SSRF. - Jonathan Leitschuh

Patches

Has the problem been patched? What versions should users upgrade to?

Patched, will be released with version 8.29 at 26 Jan 2020.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

No workaround are available

References

For more information

If you have any questions or comments about this advisory:

Configuration

📅 Schedule: Branch creation - "" in timezone America/Argentina/Buenos_Aires, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Renovate Bot.

renovate-06-kbuild[bot] commented 9 months ago

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

Warning: custom changes will be lost.

renovate-06-kbuild[bot] commented 4 months ago

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (8.29). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.