stanfordnlp / CoreNLP

CoreNLP: A Java suite of core NLP tools for tokenization, sentence segmentation, NER, parsing, coreference, sentiment analysis, etc.
http://stanfordnlp.github.io/CoreNLP/
GNU General Public License v3.0

owasp check failed #1465

Open eduarddrenth opened 1 month ago

eduarddrenth commented 1 month ago

My build shows:

[ERROR] protobuf-java-3.19.6.jar: CVE-2024-7254(8.699999809265137)

Can you please update this dependency?

AngledLuffa commented 1 month ago

This will be in the next release

eduarddrenth commented 2 weeks ago

Some more: lucene CVE-2024-45772 and javax.json CVE-2023-7272.

For lucene dep I use version 9.12.0 now with stanford, seems to be working fine (but all I do is return new Sentence(form).lemmas(); so I might never touch lucene)

AngledLuffa commented 2 weeks ago

if i update javax.json to

https://repo1.maven.org/maven2/org/glassfish/jakarta.json/1.1.6/

do you know if that will solve your problems with that library? i have no idea what effect updating to 2.... would have

AngledLuffa commented 2 weeks ago

the lucene stuff is for a specific package which we're not sure too many people use (@manning wants me to delete it entirely)

AngledLuffa commented 2 weeks ago

for lucene, what about the 7.7.3 series? again i feel wary bumping the major version number without actually knowing anything about the package that uses it

https://mvnrepository.com/artifact/org.apache.lucene/lucene-core/7.7.3

but if that still has security problems then i guess it's time to do something bigger

eduarddrenth commented 2 weeks ago

Perhaps, but I think that version has the vulnerability as well. There will probably be some impact here. But it could be that the way Stanford uses lucene doesn't expose the vulnerability.
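Overriding the flagged transitive versions from the consuming project, as eduarddrenth describes doing for lucene, looks like the following in a consumer's pom.xml. This is an added example, not CoreNLP's own pom or anything posted in this thread. Assumptions: the Maven coordinates `com.google.protobuf:protobuf-java` and `edu.stanford.nlp:stanford-corenlp`, that CoreNLP currently declares `org.glassfish:javax.json` (so the jakarta.json 1.1.6 artifact linked above has to be swapped in by exclusion rather than plain version override), and placeholder versions for CoreNLP and for the protobuf-java release that the CVE-2024-7254 advisory lists as fixed. The lucene 9.12.0 and jakarta.json 1.1.6 versions are the ones named in the thread.

```xml
<!-- Added example: consumer pom.xml pinning the dependencies discussed in this thread.
     Not CoreNLP's own build file. Coordinates and the javax.json exclusion are assumptions;
     the *_PLACEHOLDER versions must be filled in from your build and the advisory. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>corenlp-consumer</artifactId>
  <version>1.0-SNAPSHOT</version>

  <properties>
    <corenlp.version>CORENLP_VERSION_PLACEHOLDER</corenlp.version>
    <!-- Use the protobuf-java version the CVE-2024-7254 advisory marks as fixed. -->
    <protobuf.version>PROTOBUF_FIXED_VERSION_PLACEHOLDER</protobuf.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Versions declared here take precedence over what CoreNLP pulls in transitively. -->
      <dependency>
        <groupId>com.google.protobuf</groupId>
        <artifactId>protobuf-java</artifactId>
        <version>${protobuf.version}</version>
      </dependency>
      <dependency>
        <!-- Major-version bump over what CoreNLP declares. Only the lucene-backed package
             exercises it, so test that code path if your application uses it. -->
        <groupId>org.apache.lucene</groupId>
        <artifactId>lucene-core</artifactId>
        <version>9.12.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>edu.stanford.nlp</groupId>
      <artifactId>stanford-corenlp</artifactId>
      <version>${corenlp.version}</version>
      <exclusions>
        <!-- Assumed current artifact; it has a different artifactId from jakarta.json,
             so a version override alone would not replace it. -->
        <exclusion>
          <groupId>org.glassfish</groupId>
          <artifactId>javax.json</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <!-- Drop-in replacement linked in the thread. The 1.1.x line still ships the
         javax.json package names; 2.x renames them to jakarta.json, which is the
         source-incompatible change the maintainer is wary of. -->
    <dependency>
      <groupId>org.glassfish</groupId>
      <artifactId>jakarta.json</artifactId>
      <version>1.1.6</version>
    </dependency>
  </dependencies>
</project>
```

After editing, confirm the effective versions with `mvn dependency:tree -Dincludes=com.google.protobuf,org.apache.lucene,org.glassfish` before rerunning the OWASP dependency-check; if the old artifact still appears, another dependency is pulling it in and needs the same exclusion. An override like this only changes what ships on the classpath, so whether the lucene-using CoreNLP package still works against 9.x has to be verified by exercising that code, which is the open question in the thread.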
