sul-dlss-labs / ld4p-marc21-to-xml

convert marc21 data into marcxml, with authority ids resolved to URIs via Symphony

Resolve security vulnerabilities #39

Closed dazza-codes closed 7 years ago

dazza-codes commented 7 years ago

#37 and #38 surface security vulnerabilities; find a way to resolve these, either using the features to skip some vulnerabilities that are commonly identified for backend databases (which apply to the database and not to the client code accessing the database) or update the dependencies to fix vulnerabilities that do apply to the code libraries.
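One way to implement the "skip" option described in the comment above, as an added example that is not part of this repository: a dependency-check-maven suppression file that mutes a CPE match applying to a database server rather than to the JDBC client jar, wired into the plugin configuration. The mysql-connector-java coordinates, the CPE and the suppressions.xml path are illustrative assumptions; only the plugin version (1.4.5) comes from the log quoted in this thread.

```xml
<!-- pom.xml fragment: bind the check goal and point it at a suppression file -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>1.4.5</version>
  <configuration>
    <!-- assumed path, relative to the project root -->
    <suppressionFile>suppressions.xml</suppressionFile>
    <!-- fail the build on CVSS >= 7 so real findings cannot be silently ignored -->
    <failBuildOnCVSS>7</failBuildOnCVSS>
  </configuration>
  <executions>
    <execution>
      <goals><goal>check</goal></goals>
    </execution>
  </executions>
</plugin>

<!-- suppressions.xml: each <suppress> records WHY a finding is muted so it can
     be re-reviewed when dependencies change -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <notes><![CDATA[
      Illustrative assumption: the JDBC driver jar is matched to the CPE of the
      database server, so server-side CVEs are reported against the client library.
      Scoped to one artifact (gav) plus one CPE so unrelated findings stay visible.
    ]]></notes>
    <gav regex="true">^mysql:mysql-connector-java:.*$</gav>
    <cpe>cpe:/a:mysql:mysql</cpe>
  </suppress>
</suppressions>
```

Scoping each suppression to a specific artifact and CPE (rather than a bare CVE) keeps the check meaningful for every other dependency, which matters here because the thread later questions whether the scanner is analyzing anything at all.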

jgreben commented 7 years ago

Closed by(?) https://github.com/sul-dlss/ld4p-marc21-to-xml/pull/41

I had to do something to resolve the dependency vulnerabilities to fix #29 but this needs review to see if it sufficiently fixes this issue.

dazza-codes commented 7 years ago

Agreed - if the updates in #41 are now passing the security vulnerability checks introduced in #38, this issue is resolved. However, it's strange that the validate task reports there are no dependencies that it can check, see https://travis-ci.org/sul-dlss/ld4p-marc21-to-xml/builds/250855211#L2677-L2679 where it reports:

[INFO] --- dependency-check-maven:1.4.5:check (default) @ xform-marc21-to-xml ---
[INFO] No dependencies were identified that could be analyzed by dependency-check
[INFO] ------------------------------------------------------------------------

I don't have time to look into this, but I don't feel comfortable closing this issue until we understand this and ensure that the security check is working properly.

jgreben commented 7 years ago

See https://github.com/sul-dlss/ld4p-marc21-to-xml/pull/42

dazza-codes commented 7 years ago

Should be fixed by #42