
chore(deps): update dependency com.puppycrawl.tools:checkstyle to v8.29 [security] #413

Open. Wants to merge 1 commit into base: develop.

Conversation

renovate[bot]

@renovate renovate bot commented Jun 5, 2024

This PR contains the following updates:

| Package | Change |
| --- | --- |
| com.puppycrawl.tools:checkstyle (source) | 8.18 -> 8.29 |

GitHub Vulnerability Alerts

CVE-2019-10782

Due to an incomplete fix for CVE-2019-9658, checkstyle was still vulnerable to XML External Entity (XXE) Processing.

Impact

User: Build Maintainers

This vulnerability probably doesn't impact Maven/Gradle users as, in most cases, these builds are processing files that are trusted, or pre-vetted by a pull request reviewer before being run on internal CI infrastructure.

User: Static Analysis as a Service

If you operate a site/service that parses "untrusted" Checkstyle XML configuration files, you are vulnerable to this and should patch.

Note from the discoverer of the original CVE-2019-9658:

While looking at a few companies that run Checkstyle/PMD/etc. as a service I noticed that it's a common pattern to run the static code analysis tool inside of a Docker container with the following flags:

```
--net=none \
--privileged=false \
--cap-drop=ALL
```

Running the analysis in Docker has the advantage that there should be no sensitive local file information that XXE can exfiltrate from the container. Additionally, these flags prevent vulnerabilities in static analysis tools like Checkstyle from being used to exfiltrate data via XXE or to perform SSRF.
- Jonathan Leitschuh

Patches

Has the problem been patched? What versions should users upgrade to?

Patched; will be released with version 8.29 on 26 Jan 2020.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

No workarounds are available.

Release Notes

checkstyle/checkstyle (com.puppycrawl.tools:checkstyle): v8.29, v8.28, v8.27, v8.26, v8.25, v8.24, v8.23, v8.22, v8.21, v8.20, v8.19 (release note bodies collapsed).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
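The advisory above draws the line between trusted build files and a service that parses untrusted Checkstyle XML configuration, where the XXE fixed by this update matters. The following is an added example, not Checkstyle's own code and not its actual fix for CVE-2019-10782: it shows how such a service can load an untrusted, Checkstyle-style configuration with the JDK's built-in DOM parser configured so that no external entity or external DTD is ever resolved. The class name `UntrustedXmlConfigLoader`, the two modes, and the hostile sample document with its placeholder file path are all constructed for this illustration; the feature URIs are the standard Xerces ones understood by the JDK parser. The container flags quoted in the advisory are defence in depth around this; the parser configuration is the primary control.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Hardened loading of untrusted XML configuration (added example, not Checkstyle code).
 * STRICT refuses any DOCTYPE outright. LENIENT tolerates the DOCTYPE that real
 * Checkstyle configs carry (their public DTD id) but never resolves anything
 * external, so an entity declaration can neither read a local file nor reach the network.
 */
public class UntrustedXmlConfigLoader {

    // Feature URIs understood by the JDK's bundled Xerces parser.
    static final String DISALLOW_DOCTYPE   = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL   = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD  = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    enum Mode { STRICT, LENIENT }

    static DocumentBuilder newBuilder(Mode mode) throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature(DISALLOW_DOCTYPE, mode == Mode.STRICT);
        f.setFeature(EXTERNAL_GENERAL, false);   // never fetch external general entities
        f.setFeature(EXTERNAL_PARAMETER, false); // never fetch external parameter entities
        f.setFeature(LOAD_EXTERNAL_DTD, false);  // never fetch the external DTD subset
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        // Belt and braces: if the parser still asks for an external resource
        // (e.g. the Checkstyle DTD by public id), hand back an empty document
        // rather than touching disk or network.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b;
    }

    /** Returns true if the document parsed, false if the parser rejected it. */
    static boolean tryParse(Mode mode, String xml) throws Exception {
        try {
            Document doc = newBuilder(mode).parse(new InputSource(new StringReader(xml)));
            System.out.println(mode + ": parsed, root element <"
                    + doc.getDocumentElement().getTagName() + ">");
            return true;
        } catch (SAXParseException e) {
            System.out.println(mode + ": rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a Checkstyle-style config whose internal DTD subset
        // declares an external entity. The system id is a placeholder, not a real file.
        String hostile = String.join("\n",
            "<?xml version=\"1.0\"?>",
            "<!DOCTYPE module [",
            "  <!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">",
            "]>",
            "<module name=\"Checker\">",
            "  <property name=\"charset\" value=\"UTF-8\"/>",
            "  &ext;",
            "</module>");

        // STRICT: the DOCTYPE itself is refused, so the entity is never even declared.
        tryParse(Mode.STRICT, hostile);

        // LENIENT: the document parses, but the external entity is skipped, not
        // resolved; no file is read and no request is made.
        tryParse(Mode.LENIENT, hostile);
    }
}
```

Use STRICT wherever the input format does not need a DOCTYPE at all. Checkstyle configuration files normally declare one, so a service that must accept them uses the LENIENT settings and, if it wants validation, serves the known DTD from a bundled copy inside the `EntityResolver` keyed on the public id instead of letting the parser follow the system id.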

@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch 3 times, most recently from 6824091 to 2c77e87 Compare June 12, 2024 13:22
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch 2 times, most recently from edc50b1 to 16ba750 Compare July 11, 2024 09:33
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 16ba750 to f26c099 Compare August 28, 2024 12:57
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch 16 times, most recently from e99e166 to dae2158 Compare September 3, 2024 06:14
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch 5 times, most recently from 29402b4 to 5811a2f Compare October 29, 2024 13:11
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch 8 times, most recently from f6df041 to bdc224c Compare November 1, 2024 10:37
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch 2 times, most recently from 4a5a52d to 6ccfb2f Compare November 12, 2024 15:17
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 6ccfb2f to 5e9c376 Compare November 12, 2024 15:32