danfickle / openhtmltopdf

An HTML to PDF library for the JVM. Based on Flying Saucer and Apache PDF-BOX 2. With SVG image support. Now also with accessible PDF support (WCAG, Section 508, PDF/UA)!

Home Page: https://danfickle.github.io/pdf-templates/index.html


jsoup:0.0.1.rc19: CVE-2015-6748

kewilson opened this issue · comments

From owasp.dependencycheck gradle plugin:
https://www.owasp.org/index.php/OWASP_Dependency_Check

openhtmltopdf-jsoup-dom-converter-0.0.1-RC19.jar:
ids:(com.openhtmltopdf:openhtmltopdf-jsoup-dom-converter:0.0.1-RC19, cpe:/a:jsoup:

guava-20.0.jar:
ids:(com.google.guava:guava:20.0, cpe:/a:google:guava:20.0) : CVE-2018-10237

Hi @kewilson,

Thanks for the report. However, I couldn’t find any evidence that jsoup depends on guava either now or in the past. At version 1.9.1 it had no non-test dependencies and still doesn’t. Do you have any more details?

Additionally, since this is a one-file module with very few users, I was thinking of deleting it and instead posting it as a code sample on the wiki. What do you think?

Hi @danfickle, apologies for the delayed response. If you believe providing that functionality in some other way is best, that's your call. I'll try to track down the entry point of guava into the report; I found that odd myself.

OK, I've marked the module deprecated (for removal) and changed the integration guide to use JSoup's W3CDom helper class (which does the same thing) instead. I'll do one more release with the module (with the latest JSoup) before removing it, as I wouldn't like to leave the last listed version of a module having a possible security issue.
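The W3CDom-based integration the maintainer refers to, as an added example (not code from this issue or from the project's own integration guide); it assumes jsoup's org.jsoup.helper.W3CDom and openhtmltopdf's PdfRendererBuilder.withW3cDocument are available in the versions you declare:

```java
import java.io.FileOutputStream;
import java.io.OutputStream;

import org.jsoup.Jsoup;
import org.jsoup.helper.W3CDom;

import com.openhtmltopdf.pdfboxout.PdfRendererBuilder;

public class JsoupToPdf {

    /**
     * Parse (possibly malformed) HTML with jsoup and convert it to a W3C DOM
     * using the W3CDom helper that ships inside jsoup itself, so the only
     * jsoup artifact on the classpath is the one declared in the build file
     * and reported on by dependency-check.
     */
    public static org.w3c.dom.Document toW3cDocument(String html, String baseUri) {
        org.jsoup.nodes.Document jsoupDoc = Jsoup.parse(html, baseUri);
        return new W3CDom().fromJsoup(jsoupDoc);
    }

    /** Hand the W3C DOM straight to openhtmltopdf; no converter module needed. */
    public static void render(String html, String baseUri, OutputStream out) throws Exception {
        PdfRendererBuilder builder = new PdfRendererBuilder();
        builder.withW3cDocument(toW3cDocument(html, baseUri), baseUri);
        builder.toStream(out);
        builder.run();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: unbalanced markup that a strict XML parser would reject
        // but that jsoup's HTML5 parser repairs into a well-formed tree.
        String html = "<html><body><h1>Report<p>Generated via <b>jsoup</p></body>";
        try (OutputStream out = new FileOutputStream("report.pdf")) {
            render(html, "file:///tmp/", out);
        }
    }
}
```

With the converter module gone, pinning the jsoup version explicitly in the build file is what lets a finding such as CVE-2015-6748 be attributed to, and fixed by upgrading, a single artifact.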