HIGH Security Vulnerability in hapi-fhir-test-utilities #3885
Comments
Heya! Greatly appreciate the report. The test utilities are test-scoped, and not shipped in production code. Since there seems to be no remediation immediately available, do you have any recommendations? Do you think it would be safe to just remove the dependency?
Someone should look at hapi-fhir-server-openapi because the test utilities are not scoped to test only. That's how we stumbled onto this issue. I'll add a new issue to resolve this. The scanning tool we use apparently does not make distinctions between "test" and "production" dependencies, so we cannot make use of the test utilities package in our project. Since the test utilities package has a dependency on HtmlUnit and HtmlUnit has a dependency on Xalan, the only thing I can think of is to find an alternative to HtmlUnit that does not contain a dependency on Xalan. I'm not familiar with these tools, but a quick Google search (htmlunit alternative java) identified https://github.com/dhamaniasad/HeadlessBrowsers with numerous suggestions.
Whoops! That is definitely an oversight, that should be a test scoped dep for sure.
I'll submit a patch to fix this for 6.1.0
> On Mon, Aug 8, 2022, 7:30 AM James Agnew wrote:
> Whoops! That is definitely an oversight, that should be a test scoped dep for sure.
FWIW I'd say let's just fix the scoping and that should be sufficient. We don't do any XSLT processing as a part of our build/test process so there is no risk of this being exploitable with that scope.
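The scope fix the comments above settle on, shown as an added example that is not code from the hapi-fhir project: a pom.xml fragment with the dependency declared at Maven's default compile scope (the state the reporter found in hapi-fhir-server-openapi, where xalan:xalan reaches consumers transitively) beside the corrected declaration, which is test-scoped and additionally excludes xalan:xalan for scanners that do not distinguish test from compile scope. The groupId ca.uhn.hapi.fhir, the artifactId htmlunit mentioned in the comments, and the use of ${project.version} are assumptions, not taken from the issue.

```xml
<!-- Added example, not from the hapi-fhir project. Coordinates are assumed. -->

<!-- BEFORE: no <scope> element, so Maven defaults to compile. The test
     utilities, HtmlUnit and (transitively) xalan:xalan all land on the
     consumer's compile classpath and are propagated to anything that
     depends on this artifact. -->
<dependency>
  <groupId>ca.uhn.hapi.fhir</groupId>
  <artifactId>hapi-fhir-test-utilities</artifactId>
  <version>${project.version}</version>
</dependency>

<!-- AFTER: test scope keeps the whole subtree off the compile and runtime
     classpaths, and test-scoped dependencies are not transitive, so
     consumers never see it. The exclusion is belt-and-braces for scanners
     that ignore scope: xalan:xalan is then not resolved at all, which is
     safe as long as no test relies on XSLT through HtmlUnit (the
     maintainers state above that the build does no XSLT processing). -->
<dependency>
  <groupId>ca.uhn.hapi.fhir</groupId>
  <artifactId>hapi-fhir-test-utilities</artifactId>
  <version>${project.version}</version>
  <scope>test</scope>
  <exclusions>
    <exclusion>
      <groupId>xalan</groupId>
      <artifactId>xalan</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

To check the effect, run `mvn dependency:tree -Dincludes=xalan:xalan` in the consuming module: with the first declaration the tree should show xalan:xalan under hapi-fhir-test-utilities at compile scope; with the second it should not appear at all, or only at test scope if the exclusion is dropped. Note that the exclusion removes the artifact from the test classpath too, so any test that loads HtmlUnit's XSLT support would need to be checked.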
This is fixed by #4306 if someone could review. |
Having a peek now. Looks like I... did not fix this for 6.1.0 🤦🏻
hapi-fhir-test-utilities has a dependency on net.sourceforge.htmlunit, which has a dependency on xalan:xalan. xalan:xalan:2.7.2 has a HIGH security vulnerability and was last updated on July 24, 2014. See the results from a WHITESOURCE security scan: