Dependency org.jsoup:jsoup, leading to CVE problem #118
Description
Hi, In /spring-boot-webmagic/webmagic-spring-boot-autoconfigure,there is a dependency org.jsoup:jsoup:1.13.1 that calls the risk method.
The scope of this CVE affected version is [,1.15.3)
After further analysis, in this project, the main Api called is org.jsoup.internal.StringUtil: resolve(java.lang.String,java.lang.String)Ljava.lang.String;
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 10
in.hocg.boot.webmagic.autoconfiguration.processor.baidu.BaiduHotPageProcessor: process(us.codecraft.webmagic.Page)V /download/apache-maven-3.6.3/repository_mount/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar
us.codecraft.webmagic.selector.HtmlNode: xpath(java.lang.String)Lus.codecraft.webmagic.selector.Selectable; /download/apache-maven-3.6.3/repository_mount/org/ow2/asm/asm/5.0.4/asm-5.0.4.jar
us.codecraft.webmagic.selector.HtmlNode: selectElements(us.codecraft.webmagic.selector.BaseElementSelector)Lus.codecraft.webmagic.selector.Selectable; /download/apache-maven-3.6.3/repository_mount/org/ow2/asm/asm/5.0.4/asm-5.0.4.jar
us.codecraft.webmagic.selector.XpathSelector: selectElements(org.jsoup.nodes.Element)Ljava.util.List; /download/apache-maven-3.6.3/repository_mount/org/ow2/asm/asm/5.0.4/asm-5.0.4.jar
us.codecraft.xsoup.xevaluator.DefaultXPathEvaluator: evaluate(org.jsoup.nodes.Element)Lus.codecraft.xsoup.XElements; /download/apache-maven-3.6.3/repository_mount/org/ow2/asm/asm/5.0.4/asm-5.0.4.jar
org.jsoup.select.Collector: collect(org.jsoup.select.Evaluator,org.jsoup.nodes.Element)Lorg.jsoup.select.Elements; /download/apache-maven-3.6.3/repository_mount/org/ow2/asm/asm/5.0.4/asm-5.0.4.jar
org.jsoup.select.NodeTraversor: traverse(org.jsoup.select.NodeVisitor,org.jsoup.nodes.Node)V /download/apache-maven-3.6.3/repository_mount/org/ow2/asm/asm/5.0.4/asm-5.0.4.jar
us.codecraft.xsoup.xevaluator.FormattingVisitor: tail(org.jsoup.nodes.Node,int)V /download/apache-maven-3.6.3/repository_mount/org/ow2/asm/asm/5.0.4/asm-5.0.4.jar
org.jsoup.nodes.Node: absUrl(java.lang.String)Ljava.lang.String; /download/apache-maven-3.6.3/repository_mount/org/ow2/asm/asm/5.0.4/asm-5.0.4.jar
org.jsoup.internal.StringUtil: resolve(java.lang.String,java.lang.String)Ljava.lang.String;
Dependency tree--
[INFO] in.hocg.boot:webmagic-spring-boot-autoconfigure:jar:1.0.33
[INFO] +- in.hocg.boot:mybatis-plus-extensions-webmagic-spring-boot-starter:jar:1.0.33:compile
[INFO] | \- in.hocg.boot:mybatis-plus-extensions-webmagic-autoconfigure:jar:1.0.33:compile
[INFO] | +- in.hocg.boot:mybatis-plus-extensions-context:jar:1.0.33:compile
[INFO] | | \- io.swagger:swagger-annotations:jar:1.5.20:compile
[INFO] | \- in.hocg.boot:mybatis-plus-spring-boot-starter:jar:1.0.33:compile
[INFO] | +- in.hocg.boot:validation-spring-boot-starter:jar:1.0.33:compile
[INFO] | | +- in.hocg.boot:validation-spring-boot-autoconfigure:jar:1.0.33:compile
[INFO] | | | \- in.hocg.boot:validation-core:jar:1.0.33:compile
[INFO] | | \- org.springframework.boot:spring-boot-starter-validation:jar:2.2.6.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot-starter:jar:2.2.6.RELEASE:compile
[INFO] | | | +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] | | | \- org.yaml:snakeyaml:jar:1.25:runtime
[INFO] | | +- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] | | +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.33:compile
[INFO] | | \- org.hibernate.validator:hibernate-validator:jar:6.0.18.Final:compile
[INFO] | | +- org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
[INFO] | | \- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] | +- in.hocg.boot:mybatis-plus-spring-boot-autoconfigure:jar:1.0.33:compile
[INFO] | \- com.baomidou:mybatis-plus-boot-starter:jar:3.5.1:compile
[INFO] | +- com.baomidou:mybatis-plus:jar:3.5.1:compile
[INFO] | | \- com.baomidou:mybatis-plus-extension:jar:3.5.1:compile
[INFO] | | +- com.baomidou:mybatis-plus-core:jar:3.5.1:compile
[INFO] | | | +- com.baomidou:mybatis-plus-annotation:jar:3.5.1:compile
[INFO] | | | +- com.github.jsqlparser:jsqlparser:jar:4.3:compile
[INFO] | | | \- org.mybatis:mybatis:jar:3.5.9:compile
[INFO] | | \- org.mybatis:mybatis-spring:jar:2.0.6:compile
[INFO] | \- org.springframework.boot:spring-boot-starter-jdbc:jar:2.2.6.RELEASE:compile
[INFO] | +- com.zaxxer:HikariCP:jar:3.4.2:compile
[INFO] | \- org.springframework:spring-jdbc:jar:5.2.5.RELEASE:compile
[INFO] | \- org.springframework:spring-tx:jar:5.2.5.RELEASE:compile
[INFO] +- in.hocg.boot:web-spring-boot-starter:jar:1.0.33:compile
[INFO] | \- in.hocg.boot:web-spring-boot-autoconfigure:jar:1.0.33:compile
[INFO] | \- in.hocg.boot:web-core:jar:1.0.33:compile
[INFO] +- us.codecraft:webmagic-core:jar:0.7.5:compile
[INFO] | +- org.apache.httpcomponents:httpclient:jar:4.5.12:compile
[INFO] | | +- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] | | \- commons-codec:commons-codec:jar:1.13:compile
[INFO] | +- org.apache.commons:commons-lang3:jar:3.9:compile
[INFO] | +- us.codecraft:xsoup:jar:0.3.2:compile
[INFO] | | +- org.jsoup:jsoup:jar:1.13.1:compile
[INFO] | | \- org.assertj:assertj-core:jar:3.13.2:compile
[INFO] | +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] | +- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] | +- com.jayway.jsonpath:json-path:jar:2.4.0:compile
[INFO] | | \- net.minidev:json-smart:jar:2.3:compile
[INFO] | | \- net.minidev:accessors-smart:jar:1.2:compile
[INFO] | | \- org.ow2.asm:asm:jar:5.0.4:compile
[INFO] | \- com.alibaba:fastjson:jar:1.2.75:compile
[INFO] +- us.codecraft:webmagic-extension:jar:0.7.5:compile
[INFO] | \- redis.clients:jedis:jar:3.1.0:compile
[INFO] | \- org.apache.commons:commons-pool2:jar:2.7.0:compile
[INFO] +- commons-io:commons-io:jar:2.7:compile
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.2.6.RELEASE:compile
[INFO] | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.16.0:compile
[INFO] | | \- org.apache.logging.log4j:log4j-api:jar:2.16.0:compile
[INFO] | +- org.apache.logging.log4j:log4j-core:jar:2.16.0:compile
[INFO] | +- org.apache.logging.log4j:log4j-jul:jar:2.16.0:compile
[INFO] | \- org.slf4j:jul-to-slf4j:jar:1.7.30:compile
[INFO] +- in.hocg.boot:utils-base:jar:1.0.33:compile
[INFO] | +- in.hocg.boot:utils-annotation:jar:1.0.33:compile
[INFO] | +- cn.hutool:hutool-all:jar:5.3.10:compile
[INFO] | +- com.google.guava:guava:jar:28.1-jre:compile
[INFO] | | +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] | | +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] | | +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] | | +- org.checkerframework:checker-qual:jar:2.8.1:compile
[INFO] | | +- com.google.errorprone:error_prone_annotations:jar:2.3.2:compile
[INFO] | | +- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] | | \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.18:compile
[INFO] | +- net.jodah:typetools:jar:0.6.3:compile
[INFO] | +- org.polyjdbc:polyjdbc:jar:0.7.6:compile
[INFO] | \- com.github.jsonzou:jmockdata:jar:4.3.0:compile
[INFO] +- org.springframework.boot:spring-boot-autoconfigure:jar:2.2.6.RELEASE:compile
[INFO] | \- org.springframework.boot:spring-boot:jar:2.2.6.RELEASE:compile
[INFO] | +- org.springframework:spring-core:jar:5.2.5.RELEASE:compile
[INFO] | | \- org.springframework:spring-jcl:jar:5.2.5.RELEASE:compile
[INFO] | \- org.springframework:spring-context:jar:5.2.5.RELEASE:compile
[INFO] | +- org.springframework:spring-aop:jar:5.2.5.RELEASE:compile
[INFO] | +- org.springframework:spring-beans:jar:5.2.5.RELEASE:compile
[INFO] | \- org.springframework:spring-expression:jar:5.2.5.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-configuration-processor:jar:2.2.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-autoconfigure-processor:jar:2.2.6.RELEASE:compile
[INFO] \- org.projectlombok:lombok:jar:1.18.12:compile
Suggested solutions:
Update dependency version
Thank you very much.