
CVE-2011-4838 - Version 0.2.3 #16

Open
EarthCitizen opened this issue Jun 29, 2017 · 2 comments

Comments

@EarthCitizen

Sonar picks up a vulnerability in version 0.2.3:

Filename: rubygems-0.2.3.war/META-INF/maven/org.jruby.mains/jruby-mains/pom.xml | Reference: CVE-2011-4838 | CVSS Score: 7.8 | Category: CWE-20 Improper Input Validation | JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

It seems like the current POM for 0.2.4-SNAPSHOT would fix this?

@mkristian
Member

@EarthCitizen I can cut a new release. But I am not aware that rubygems-servlets ever came bundled with a jruby-1.6.x version. So jruby-mains maybe has a dependency on jruby-1.6.x, but we overwrite this in the pom.xml for the servlets.

I can bump versions of jruby-mains as well and satisfy Sonar :) But Sonar should IMO look for the versions used by the war, not what is declared on each artifact without resolving the dependency graph altogether.

@EarthCitizen
Author

@mkristian I am not sure how the OWASP scanner determines threat dependencies. I am guessing it does not consider what actually gets resolved and just looks directly at all the POMs.
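The triage step the two comments above describe, comparing the version a nested `META-INF/maven/**/pom.xml` declares with the jar the WAR actually ships under `WEB-INF/lib`, as an added example that is not part of this issue thread or the rubygems-servlets project. The WAR layout, the `example.nested` coordinates and every version number below are constructed sample data; only direct `<dependency>` declarations are read, Maven's transitive resolution and `dependencyManagement` overrides are not reproduced.

```python
"""Compare what a WAR's nested Maven POMs declare for an artifact with the
jar version actually bundled, so a scanner finding on a nested POM (as in
this issue) can be checked against what the WAR really ships.

Added example, not code from the rubygems-servlets project. The WAR
contents built in build_sample_war() are constructed sample data."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def declared_versions(pom_xml: bytes, group: str, artifact: str) -> list:
    """Versions declared for group:artifact in a POM's <dependency> elements.
    Direct declarations only; no transitive resolution is performed."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iter(POM_NS + "dependency"):
        g = dep.findtext(POM_NS + "groupId")
        a = dep.findtext(POM_NS + "artifactId")
        v = dep.findtext(POM_NS + "version")
        if g == group and a == artifact and v:
            found.append(v)
    return found


def bundled_versions(war: zipfile.ZipFile, artifact: str) -> list:
    """Versions of jars named WEB-INF/lib/<artifact>-<version>.jar."""
    pat = re.compile(r"^WEB-INF/lib/" + re.escape(artifact) + r"-(\d[^/]*)\.jar$")
    return [m.group(1) for n in war.namelist() if (m := pat.match(n))]


def triage(war_bytes: bytes, group: str, artifact: str) -> dict:
    """Collect every nested pom.xml declaration of the artifact, the jars
    actually bundled, and the declared versions that are NOT shipped
    (the ones a POM-only scanner would flag although they never run)."""
    declared = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.xml"):
                versions = declared_versions(war.read(name), group, artifact)
                if versions:
                    declared[name] = versions
        bundled = bundled_versions(war, artifact)
    mismatched = sorted({v for vs in declared.values() for v in vs if v not in bundled})
    return {"declared": declared, "bundled": bundled, "mismatched": mismatched}


def build_sample_war() -> bytes:
    """Constructed WAR: a nested POM declares an old jruby-complete version
    while the jar actually shipped carries a different (made-up) version."""
    nested_pom = b"""<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.nested</groupId>
  <artifactId>nested-lib</artifactId>
  <version>0.0.1</version>
  <dependencies>
    <dependency>
      <groupId>org.jruby</groupId>
      <artifactId>jruby-complete</artifactId>
      <version>1.6.0</version>
    </dependency>
  </dependencies>
</project>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("META-INF/maven/example.nested/nested-lib/pom.xml", nested_pom)
        war.writestr("WEB-INF/lib/jruby-complete-1.7.99.jar", b"")  # constructed version
        war.writestr("WEB-INF/lib/other-lib-2.0.jar", b"")          # unrelated jar
    return buf.getvalue()


if __name__ == "__main__":
    report = triage(build_sample_war(), "org.jruby", "jruby-complete")
    for pom, versions in report["declared"].items():
        print(f"declared in {pom}: {versions}")
    print(f"bundled under WEB-INF/lib: {report['bundled']}")
    print(f"declared but not shipped: {report['mismatched']}")
```

Run it against a real WAR by passing the file's bytes to `triage()` with the group and artifact the scanner named; a non-empty `mismatched` list is the case the maintainer describes, where the nested POM's declaration does not match the jar that ships. An empty `mismatched` list with a declared version in the vulnerable range is the case that actually needs the dependency bumped.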
