scala-compiler contains jQuery below 3.5.0 which has XSS vulnerabilities #11974

@hjmeijer

reproduction steps

Create a minimal project using scala-compiler and add the sbt-dependency-check plugin:

cat <<EOF > build.sbt
scalaVersion := "2.13.2"
libraryDependencies +=  "org.scala-lang" % "scala-compiler" % "2.13.2"
dependencyCheckAssemblyAnalyzerEnabled := Some(false)
EOF
mkdir project
cat <<EOF > project/plugins.sbt
addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % "2.0.0")
EOF

Run the plugin:

$ sbt dependencyCheck 
[info] Loading global plugins from /home/hj/.sbt/1.0/plugins
[info] Loading settings from plugins.sbt ...
[info] Loading project definition from /tmp/someproject/project
[info] Loading settings from build.sbt ...
[info] Set current project to someproject (in build file:/tmp/someproject/)
[info] Applying project settings to DependencyCheck settings
[info] Running check for someproject
[info] Adding compile dependencies to check.
[info] 	scala-compiler-2.13.2.jar
[info] 	scala-library-2.13.2.jar
[info] 	scala-reflect-2.13.2.jar
[info] 	jline-3.14.1.jar
[info] 	jna-5.3.1.jar
[info] Adding runtime dependencies to check.
[info] 	scala-compiler-2.13.2.jar
[info] 	scala-library-2.13.2.jar
[info] 	scala-reflect-2.13.2.jar
[info] 	jline-3.14.1.jar
[info] 	jna-5.3.1.jar
00:00  INFO: Vulnerability found: jquery below 3.5.0
00:00  INFO: Vulnerability found: jquery below 3.5.0
[success] Total time: 8 s, completed May 4, 2020 9:47:04 AM

problem

Dependencycheck reports (in target/scala-2.13/dependency-check-report.html) indicate vulnerabilities in jquery below 3.5.0:

Regex in its jQuery.htmlPrefilter sometimes may introduce XSS (RETIREJS)
Severity: medium
info - https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

expectation

No vulnerabilities in scala-compiler.
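Dependency-check flags the jar as a whole; to see which entry inside it actually carries the old jQuery, the added script below (not part of the issue or of the Scala project) opens a jar as a zip, scans every .js entry for jQuery's version banner and reports copies older than 3.5.0. The sample jar it scans is constructed in memory; the entry paths in it are made up and do not reflect where scala-compiler stores its copy.

```python
import io
import re
import zipfile

# The jQuery release that fixed the htmlPrefilter regex issue cited in the report.
FIXED_VERSION = (3, 5, 0)

# jQuery's banner: "/*! jQuery v3.4.1 | ..." (minified) or
# " * jQuery JavaScript Library v3.4.1" (unminified source).
_BANNER = re.compile(rb"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)")


def find_bundled_jquery(jar_bytes):
    """Return [(entry_name, (major, minor, patch))] for every jQuery copy in a jar.

    Every .js entry is inspected, since the library may be renamed or placed
    under an arbitrary resource path inside the archive.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.filename.lower().endswith(".js"):
                continue
            # The banner sits near the top of the file; a bounded prefix is enough.
            head = jar.open(info).read(2048)
            m = _BANNER.search(head)
            if m:
                found.append((info.filename, tuple(int(g) for g in m.groups())))
    return found


def vulnerable_copies(jar_bytes, fixed=FIXED_VERSION):
    """Entries whose jQuery version is older than the fixed release."""
    return [(name, ver) for name, ver in find_bundled_jquery(jar_bytes) if ver < fixed]


def build_sample_jar():
    """Constructed jar: one pre-3.5.0 jQuery, one patched copy, one unrelated entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("lib/jquery.min.js", "/*! jQuery v3.4.1 | (c) JS Foundation | jquery.org/license */")
        jar.writestr("doc/js/jquery.js", " * jQuery JavaScript Library v3.5.1\n")
        jar.writestr("scala/Foo.class", "not javascript")
    return buf.getvalue()


if __name__ == "__main__":
    # For a real artifact: vulnerable_copies(open("scala-compiler-2.13.2.jar", "rb").read())
    for name, ver in vulnerable_copies(build_sample_jar()):
        print(f"{name}: jQuery {'.'.join(map(str, ver))} < 3.5.0")
```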
