You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@flex.apache.org by Piotr Zarzycki <pi...@gmail.com> on 2022/08/14 10:26:04 UTC
BlazeDS release
Hi All,
In this thread I will be reporting updates related to release of BlazeDS. I
looked into Chris's branch and I would like to exclude Proxy module from
upcoming release. Please let me know in this thread whether you have
anything against it.
Meanwhile I have following error on the console during build - Anyone know
what that means ?
One or more dependencies were identified with known vulnerabilities in
flex-messaging-common:
serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2,
cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2,
cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
See the dependency-check report for more details.
[*INFO*]
*------------------------------------------------------------------------*
[*INFO*] *Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:*
[*INFO*]
[*INFO*] Apache Flex - BlazeDS ..............................
*SUCCESS* [ 5.914
s]
[*INFO*] flex-messaging-archetypes ..........................
*SUCCESS* [ 1.409
s]
[*INFO*] blazeds-spring-boot-example-archetype ..............
*SUCCESS* [ 4.430
s]
[*INFO*] flex-messaging-common ..............................
*FAILURE* [ 2.155
s]
[*INFO*] flex-messaging-core ................................ *SKIPPED*
[*INFO*] flex-messaging-proxy ............................... *SKIPPED*
[*INFO*] flex-messaging-remoting ............................ *SKIPPED*
[*INFO*] flex-messaging-opt ................................. *SKIPPED*
[*INFO*] flex-messaging-opt-tomcat .......................... *SKIPPED*
[*INFO*] flex-messaging-opt-tomcat-base ..................... *SKIPPED*
[*INFO*]
*------------------------------------------------------------------------*
[*INFO*] *BUILD FAILURE*
[*INFO*]
*------------------------------------------------------------------------*
[*INFO*] Total time: 14.115 s
[*INFO*] Finished at: 2022-08-14T12:24:30+02:00
[*INFO*]
*------------------------------------------------------------------------*
[*ERROR*] Failed to execute goal
org.owasp:dependency-check-maven:7.1.0:check *(default)* on project
flex-messaging-common:
[*ERROR*]
[*ERROR*] *One or more dependencies were identified with vulnerabilities
that have a CVSS score greater than or equal to '4.0': *
[*ERROR*]
[*ERROR*] *serializer-2.7.2.jar: CVE-2022-34169(9.8)*
[*ERROR*] *xalan-2.7.2.jar: CVE-2022-34169(9.8)*
[*ERROR*]
[*ERROR*] *See the dependency-check report for more details.*
Thanks,
--
Piotr Zarzycki
Re: [EXTERNAL] BlazeDS release
Posted by Piotr Zarzycki <pi...@gmail.com>.
Hi Spiros,
Thanks! I will look into that soon.
pon., 5 wrz 2022 o 10:58 spiros <ag...@novusnet.gr> napisał(a):
> Hi ,
> This library used by 4 classes ( only the org.apache.xpath.CachedXPathAPI);
>
> 1. flex.messaging.config.ApacheXPathClientConfigurationParser.java
> (common).
> 2. flex.messaging.config.ApacheXPathServerConfigurationParser.java (core).
> 3. flex.messaging.io.amf.MessageGenerator.java (core-test)
> 4. flex.messaging.io.amfx.DeserializationConfirmation.java (core-test)
>
>
>
> The 1 and 2 classes add support to xml for java JRE 1.4 you can see the:
> flex.messaging.config.ServicesDependencies.java (common) line 219 -236
> function static ConfigurationParser getConfigurationParser(String
> className) for first.
> And
> flex.messaging.config.FlexConfigurationManager.java (core) line 105-118
> function private ConfigurationParser getConfigurationParser(ServletConfig
> servletConfig)
>
> for the classes 3 and 4 (test) :
> the class flex.messaging.config.XPathServerConfigurationParser.java
> (common) is a guide to modify the code
>
> My suggestion :
> -Remove support for JRE 1.4 -too old
> -delete classes 1,2
> -modify classes 3,4 ,
> Optionally modify classes :flex.messaging.config.ServicesDependencies.java
> and flex.messaging.config.FlexConfigurationManager.java
>
>
>
> Spiros
>
>
>
>
> -----Original Message-----
> From: Piotr Zarzycki [mailto:piotrzarzycki21@gmail.com]
> Sent: Tuesday, August 30, 2022 9:57 AM
> To: dev@flex.apache.org
> Subject: Re: [EXTERNAL] BlazeDS release
>
> Maybe there is some replacement for both of that ? What do you think ?
>
> pt., 26 sie 2022 o 12:53 Piotr Zarzycki <pi...@gmail.com>
> napisał(a):
>
> > Hi guys,
> >
> > Unfortunately both version of these plugins doesn't have newer versions.
> > The latest one are serializer-2.7.2and xalan-2.7.2 and we are using it.
> > Any suggestions?
> >
> > Thanks,
> > Piotr
> >
> > pon., 22 sie 2022 o 10:44 Piotr Zarzycki <pi...@gmail.com>
> > napisał(a):
> >
> >> Hi Chris and All,
> >>
> >> I will try to upgrade dependencies myself this week. I will let you know
> >> here how it goes.
> >>
> >> Thanks,
> >> Piotr
> >>
> >> wt., 16 sie 2022 o 14:46 Christofer Dutz <ch...@c-ware.de>
> >> napisał(a):
> >>
> >>> Well …
> >>>
> >>> you might not, but a malicious attacker might.
> >>> I think the last few releases of BlazeDS, that I did in the past were
> >>> reacting to CVEs reported in the XML processing part of BlazeDS. Here,
> for
> >>> example, a malicious attacker could embed xml using xml-entities that
> >>> referenced protected resources on the server and the BlazeDS server
> just
> >>> resolved them exposing this protected information.
> >>>
> >>> However, I think I remember I turned off the xml processing of external
> >>> resources per default. I probably this problem would not apply in very
> many
> >>> cases.
> >>>
> >>> However, this seems to be a pretty new vulnerability, as I wasn’t
> >>> getting it when I started the branch. So, I would advise to look, if a
> >>> newer version is available and simply switch to that. If you need help
> with
> >>> that … give me a ping. Should be a matter of 5 minutes.
> >>>
> >>> Chris
> >>>
> >>>
> >>> From: Tom Chiverton <tc...@extravision.com>
> >>> Date: Tuesday, 16 August 2022 at 12:20
> >>> To: dev@flex.apache.org <de...@flex.apache.org>, Brian Raymes <
> >>> brian.raymes@teotech.com>
> >>> Subject: Re: [EXTERNAL] BlazeDS release
> >>> The issue there is when processing malicious XSLT.
> >>>
> >>> We don't pass untrusted XSLT to it ?
> >>>
> >>> Tom
> >>>
> >>> On 15/08/2022 22:36, Brian Raymes wrote:
> >>> > Seems like those dependencies need to be replaced due to
> >>> vulnerabilities, as the Apache Xalan project has been retired:
> >>> >
> >>> > https://github.com/advisories/GHSA-9339-86wc-4qgf
> >>> >
> >>> >
> >>> >
> >>> > -----Original Message-----
> >>> > From: Piotr Zarzycki <pi...@gmail.com>
> >>> > Sent: Sunday, August 14, 2022 3:26 AM
> >>> > To: dev@flex.apache.org
> >>> > Subject: [EXTERNAL] BlazeDS release
> >>> >
> >>> > Hi All,
> >>> >
> >>> > In this thread I will be reporting updates related to release of
> >>> BlazeDS. I looked into Chris's branch and I would like to exclude Proxy
> >>> module from upcoming release. Please let me know in this thread
> whether you
> >>> have anything against it.
> >>> >
> >>> > Meanwhile I have following error on the console during build - Anyone
> >>> know what that means ?
> >>> >
> >>> > One or more dependencies were identified with known vulnerabilities
> in
> >>> > flex-messaging-common:
> >>> >
> >>> >
> >>> > serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2,
> >>> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
> >>> >
> >>> > xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2,
> >>> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
> >>> >
> >>> >
> >>> >
> >>> > See the dependency-check report for more details.
> >>> >
> >>> >
> >>> >
> >>> > [*INFO*]
> >>> >
> >>>
> *------------------------------------------------------------------------*
> >>> >
> >>> > [*INFO*] *Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:*
> >>> >
> >>> > [*INFO*]
> >>> >
> >>> > [*INFO*] Apache Flex - BlazeDS ..............................
> >>> > *SUCCESS* [ 5.914
> >>> > s]
> >>> >
> >>> > [*INFO*] flex-messaging-archetypes ..........................
> >>> > *SUCCESS* [ 1.409
> >>> > s]
> >>> >
> >>> > [*INFO*] blazeds-spring-boot-example-archetype ..............
> >>> > *SUCCESS* [ 4.430
> >>> > s]
> >>> >
> >>> > [*INFO*] flex-messaging-common ..............................
> >>> > *FAILURE* [ 2.155
> >>> > s]
> >>> >
> >>> > [*INFO*] flex-messaging-core ................................
> *SKIPPED*
> >>> >
> >>> > [*INFO*] flex-messaging-proxy ...............................
> *SKIPPED*
> >>> >
> >>> > [*INFO*] flex-messaging-remoting ............................
> *SKIPPED*
> >>> >
> >>> > [*INFO*] flex-messaging-opt .................................
> *SKIPPED*
> >>> >
> >>> > [*INFO*] flex-messaging-opt-tomcat ..........................
> *SKIPPED*
> >>> >
> >>> > [*INFO*] flex-messaging-opt-tomcat-base .....................
> *SKIPPED*
> >>> >
> >>> > [*INFO*]
> >>> >
> >>>
> *------------------------------------------------------------------------*
> >>> >
> >>> > [*INFO*] *BUILD FAILURE*
> >>> >
> >>> > [*INFO*]
> >>> >
> >>>
> *------------------------------------------------------------------------*
> >>> >
> >>> > [*INFO*] Total time: 14.115 s
> >>> >
> >>> > [*INFO*] Finished at: 2022-08-14T12:24:30+02:00
> >>> >
> >>> > [*INFO*]
> >>> >
> >>>
> *------------------------------------------------------------------------*
> >>> >
> >>> > [*ERROR*] Failed to execute goal
> >>> > org.owasp:dependency-check-maven:7.1.0:check *(default)* on project
> >>> > flex-messaging-common:
> >>> >
> >>> > [*ERROR*]
> >>> >
> >>> > [*ERROR*] *One or more dependencies were identified with
> >>> vulnerabilities that have a CVSS score greater than or equal to '4.0':
> *
> >>> >
> >>> > [*ERROR*]
> >>> >
> >>> > [*ERROR*] *serializer-2.7.2.jar: CVE-2022-34169(9.8)*
> >>> >
> >>> > [*ERROR*] *xalan-2.7.2.jar: CVE-2022-34169(9.8)*
> >>> >
> >>> > [*ERROR*]
> >>> >
> >>> > [*ERROR*] *See the dependency-check report for more details.*
> >>> >
> >>> > Thanks,
> >>>
> >>> ______________________________________________________________________
> >>> This email has been scanned by the Symantec Email Security.cloud
> service.
> >>> For more information please visit http://www.symanteccloud.com
> >>> ______________________________________________________________________
> >>>
> >>
> >>
> >> --
> >>
> >> Piotr Zarzycki
> >>
> >
> >
> > --
> >
> > Piotr Zarzycki
> >
>
>
> --
>
> Piotr Zarzycki
>
>
--
Piotr Zarzycki
--
Piotr Zarzycki
RE: [EXTERNAL] BlazeDS release
Posted by spiros <ag...@novusnet.gr>.
Hi ,
This library used by 4 classes ( only the org.apache.xpath.CachedXPathAPI);
1. flex.messaging.config.ApacheXPathClientConfigurationParser.java (common).
2. flex.messaging.config.ApacheXPathServerConfigurationParser.java (core).
3. flex.messaging.io.amf.MessageGenerator.java (core-test)
4. flex.messaging.io.amfx.DeserializationConfirmation.java (core-test)
The 1 and 2 classes add support to xml for java JRE 1.4 you can see the:
flex.messaging.config.ServicesDependencies.java (common) line 219 -236 function static ConfigurationParser getConfigurationParser(String className) for first.
And
flex.messaging.config.FlexConfigurationManager.java (core) line 105-118 function private ConfigurationParser getConfigurationParser(ServletConfig servletConfig)
for the classes 3 and 4 (test) :
the class flex.messaging.config.XPathServerConfigurationParser.java (common) is a guide to modify the code
My suggestion :
-Remove support for JRE 1.4 -too old
-delete classes 1,2
-modify classes 3,4 ,
Optionally modify classes :flex.messaging.config.ServicesDependencies.java and flex.messaging.config.FlexConfigurationManager.java
Spiros
-----Original Message-----
From: Piotr Zarzycki [mailto:piotrzarzycki21@gmail.com]
Sent: Tuesday, August 30, 2022 9:57 AM
To: dev@flex.apache.org
Subject: Re: [EXTERNAL] BlazeDS release
Maybe there is some replacement for both of that ? What do you think ?
pt., 26 sie 2022 o 12:53 Piotr Zarzycki <pi...@gmail.com>
napisał(a):
> Hi guys,
>
> Unfortunately both version of these plugins doesn't have newer versions.
> The latest one are serializer-2.7.2and xalan-2.7.2 and we are using it.
> Any suggestions?
>
> Thanks,
> Piotr
>
> pon., 22 sie 2022 o 10:44 Piotr Zarzycki <pi...@gmail.com>
> napisał(a):
>
>> Hi Chris and All,
>>
>> I will try to upgrade dependencies myself this week. I will let you know
>> here how it goes.
>>
>> Thanks,
>> Piotr
>>
>> wt., 16 sie 2022 o 14:46 Christofer Dutz <ch...@c-ware.de>
>> napisał(a):
>>
>>> Well …
>>>
>>> you might not, but a malicious attacker might.
>>> I think the last few releases of BlazeDS, that I did in the past were
>>> reacting to CVEs reported in the XML processing part of BlazeDS. Here, for
>>> example, a malicious attacker could embed xml using xml-entities that
>>> referenced protected resources on the server and the BlazeDS server just
>>> resolved them exposing this protected information.
>>>
>>> However, I think I remember I turned off the xml processing of external
>>> resources per default. I probably this problem would not apply in very many
>>> cases.
>>>
>>> However, this seems to be a pretty new vulnerability, as I wasn’t
>>> getting it when I started the branch. So, I would advise to look, if a
>>> newer version is available and simply switch to that. If you need help with
>>> that … give me a ping. Should be a matter of 5 minutes.
>>>
>>> Chris
>>>
>>>
>>> From: Tom Chiverton <tc...@extravision.com>
>>> Date: Tuesday, 16 August 2022 at 12:20
>>> To: dev@flex.apache.org <de...@flex.apache.org>, Brian Raymes <
>>> brian.raymes@teotech.com>
>>> Subject: Re: [EXTERNAL] BlazeDS release
>>> The issue there is when processing malicious XSLT.
>>>
>>> We don't pass untrusted XSLT to it ?
>>>
>>> Tom
>>>
>>> On 15/08/2022 22:36, Brian Raymes wrote:
>>> > Seems like those dependencies need to be replaced due to
>>> vulnerabilities, as the Apache Xalan project has been retired:
>>> >
>>> > https://github.com/advisories/GHSA-9339-86wc-4qgf
>>> >
>>> >
>>> >
>>> > -----Original Message-----
>>> > From: Piotr Zarzycki <pi...@gmail.com>
>>> > Sent: Sunday, August 14, 2022 3:26 AM
>>> > To: dev@flex.apache.org
>>> > Subject: [EXTERNAL] BlazeDS release
>>> >
>>> > Hi All,
>>> >
>>> > In this thread I will be reporting updates related to release of
>>> BlazeDS. I looked into Chris's branch and I would like to exclude Proxy
>>> module from upcoming release. Please let me know in this thread whether you
>>> have anything against it.
>>> >
>>> > Meanwhile I have following error on the console during build - Anyone
>>> know what that means ?
>>> >
>>> > One or more dependencies were identified with known vulnerabilities in
>>> > flex-messaging-common:
>>> >
>>> >
>>> > serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2,
>>> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>>> >
>>> > xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2,
>>> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>>> >
>>> >
>>> >
>>> > See the dependency-check report for more details.
>>> >
>>> >
>>> >
>>> > [*INFO*]
>>> >
>>> *------------------------------------------------------------------------*
>>> >
>>> > [*INFO*] *Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:*
>>> >
>>> > [*INFO*]
>>> >
>>> > [*INFO*] Apache Flex - BlazeDS ..............................
>>> > *SUCCESS* [ 5.914
>>> > s]
>>> >
>>> > [*INFO*] flex-messaging-archetypes ..........................
>>> > *SUCCESS* [ 1.409
>>> > s]
>>> >
>>> > [*INFO*] blazeds-spring-boot-example-archetype ..............
>>> > *SUCCESS* [ 4.430
>>> > s]
>>> >
>>> > [*INFO*] flex-messaging-common ..............................
>>> > *FAILURE* [ 2.155
>>> > s]
>>> >
>>> > [*INFO*] flex-messaging-core ................................ *SKIPPED*
>>> >
>>> > [*INFO*] flex-messaging-proxy ............................... *SKIPPED*
>>> >
>>> > [*INFO*] flex-messaging-remoting ............................ *SKIPPED*
>>> >
>>> > [*INFO*] flex-messaging-opt ................................. *SKIPPED*
>>> >
>>> > [*INFO*] flex-messaging-opt-tomcat .......................... *SKIPPED*
>>> >
>>> > [*INFO*] flex-messaging-opt-tomcat-base ..................... *SKIPPED*
>>> >
>>> > [*INFO*]
>>> >
>>> *------------------------------------------------------------------------*
>>> >
>>> > [*INFO*] *BUILD FAILURE*
>>> >
>>> > [*INFO*]
>>> >
>>> *------------------------------------------------------------------------*
>>> >
>>> > [*INFO*] Total time: 14.115 s
>>> >
>>> > [*INFO*] Finished at: 2022-08-14T12:24:30+02:00
>>> >
>>> > [*INFO*]
>>> >
>>> *------------------------------------------------------------------------*
>>> >
>>> > [*ERROR*] Failed to execute goal
>>> > org.owasp:dependency-check-maven:7.1.0:check *(default)* on project
>>> > flex-messaging-common:
>>> >
>>> > [*ERROR*]
>>> >
>>> > [*ERROR*] *One or more dependencies were identified with
>>> vulnerabilities that have a CVSS score greater than or equal to '4.0': *
>>> >
>>> > [*ERROR*]
>>> >
>>> > [*ERROR*] *serializer-2.7.2.jar: CVE-2022-34169(9.8)*
>>> >
>>> > [*ERROR*] *xalan-2.7.2.jar: CVE-2022-34169(9.8)*
>>> >
>>> > [*ERROR*]
>>> >
>>> > [*ERROR*] *See the dependency-check report for more details.*
>>> >
>>> > Thanks,
>>>
>>> ______________________________________________________________________
>>> This email has been scanned by the Symantec Email Security.cloud service.
>>> For more information please visit http://www.symanteccloud.com
>>> ______________________________________________________________________
>>>
>>
>>
>> --
>>
>> Piotr Zarzycki
>>
>
>
> --
>
> Piotr Zarzycki
>
--
Piotr Zarzycki
Re: [EXTERNAL] BlazeDS release
Posted by Piotr Zarzycki <pi...@gmail.com>.
Maybe there is some replacement for both of that ? What do you think ?
pt., 26 sie 2022 o 12:53 Piotr Zarzycki <pi...@gmail.com>
napisał(a):
> Hi guys,
>
> Unfortunately both version of these plugins doesn't have newer versions.
> The latest one are serializer-2.7.2and xalan-2.7.2 and we are using it.
> Any suggestions?
>
> Thanks,
> Piotr
>
> pon., 22 sie 2022 o 10:44 Piotr Zarzycki <pi...@gmail.com>
> napisał(a):
>
>> Hi Chris and All,
>>
>> I will try to upgrade dependencies myself this week. I will let you know
>> here how it goes.
>>
>> Thanks,
>> Piotr
>>
>> wt., 16 sie 2022 o 14:46 Christofer Dutz <ch...@c-ware.de>
>> napisał(a):
>>
>>> Well …
>>>
>>> you might not, but a malicious attacker might.
>>> I think the last few releases of BlazeDS, that I did in the past were
>>> reacting to CVEs reported in the XML processing part of BlazeDS. Here, for
>>> example, a malicious attacker could embed xml using xml-entities that
>>> referenced protected resources on the server and the BlazeDS server just
>>> resolved them exposing this protected information.
>>>
>>> However, I think I remember I turned off the xml processing of external
>>> resources per default. I probably this problem would not apply in very many
>>> cases.
>>>
>>> However, this seems to be a pretty new vulnerability, as I wasn’t
>>> getting it when I started the branch. So, I would advise to look, if a
>>> newer version is available and simply switch to that. If you need help with
>>> that … give me a ping. Should be a matter of 5 minutes.
>>>
>>> Chris
>>>
>>>
>>> From: Tom Chiverton <tc...@extravision.com>
>>> Date: Tuesday, 16 August 2022 at 12:20
>>> To: dev@flex.apache.org <de...@flex.apache.org>, Brian Raymes <
>>> brian.raymes@teotech.com>
>>> Subject: Re: [EXTERNAL] BlazeDS release
>>> The issue there is when processing malicious XSLT.
>>>
>>> We don't pass untrusted XSLT to it ?
>>>
>>> Tom
>>>
>>> On 15/08/2022 22:36, Brian Raymes wrote:
>>> > Seems like those dependencies need to be replaced due to
>>> vulnerabilities, as the Apache Xalan project has been retired:
>>> >
>>> > https://github.com/advisories/GHSA-9339-86wc-4qgf
>>> >
>>> >
>>> >
>>> > -----Original Message-----
>>> > From: Piotr Zarzycki <pi...@gmail.com>
>>> > Sent: Sunday, August 14, 2022 3:26 AM
>>> > To: dev@flex.apache.org
>>> > Subject: [EXTERNAL] BlazeDS release
>>> >
>>> > Hi All,
>>> >
>>> > In this thread I will be reporting updates related to release of
>>> BlazeDS. I looked into Chris's branch and I would like to exclude Proxy
>>> module from upcoming release. Please let me know in this thread whether you
>>> have anything against it.
>>> >
>>> > Meanwhile I have following error on the console during build - Anyone
>>> know what that means ?
>>> >
>>> > One or more dependencies were identified with known vulnerabilities in
>>> > flex-messaging-common:
>>> >
>>> >
>>> > serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2,
>>> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>>> >
>>> > xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2,
>>> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>>> >
>>> >
>>> >
>>> > See the dependency-check report for more details.
>>> >
>>> >
>>> >
>>> > [*INFO*]
>>> >
>>> *------------------------------------------------------------------------*
>>> >
>>> > [*INFO*] *Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:*
>>> >
>>> > [*INFO*]
>>> >
>>> > [*INFO*] Apache Flex - BlazeDS ..............................
>>> > *SUCCESS* [ 5.914
>>> > s]
>>> >
>>> > [*INFO*] flex-messaging-archetypes ..........................
>>> > *SUCCESS* [ 1.409
>>> > s]
>>> >
>>> > [*INFO*] blazeds-spring-boot-example-archetype ..............
>>> > *SUCCESS* [ 4.430
>>> > s]
>>> >
>>> > [*INFO*] flex-messaging-common ..............................
>>> > *FAILURE* [ 2.155
>>> > s]
>>> >
>>> > [*INFO*] flex-messaging-core ................................ *SKIPPED*
>>> >
>>> > [*INFO*] flex-messaging-proxy ............................... *SKIPPED*
>>> >
>>> > [*INFO*] flex-messaging-remoting ............................ *SKIPPED*
>>> >
>>> > [*INFO*] flex-messaging-opt ................................. *SKIPPED*
>>> >
>>> > [*INFO*] flex-messaging-opt-tomcat .......................... *SKIPPED*
>>> >
>>> > [*INFO*] flex-messaging-opt-tomcat-base ..................... *SKIPPED*
>>> >
>>> > [*INFO*]
>>> >
>>> *------------------------------------------------------------------------*
>>> >
>>> > [*INFO*] *BUILD FAILURE*
>>> >
>>> > [*INFO*]
>>> >
>>> *------------------------------------------------------------------------*
>>> >
>>> > [*INFO*] Total time: 14.115 s
>>> >
>>> > [*INFO*] Finished at: 2022-08-14T12:24:30+02:00
>>> >
>>> > [*INFO*]
>>> >
>>> *------------------------------------------------------------------------*
>>> >
>>> > [*ERROR*] Failed to execute goal
>>> > org.owasp:dependency-check-maven:7.1.0:check *(default)* on project
>>> > flex-messaging-common:
>>> >
>>> > [*ERROR*]
>>> >
>>> > [*ERROR*] *One or more dependencies were identified with
>>> vulnerabilities that have a CVSS score greater than or equal to '4.0': *
>>> >
>>> > [*ERROR*]
>>> >
>>> > [*ERROR*] *serializer-2.7.2.jar: CVE-2022-34169(9.8)*
>>> >
>>> > [*ERROR*] *xalan-2.7.2.jar: CVE-2022-34169(9.8)*
>>> >
>>> > [*ERROR*]
>>> >
>>> > [*ERROR*] *See the dependency-check report for more details.*
>>> >
>>> > Thanks,
>>>
>>> ______________________________________________________________________
>>> This email has been scanned by the Symantec Email Security.cloud service.
>>> For more information please visit http://www.symanteccloud.com
>>> ______________________________________________________________________
>>>
>>
>>
>> --
>>
>> Piotr Zarzycki
>>
>
>
> --
>
> Piotr Zarzycki
>
--
Piotr Zarzycki
Re: [EXTERNAL] BlazeDS release
Posted by Piotr Zarzycki <pi...@gmail.com>.
Hi guys,
Unfortunately both version of these plugins doesn't have newer versions.
The latest one are serializer-2.7.2and xalan-2.7.2 and we are using it.
Any suggestions?
Thanks,
Piotr
pon., 22 sie 2022 o 10:44 Piotr Zarzycki <pi...@gmail.com>
napisał(a):
> Hi Chris and All,
>
> I will try to upgrade dependencies myself this week. I will let you know
> here how it goes.
>
> Thanks,
> Piotr
>
> wt., 16 sie 2022 o 14:46 Christofer Dutz <ch...@c-ware.de>
> napisał(a):
>
>> Well …
>>
>> you might not, but a malicious attacker might.
>> I think the last few releases of BlazeDS, that I did in the past were
>> reacting to CVEs reported in the XML processing part of BlazeDS. Here, for
>> example, a malicious attacker could embed xml using xml-entities that
>> referenced protected resources on the server and the BlazeDS server just
>> resolved them exposing this protected information.
>>
>> However, I think I remember I turned off the xml processing of external
>> resources per default. I probably this problem would not apply in very many
>> cases.
>>
>> However, this seems to be a pretty new vulnerability, as I wasn’t getting
>> it when I started the branch. So, I would advise to look, if a newer
>> version is available and simply switch to that. If you need help with that
>> … give me a ping. Should be a matter of 5 minutes.
>>
>> Chris
>>
>>
>> From: Tom Chiverton <tc...@extravision.com>
>> Date: Tuesday, 16 August 2022 at 12:20
>> To: dev@flex.apache.org <de...@flex.apache.org>, Brian Raymes <
>> brian.raymes@teotech.com>
>> Subject: Re: [EXTERNAL] BlazeDS release
>> The issue there is when processing malicious XSLT.
>>
>> We don't pass untrusted XSLT to it ?
>>
>> Tom
>>
>> On 15/08/2022 22:36, Brian Raymes wrote:
>> > Seems like those dependencies need to be replaced due to
>> vulnerabilities, as the Apache Xalan project has been retired:
>> >
>> > https://github.com/advisories/GHSA-9339-86wc-4qgf
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: Piotr Zarzycki <pi...@gmail.com>
>> > Sent: Sunday, August 14, 2022 3:26 AM
>> > To: dev@flex.apache.org
>> > Subject: [EXTERNAL] BlazeDS release
>> >
>> > Hi All,
>> >
>> > In this thread I will be reporting updates related to release of
>> BlazeDS. I looked into Chris's branch and I would like to exclude Proxy
>> module from upcoming release. Please let me know in this thread whether you
>> have anything against it.
>> >
>> > Meanwhile I have following error on the console during build - Anyone
>> know what that means ?
>> >
>> > One or more dependencies were identified with known vulnerabilities in
>> > flex-messaging-common:
>> >
>> >
>> > serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2,
>> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>> >
>> > xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2,
>> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>> >
>> >
>> >
>> > See the dependency-check report for more details.
>> >
>> >
>> >
>> > [*INFO*]
>> >
>> *------------------------------------------------------------------------*
>> >
>> > [*INFO*] *Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:*
>> >
>> > [*INFO*]
>> >
>> > [*INFO*] Apache Flex - BlazeDS ..............................
>> > *SUCCESS* [ 5.914
>> > s]
>> >
>> > [*INFO*] flex-messaging-archetypes ..........................
>> > *SUCCESS* [ 1.409
>> > s]
>> >
>> > [*INFO*] blazeds-spring-boot-example-archetype ..............
>> > *SUCCESS* [ 4.430
>> > s]
>> >
>> > [*INFO*] flex-messaging-common ..............................
>> > *FAILURE* [ 2.155
>> > s]
>> >
>> > [*INFO*] flex-messaging-core ................................ *SKIPPED*
>> >
>> > [*INFO*] flex-messaging-proxy ............................... *SKIPPED*
>> >
>> > [*INFO*] flex-messaging-remoting ............................ *SKIPPED*
>> >
>> > [*INFO*] flex-messaging-opt ................................. *SKIPPED*
>> >
>> > [*INFO*] flex-messaging-opt-tomcat .......................... *SKIPPED*
>> >
>> > [*INFO*] flex-messaging-opt-tomcat-base ..................... *SKIPPED*
>> >
>> > [*INFO*]
>> >
>> *------------------------------------------------------------------------*
>> >
>> > [*INFO*] *BUILD FAILURE*
>> >
>> > [*INFO*]
>> >
>> *------------------------------------------------------------------------*
>> >
>> > [*INFO*] Total time: 14.115 s
>> >
>> > [*INFO*] Finished at: 2022-08-14T12:24:30+02:00
>> >
>> > [*INFO*]
>> >
>> *------------------------------------------------------------------------*
>> >
>> > [*ERROR*] Failed to execute goal
>> > org.owasp:dependency-check-maven:7.1.0:check *(default)* on project
>> > flex-messaging-common:
>> >
>> > [*ERROR*]
>> >
>> > [*ERROR*] *One or more dependencies were identified with
>> vulnerabilities that have a CVSS score greater than or equal to '4.0': *
>> >
>> > [*ERROR*]
>> >
>> > [*ERROR*] *serializer-2.7.2.jar: CVE-2022-34169(9.8)*
>> >
>> > [*ERROR*] *xalan-2.7.2.jar: CVE-2022-34169(9.8)*
>> >
>> > [*ERROR*]
>> >
>> > [*ERROR*] *See the dependency-check report for more details.*
>> >
>> > Thanks,
>>
>> ______________________________________________________________________
>> This email has been scanned by the Symantec Email Security.cloud service.
>> For more information please visit http://www.symanteccloud.com
>> ______________________________________________________________________
>>
>
>
> --
>
> Piotr Zarzycki
>
--
Piotr Zarzycki
Re: [EXTERNAL] BlazeDS release
Posted by Piotr Zarzycki <pi...@gmail.com>.
Hi Chris and All,
I will try to upgrade dependencies myself this week. I will let you know
here how it goes.
Thanks,
Piotr
wt., 16 sie 2022 o 14:46 Christofer Dutz <ch...@c-ware.de>
napisał(a):
> Well …
>
> you might not, but a malicious attacker might.
> I think the last few releases of BlazeDS, that I did in the past were
> reacting to CVEs reported in the XML processing part of BlazeDS. Here, for
> example, a malicious attacker could embed xml using xml-entities that
> referenced protected resources on the server and the BlazeDS server just
> resolved them exposing this protected information.
>
> However, I think I remember I turned off the xml processing of external
> resources per default. I probably this problem would not apply in very many
> cases.
>
> However, this seems to be a pretty new vulnerability, as I wasn’t getting
> it when I started the branch. So, I would advise to look, if a newer
> version is available and simply switch to that. If you need help with that
> … give me a ping. Should be a matter of 5 minutes.
>
> Chris
>
>
> From: Tom Chiverton <tc...@extravision.com>
> Date: Tuesday, 16 August 2022 at 12:20
> To: dev@flex.apache.org <de...@flex.apache.org>, Brian Raymes <
> brian.raymes@teotech.com>
> Subject: Re: [EXTERNAL] BlazeDS release
> The issue there is when processing malicious XSLT.
>
> We don't pass untrusted XSLT to it ?
>
> Tom
>
> On 15/08/2022 22:36, Brian Raymes wrote:
> > Seems like those dependencies need to be replaced due to
> vulnerabilities, as the Apache Xalan project has been retired:
> >
> > https://github.com/advisories/GHSA-9339-86wc-4qgf
> >
> >
> >
> > -----Original Message-----
> > From: Piotr Zarzycki <pi...@gmail.com>
> > Sent: Sunday, August 14, 2022 3:26 AM
> > To: dev@flex.apache.org
> > Subject: [EXTERNAL] BlazeDS release
> >
> > Hi All,
> >
> > In this thread I will be reporting updates related to release of
> BlazeDS. I looked into Chris's branch and I would like to exclude Proxy
> module from upcoming release. Please let me know in this thread whether you
> have anything against it.
> >
> > Meanwhile I have following error on the console during build - Anyone
> know what that means ?
> >
> > One or more dependencies were identified with known vulnerabilities in
> > flex-messaging-common:
> >
> >
> > serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2,
> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
> >
> > xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2,
> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
> >
> >
> >
> > See the dependency-check report for more details.
> >
> >
> >
> > [*INFO*]
> >
> *------------------------------------------------------------------------*
> >
> > [*INFO*] *Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:*
> >
> > [*INFO*]
> >
> > [*INFO*] Apache Flex - BlazeDS ..............................
> > *SUCCESS* [ 5.914
> > s]
> >
> > [*INFO*] flex-messaging-archetypes ..........................
> > *SUCCESS* [ 1.409
> > s]
> >
> > [*INFO*] blazeds-spring-boot-example-archetype ..............
> > *SUCCESS* [ 4.430
> > s]
> >
> > [*INFO*] flex-messaging-common ..............................
> > *FAILURE* [ 2.155
> > s]
> >
> > [*INFO*] flex-messaging-core ................................ *SKIPPED*
> >
> > [*INFO*] flex-messaging-proxy ............................... *SKIPPED*
> >
> > [*INFO*] flex-messaging-remoting ............................ *SKIPPED*
> >
> > [*INFO*] flex-messaging-opt ................................. *SKIPPED*
> >
> > [*INFO*] flex-messaging-opt-tomcat .......................... *SKIPPED*
> >
> > [*INFO*] flex-messaging-opt-tomcat-base ..................... *SKIPPED*
> >
> > [*INFO*]
> >
> *------------------------------------------------------------------------*
> >
> > [*INFO*] *BUILD FAILURE*
> >
> > [*INFO*]
> >
> *------------------------------------------------------------------------*
> >
> > [*INFO*] Total time: 14.115 s
> >
> > [*INFO*] Finished at: 2022-08-14T12:24:30+02:00
> >
> > [*INFO*]
> >
> *------------------------------------------------------------------------*
> >
> > [*ERROR*] Failed to execute goal
> > org.owasp:dependency-check-maven:7.1.0:check *(default)* on project
> > flex-messaging-common:
> >
> > [*ERROR*]
> >
> > [*ERROR*] *One or more dependencies were identified with vulnerabilities
> that have a CVSS score greater than or equal to '4.0': *
> >
> > [*ERROR*]
> >
> > [*ERROR*] *serializer-2.7.2.jar: CVE-2022-34169(9.8)*
> >
> > [*ERROR*] *xalan-2.7.2.jar: CVE-2022-34169(9.8)*
> >
> > [*ERROR*]
> >
> > [*ERROR*] *See the dependency-check report for more details.*
> >
> > Thanks,
>
> ______________________________________________________________________
> This email has been scanned by the Symantec Email Security.cloud service.
> For more information please visit http://www.symanteccloud.com
> ______________________________________________________________________
>
--
Piotr Zarzycki
Re: [EXTERNAL] BlazeDS release
Posted by Christofer Dutz <ch...@c-ware.de>.
Well …
you might not, but a malicious attacker might.
I think the last few releases of BlazeDS, that I did in the past were reacting to CVEs reported in the XML processing part of BlazeDS. Here, for example, a malicious attacker could embed xml using xml-entities that referenced protected resources on the server and the BlazeDS server just resolved them exposing this protected information.
However, I think I remember I turned off the xml processing of external resources per default. I probably this problem would not apply in very many cases.
However, this seems to be a pretty new vulnerability, as I wasn’t getting it when I started the branch. So, I would advise to look, if a newer version is available and simply switch to that. If you need help with that … give me a ping. Should be a matter of 5 minutes.
Chris
From: Tom Chiverton <tc...@extravision.com>
Date: Tuesday, 16 August 2022 at 12:20
To: dev@flex.apache.org <de...@flex.apache.org>, Brian Raymes <br...@teotech.com>
Subject: Re: [EXTERNAL] BlazeDS release
The issue there is when processing malicious XSLT.
We don't pass untrusted XSLT to it ?
Tom
On 15/08/2022 22:36, Brian Raymes wrote:
> Seems like those dependencies need to be replaced due to vulnerabilities, as the Apache Xalan project has been retired:
>
> https://github.com/advisories/GHSA-9339-86wc-4qgf
>
>
>
> -----Original Message-----
> From: Piotr Zarzycki <pi...@gmail.com>
> Sent: Sunday, August 14, 2022 3:26 AM
> To: dev@flex.apache.org
> Subject: [EXTERNAL] BlazeDS release
>
> Hi All,
>
> In this thread I will be reporting updates related to release of BlazeDS. I looked into Chris's branch and I would like to exclude Proxy module from upcoming release. Please let me know in this thread whether you have anything against it.
>
> Meanwhile I have following error on the console during build - Anyone know what that means ?
>
> One or more dependencies were identified with known vulnerabilities in
> flex-messaging-common:
>
>
> serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2,
> cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>
> xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2,
> cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>
>
>
> See the dependency-check report for more details.
>
>
>
> [*INFO*]
> *------------------------------------------------------------------------*
>
> [*INFO*] *Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:*
>
> [*INFO*]
>
> [*INFO*] Apache Flex - BlazeDS ..............................
> *SUCCESS* [ 5.914
> s]
>
> [*INFO*] flex-messaging-archetypes ..........................
> *SUCCESS* [ 1.409
> s]
>
> [*INFO*] blazeds-spring-boot-example-archetype ..............
> *SUCCESS* [ 4.430
> s]
>
> [*INFO*] flex-messaging-common ..............................
> *FAILURE* [ 2.155
> s]
>
> [*INFO*] flex-messaging-core ................................ *SKIPPED*
>
> [*INFO*] flex-messaging-proxy ............................... *SKIPPED*
>
> [*INFO*] flex-messaging-remoting ............................ *SKIPPED*
>
> [*INFO*] flex-messaging-opt ................................. *SKIPPED*
>
> [*INFO*] flex-messaging-opt-tomcat .......................... *SKIPPED*
>
> [*INFO*] flex-messaging-opt-tomcat-base ..................... *SKIPPED*
>
> [*INFO*]
> *------------------------------------------------------------------------*
>
> [*INFO*] *BUILD FAILURE*
>
> [*INFO*]
> *------------------------------------------------------------------------*
>
> [*INFO*] Total time: 14.115 s
>
> [*INFO*] Finished at: 2022-08-14T12:24:30+02:00
>
> [*INFO*]
> *------------------------------------------------------------------------*
>
> [*ERROR*] Failed to execute goal
> org.owasp:dependency-check-maven:7.1.0:check *(default)* on project
> flex-messaging-common:
>
> [*ERROR*]
>
> [*ERROR*] *One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '4.0': *
>
> [*ERROR*]
>
> [*ERROR*] *serializer-2.7.2.jar: CVE-2022-34169(9.8)*
>
> [*ERROR*] *xalan-2.7.2.jar: CVE-2022-34169(9.8)*
>
> [*ERROR*]
>
> [*ERROR*] *See the dependency-check report for more details.*
>
> Thanks,
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
Re: [EXTERNAL] BlazeDS release
Posted by Tom Chiverton <tc...@extravision.com>.
The issue there is when processing malicious XSLT.
We don't pass untrusted XSLT to it ?
Tom
On 15/08/2022 22:36, Brian Raymes wrote:
> Seems like those dependencies need to be replaced due to vulnerabilities, as the Apache Xalan project has been retired:
>
> https://github.com/advisories/GHSA-9339-86wc-4qgf
>
>
>
> -----Original Message-----
> From: Piotr Zarzycki <pi...@gmail.com>
> Sent: Sunday, August 14, 2022 3:26 AM
> To: dev@flex.apache.org
> Subject: [EXTERNAL] BlazeDS release
>
> Hi All,
>
> In this thread I will be reporting updates related to release of BlazeDS. I looked into Chris's branch and I would like to exclude Proxy module from upcoming release. Please let me know in this thread whether you have anything against it.
>
> Meanwhile I have following error on the console during build - Anyone know what that means ?
>
> One or more dependencies were identified with known vulnerabilities in
> flex-messaging-common:
>
>
> serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2,
> cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>
> xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2,
> cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>
>
>
> See the dependency-check report for more details.
>
>
>
> [*INFO*]
> *------------------------------------------------------------------------*
>
> [*INFO*] *Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:*
>
> [*INFO*]
>
> [*INFO*] Apache Flex - BlazeDS ..............................
> *SUCCESS* [ 5.914
> s]
>
> [*INFO*] flex-messaging-archetypes ..........................
> *SUCCESS* [ 1.409
> s]
>
> [*INFO*] blazeds-spring-boot-example-archetype ..............
> *SUCCESS* [ 4.430
> s]
>
> [*INFO*] flex-messaging-common ..............................
> *FAILURE* [ 2.155
> s]
>
> [*INFO*] flex-messaging-core ................................ *SKIPPED*
>
> [*INFO*] flex-messaging-proxy ............................... *SKIPPED*
>
> [*INFO*] flex-messaging-remoting ............................ *SKIPPED*
>
> [*INFO*] flex-messaging-opt ................................. *SKIPPED*
>
> [*INFO*] flex-messaging-opt-tomcat .......................... *SKIPPED*
>
> [*INFO*] flex-messaging-opt-tomcat-base ..................... *SKIPPED*
>
> [*INFO*]
> *------------------------------------------------------------------------*
>
> [*INFO*] *BUILD FAILURE*
>
> [*INFO*]
> *------------------------------------------------------------------------*
>
> [*INFO*] Total time: 14.115 s
>
> [*INFO*] Finished at: 2022-08-14T12:24:30+02:00
>
> [*INFO*]
> *------------------------------------------------------------------------*
>
> [*ERROR*] Failed to execute goal
> org.owasp:dependency-check-maven:7.1.0:check *(default)* on project
> flex-messaging-common:
>
> [*ERROR*]
>
> [*ERROR*] *One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '4.0': *
>
> [*ERROR*]
>
> [*ERROR*] *serializer-2.7.2.jar: CVE-2022-34169(9.8)*
>
> [*ERROR*] *xalan-2.7.2.jar: CVE-2022-34169(9.8)*
>
> [*ERROR*]
>
> [*ERROR*] *See the dependency-check report for more details.*
>
> Thanks,
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
RE: [EXTERNAL] BlazeDS release
Posted by Brian Raymes <br...@teotech.com>.
Seems like those dependencies need to be replaced due to vulnerabilities, as the Apache Xalan project has been retired:
https://github.com/advisories/GHSA-9339-86wc-4qgf
-----Original Message-----
From: Piotr Zarzycki <pi...@gmail.com>
Sent: Sunday, August 14, 2022 3:26 AM
To: dev@flex.apache.org
Subject: [EXTERNAL] BlazeDS release
Hi All,
In this thread I will be reporting updates related to release of BlazeDS. I looked into Chris's branch and I would like to exclude Proxy module from upcoming release. Please let me know in this thread whether you have anything against it.
Meanwhile I have following error on the console during build - Anyone know what that means ?
One or more dependencies were identified with known vulnerabilities in
flex-messaging-common:
serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2,
cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2,
cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
See the dependency-check report for more details.
[*INFO*]
*------------------------------------------------------------------------*
[*INFO*] *Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:*
[*INFO*]
[*INFO*] Apache Flex - BlazeDS ..............................
*SUCCESS* [ 5.914
s]
[*INFO*] flex-messaging-archetypes ..........................
*SUCCESS* [ 1.409
s]
[*INFO*] blazeds-spring-boot-example-archetype ..............
*SUCCESS* [ 4.430
s]
[*INFO*] flex-messaging-common ..............................
*FAILURE* [ 2.155
s]
[*INFO*] flex-messaging-core ................................ *SKIPPED*
[*INFO*] flex-messaging-proxy ............................... *SKIPPED*
[*INFO*] flex-messaging-remoting ............................ *SKIPPED*
[*INFO*] flex-messaging-opt ................................. *SKIPPED*
[*INFO*] flex-messaging-opt-tomcat .......................... *SKIPPED*
[*INFO*] flex-messaging-opt-tomcat-base ..................... *SKIPPED*
[*INFO*]
*------------------------------------------------------------------------*
[*INFO*] *BUILD FAILURE*
[*INFO*]
*------------------------------------------------------------------------*
[*INFO*] Total time: 14.115 s
[*INFO*] Finished at: 2022-08-14T12:24:30+02:00
[*INFO*]
*------------------------------------------------------------------------*
[*ERROR*] Failed to execute goal
org.owasp:dependency-check-maven:7.1.0:check *(default)* on project
flex-messaging-common:
[*ERROR*]
[*ERROR*] *One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '4.0': *
[*ERROR*]
[*ERROR*] *serializer-2.7.2.jar: CVE-2022-34169(9.8)*
[*ERROR*] *xalan-2.7.2.jar: CVE-2022-34169(9.8)*
[*ERROR*]
[*ERROR*] *See the dependency-check report for more details.*
Thanks,
--
Piotr Zarzycki