You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@pdfbox.apache.org by "Tilman Hausherr (JIRA)" <ji...@apache.org> on 2017/07/11 17:10:00 UTC

[jira] [Comment Edited] (PDFBOX-3865) Add OWASP dependency-check to build

    [ https://issues.apache.org/jira/browse/PDFBOX-3865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16082501#comment-16082501 ] 

Tilman Hausherr edited comment on PDFBOX-3865 at 7/11/17 5:09 PM:
------------------------------------------------------------------

1.8 build fails because of CVE-2015-7940 in bcprov-jdk15-1.44.jar. That doesn't apply to us:
{quote}
The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
{quote}
We're not using any crypto with elliptic curves. I'll create an exception.

How to do this is explained here:
https://jeremylong.github.io/DependencyCheck/general/suppression.html

The report mentioned is in the "target" directory. Creating the "suppression" file is really as easy as explained.


was (Author: tilman):
1.8 build fails because of CVE-2015-7940 in bcprov-jdk15-1.44.jar. That doesn't apply to us:
{quote}
The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
{quote}
We're not using any crypto with elliptic curves. I'll create an exception.



> Add OWASP dependency-check to build
> -----------------------------------
>
>                 Key: PDFBOX-3865
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-3865
>             Project: PDFBox
>          Issue Type: Task
>    Affects Versions: 1.8.13, 2.0.6, 3.0.0
>            Reporter: Tilman Hausherr
>            Assignee: Tilman Hausherr
>              Labels: build, maven
>             Fix For: 1.8.14, 2.0.7, 3.0.0
>
>
> https://github.com/jeremylong/dependency-check-gradle#current-release
> checks the build against known security issues. I tried it with a project that linked pdfbox 2.0.0 (has XXE vulnerability) and yes, the build stopped.
> Because the database needs 400MB in the repository we'll run it only in "pedantic" mode, i.e. for the jenkins builds.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: dev-help@pdfbox.apache.org