Posted to dev@pdfbox.apache.org by "Tilman Hausherr (JIRA)" <ji...@apache.org> on 2019/02/15 17:23:00 UTC

[jira] [Commented] (PDFBOX-4465) Your project apache/pdfbox is using buggy third-party libraries [WARNING]

    [ https://issues.apache.org/jira/browse/PDFBOX-4465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16769526#comment-16769526 ] 

Tilman Hausherr commented on PDFBOX-4465:
-----------------------------------------

That seems to be an automatic submission, and its algorithm should be improved to avoid producing unneeded work. For example, IO-516 is just about a comment. IO-570: just a checkstyle violation. LOGGING-163 is annoying but not a security issue.

IO-559 - this may be a security issue, but it will be fixed in 2.7 (not released). But commons-io is used only for testing, so there is no danger that people pass some weird path.

We are using the maven owasp plugin so we get notified of security issues in the third party libraries we use.


> Your project apache/pdfbox is using buggy third-party libraries [WARNING]
> -------------------------------------------------------------------------
>
>                 Key: PDFBOX-4465
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-4465
>             Project: PDFBox
>          Issue Type: Bug
>            Reporter: Kaifeng Huang
>            Priority: Major
>
> Hi, there!
>     We are a research team working on third-party library analysis. We have found that some widely-used third-party libraries in your project have major/critical bugs, which will degrade the quality of your project. We highly recommend that you update those libraries to new versions.
>     We have attached the buggy third-party libraries and corresponding jira issue links below for you to have more detailed information.
> 	1. commons-logging commons-logging
> 	version: 1.2
> 	Jira issues:
> 	BufferedReader is not closed properly
> 	affectsVersions:1.1.1;1.2
> 	https://issues.apache.org/jira/projects/LOGGING/issues/LOGGING-163?filter=allopenissues
> 	2. commons-io commons-io
> 	version: 2.6
> 	Jira issues:
> 	.gitattributes not correctly applied
> 	affectsVersions:2.6
> 	https://issues.apache.org/jira/projects/IO/issues/IO-516?filter=allopenissues
> 	FilenameUtils.normalize should verify hostname syntax in UNC path
> 	affectsVersions:2.6
> 	https://issues.apache.org/jira/projects/IO/issues/IO-559?filter=allopenissues
> 	Missing Javadoc in FilenameUtils causing Travis-CI build to fail
> 	affectsVersions:2.6
> 	https://issues.apache.org/jira/projects/IO/issues/IO-570?filter=allopenissues
> Sincerely~
> FDU Software Engineering Lab
> Feb 15th, 2019
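
The maintainer's reply above relies on the OWASP dependency-check Maven plugin to be told about real CVEs in third-party libraries rather than about arbitrary bug-tracker issues. The pom.xml fragment below is an added illustration of such a setup, not PDFBox's own build configuration: the plugin version, the CVSS threshold and the suppression file path are assumptions, and the test-scope setting mirrors the point that a test-only dependency such as commons-io is not shipped to users.

```xml
<!-- Fragment of a Maven pom.xml (added example, not PDFBox's pom). -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- Assumed version; pick a current release of the plugin. -->
      <version>8.4.0</version>
      <configuration>
        <!-- Fail the build when a dependency carries a known CVE
             with a CVSS base score of 7.0 or higher (assumed threshold).
             Plain bug reports without a CVE never trigger this. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Test-scoped dependencies are not part of the shipped artifact,
             so findings in them do not reach end users. This is already
             the plugin's default; it is stated here to make the policy visible. -->
        <skipTestScope>true</skipTestScope>
        <!-- Reviewed false positives live in a separate, auditable file
             (assumed path) instead of being hidden in the pom. -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
        </suppressionFiles>
        <!-- HTML for humans, JSON for CI tooling that tracks findings over time. -->
        <formats>
          <format>HTML</format>
          <format>JSON</format>
        </formats>
      </configuration>
      <executions>
        <execution>
          <!-- The check goal runs the analysis and applies failBuildOnCVSS. -->
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Running `mvn verify` with this fragment in place produces the reports under `target/` and stops the build only on a matched CVE above the threshold, which is the distinction the comment draws between a checkstyle violation and a security issue.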



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)