Posted to issues@activemq.apache.org by "Justin Bertram (Jira)" <ji...@apache.org> on 2020/02/24 16:21:00 UTC

[jira] [Assigned] (ARTEMIS-2630) Vercode XSS in migration-guild/gitbook.

     [ https://issues.apache.org/jira/browse/ARTEMIS-2630?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Bertram reassigned ARTEMIS-2630:
---------------------------------------

    Assignee:     (was: Clebert Suconic)

> Vercode XSS in migration-guild/gitbook.
> ---------------------------------------
>
>                 Key: ARTEMIS-2630
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-2630
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>    Affects Versions: 2.6.2
>            Reporter: Stephen James Agneta
>            Priority: Major
>
> Veracode security scanner picks up a Cross Site Scripting error within gitbook.js and theme.js within the migration-guide. I'm actually not suggesting that be fixed or even that it is a real security issue. I don't know.
> What does surprise me is that the documentation is distributed within the binary releases rather than just the source releases. I'm going to suggest that the binary releases just contain the binaries (and any files required for run-time) rather than also contain docs which are often picked up on security scans.
>  
> I know this is somewhat of a religious issue in terms of binary releases with or without documentation. However the reality in the field is that binary releases are often simply deployed as is and thus documentation comes along for the ride and is constantly picked up by security scanners as an issue.
>  
> I think the better part of valor is to not bundle the docs with binary releases. It's not worth the hassle. In any event, at least you will be aware of the issue. I know this issue exists from 2.6.2 onward.
>  
> Thanks again,
> Steve
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)