[ https://issues.redhat.com/browse/DROOLS-5212?page=com.atlassian.jira.plug... ]
Priti Rane commented on DROOLS-5212:
------------------------------------
Thanks for replying. While doing the analysis, I also found that it is already implemented in
drools compiler. I think Anchore engine is just scanning the jar used and using the CVE
vulnerability database against that jar to provide the analysis report. It doesn't
check whether the security framework is implemented or not. Anyway, thanks for your help.
You can close this issue.
Latest Drools-compiler version has a dependency on xstream-1.4.11.1.jar,
which causes HIGH vulnerability CVE-2013-7285
--------------------------------------------------------------------------------------------------------------------
Key: DROOLS-5212
URL: https://issues.redhat.com/browse/DROOLS-5212
Project: Drools
Issue Type: Enhancement
Reporter: Priti Rane
Assignee: Mario Fusco
Priority: Major
All drools compiler versions after 7.21.0.Final are using xstream version 1.14.11.1. We
are using Anchore engine for vulnerability scanning and it is giving HIGH vulnerability
CVE-2013-7285 -
https://nvd.nist.gov/vuln/detail/CVE-2013-7285. There is a workaround to
implement the security framework. However, we are using the kie-ci jar which has the
drools-compiler dependency. So to resolve this, we have to implement the workaround in the
drools-compiler source code, build the jar and use it. But this solution is not
maintainable.
Are there any plans to implement the security framework in the next version of drools-compiler?
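For reference, this is what the "security framework" workaround mentioned in the report looks like when applied to an XStream 1.4.10+ instance (an added example, not code from Drools, kie-ci or XStream): deserialization is restricted to an explicit allow-list so that arbitrary class names in the XML are refused. The Order class and the com.example.** package are hypothetical.

```java
// Added example (not from the DROOLS issue or the Drools/XStream projects):
// configuring XStream's security framework so that only an explicit allow-list
// of types can be instantiated from XML. Assumes XStream 1.4.10 or later
// (1.4.11.1 as named in the issue qualifies); Order and "com.example.**" are hypothetical.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowListDemo {

    // Hypothetical domain type the application legitimately exchanges as XML.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Build an XStream instance that rejects every type except those allowed below.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // NoTypePermission.NONE clears the permissive defaults: start from "deny everything".
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);               // allow <null/>
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class });
        // Only the application's own package (hypothetical) may be instantiated from XML.
        xstream.allowTypesByWildcard(new String[] { "com.example.**" });
        xstream.allowTypes(new Class[] { Order.class });
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();
        xstream.alias("order", Order.class);

        // Constructed sample document: an allowed type round-trips normally.
        Order ok = (Order) xstream.fromXML("<order><id>A-1</id><quantity>3</quantity></order>");
        System.out.println("parsed order " + ok.id + " x" + ok.quantity);

        // Constructed sample naming a type outside the allow-list: the security
        // framework refuses to resolve the class instead of instantiating it.
        try {
            xstream.fromXML("<java.util.HashMap/>");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the report is that this configuration must be applied to the XStream instance that drools-compiler itself creates, which is why a consumer of kie-ci cannot add it without rebuilding the jar.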
--
This message was sent by Atlassian Jira (v7.13.8#713008)