[jboss-jira] [JBoss JIRA] (DROOLS-5212) Latest Drools-compiler version has dependency of xstream-1.4.11.1.jar which causing HIGH vulnerability CVE-2013-7285
Mario Fusco (Jira)
issues at jboss.org
Fri Apr 3 07:57:36 EDT 2020
[ https://issues.redhat.com/browse/DROOLS-5212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14020221#comment-14020221 ]
Mario Fusco commented on DROOLS-5212:
-------------------------------------
I'm not entirely understanding this. I believe we added that security framework with this commit https://github.com/kiegroup/drools/commit/ed0b742519bff8f82fa963af444e1f65e4e898ed, but maybe I'm missing something? If you already have implemented a patch in drools-compiler to fix this issue (provided that it is not fixed already), it would be great if you could send a pull request to the drools repository with that fix.
> Latest Drools-compiler version has dependency of xstream-1.4.11.1.jar which causing HIGH vulnerability CVE-2013-7285
> --------------------------------------------------------------------------------------------------------------------
>
> Key: DROOLS-5212
> URL: https://issues.redhat.com/browse/DROOLS-5212
> Project: Drools
> Issue Type: Enhancement
> Reporter: Priti Rane
> Assignee: Mario Fusco
> Priority: Major
>
> All drools compiler versions after 7.21.0.Final are using xstream version 1.14.11.1. We are using Anchore Engine for vulnerability scanning and it is reporting the HIGH vulnerability CVE-2013-7285 - https://nvd.nist.gov/vuln/detail/CVE-2013-7285. There is a workaround to implement the security framework. However, we are using the kie-ci jar, which has the drools-compiler dependency. So to resolve this, we have to implement the workaround in the drools-compiler source code, build the jar and use it. But this solution is not maintainable.
> Are there any plans to implement the security framework in the next version of drools-compiler?
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
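The "security framework" both messages refer to is XStream's type allowlist, which rejects any class not explicitly permitted before it is instantiated. As an added example (not code from the Drools project or from either poster), this is the shape of that configuration on an application's own XStream instance; the model class `RuleConfig` is constructed for the example and stands in for whatever types the application actually deserialises.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    /** Constructed sample type; stands in for an application's own model class. */
    public static class RuleConfig {
        public String name;
        public int priority;
    }

    /** Builds an XStream instance that only deserialises explicitly allowed types. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // NoTypePermission.NONE clears the permissive defaults; everything
        // below re-adds only what this application needs.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, RuleConfig.class });
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();
        xstream.alias("ruleConfig", RuleConfig.class);

        // Allowed type: a constructed document round-trips normally.
        String ok = "<ruleConfig><name>discount</name><priority>5</priority></ruleConfig>";
        RuleConfig cfg = (RuleConfig) xstream.fromXML(ok);
        System.out.println("parsed " + cfg.name + " priority=" + cfg.priority);

        // A type outside the allowlist is refused before any object is created,
        // which is the behaviour that closes the CVE-2013-7285 class of issues.
        String unlisted = "<java.util.HashMap/>";
        try {
            xstream.fromXML(unlisted);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same effect is reached with `XStream.setupDefaultSecurity(xstream)` followed by `allowTypes`/`allowTypesByWildcard` calls; the point for a dependency scanner is that the allowlist has to be applied to the XStream instance the library actually uses, not only to one the application creates itself.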