[jboss-jira] [JBoss JIRA] (DROOLS-5212) Latest Drools-compiler version has dependency of xstream-1.4.11.1.jar which is causing HIGH vulnerability CVE-2013-7285
Priti Rane (Jira)
issues at jboss.org
Fri Apr 3 08:39:53 EDT 2020
[ https://issues.redhat.com/browse/DROOLS-5212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14020273#comment-14020273 ]
Priti Rane commented on DROOLS-5212:
------------------------------------
Thanks for replying. While doing the analysis, I also found that it is already implemented in drools-compiler. I think Anchore Engine is just scanning the jars used and checking them against the CVE vulnerability database to produce the analysis report. It doesn't check whether the security framework is implemented or not. Anyway, thanks for your help. You can close this issue.
> Latest Drools-compiler version has dependency of xstream-1.4.11.1.jar which is causing HIGH vulnerability CVE-2013-7285
> --------------------------------------------------------------------------------------------------------------------
>
> Key: DROOLS-5212
> URL: https://issues.redhat.com/browse/DROOLS-5212
> Project: Drools
> Issue Type: Enhancement
> Reporter: Priti Rane
> Assignee: Mario Fusco
> Priority: Major
>
> All drools-compiler versions after 7.21.0.Final are using xstream version 1.4.11.1. We are using Anchore Engine for vulnerability scanning and it is reporting HIGH vulnerability CVE-2013-7285 - https://nvd.nist.gov/vuln/detail/CVE-2013-7285. There is a workaround: implement the security framework. However, we are using the kie-ci jar, which has the drools-compiler dependency. So to resolve this, we would have to implement the workaround in the drools-compiler source code, build the jar and use that. But this solution is not maintainable.
> Are there any plans to implement the security framework in the next version of drools-compiler?
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
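The "security framework" referred to in this thread is XStream's type allow list: a new XStream instance that has not been given any permissions will unmarshal whatever class name appears in the incoming XML, which is the root of CVE-2013-7285, while an instance that starts from NoTypePermission and re-admits only the expected types rejects everything else with a ForbiddenClassException. The following is an added example of that configuration, written for this page; it is not drools-compiler's or kie-ci's own code, the Order class and the sample XML documents are constructed for illustration, and it only helps where your own code creates the XStream instance (the reporter's point is that kie-ci creates it internally). As the commenter notes, a scanner that matches the xstream jar version against CVE records cannot see this configuration, so the finding in the scan report does not change either way.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/** Added example: XStream 1.4.x with an explicit type allow list (not project code). */
public class XStreamAllowListDemo {

    /** Hypothetical application type that the application legitimately expects to unmarshal. */
    public static class Order {
        public String id;
        public int quantity;
    }

    /** Vulnerable baseline: no permissions configured, any class named in the XML is accepted. */
    public static XStream unconfiguredXStream() {
        // XStream 1.4.10+ logs "Security framework of XStream not initialized" for this instance.
        return new XStream(new DomDriver());
    }

    /** Hardened instance: deny everything, then re-admit only the types this code needs. */
    public static XStream hardenedXStream() {
        XStream xs = new XStream(new DomDriver());
        xs.addPermission(NoTypePermission.NONE);           // start from "nothing is allowed"
        xs.addPermission(NullPermission.NULL);             // null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ... and their wrappers
        xs.allowTypes(new Class[] { String.class, Order.class }); // exactly what the app expects
        xs.alias("order", Order.class);                    // tag name used in the wire format
        return xs;
    }

    // Constructed sample input: the document shape the application expects.
    static final String EXPECTED_XML =
        "<order><id>A-17</id><quantity>3</quantity></order>";

    // Constructed sample input: a well-formed document naming a type the app never asked for.
    // HashMap is harmless; the point is that the allow list rejects any type not listed.
    static final String UNEXPECTED_XML = "<java.util.HashMap/>";

    /** Returns true when the allow list rejects the payload, false when XStream unmarshals it. */
    public static boolean isRejected(XStream xs, String xml) {
        try {
            xs.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream hardened = hardenedXStream();
        Order order = (Order) hardened.fromXML(EXPECTED_XML);
        System.out.println("parsed order " + order.id + " x" + order.quantity);
        System.out.println("hardened rejects unexpected type: "
            + isRejected(hardened, UNEXPECTED_XML));
        System.out.println("unconfigured rejects unexpected type: "
            + isRejected(unconfiguredXStream(), UNEXPECTED_XML));
    }
}
```

With the hardened instance the expected document unmarshals to an Order and the HashMap document is rejected; with the unconfigured instance the HashMap document is accepted, which is the behaviour the CVE describes. Starting from NoTypePermission.NONE and listing concrete classes is deliberate: a deny list of known gadget classes (what XStream.setupDefaultSecurity and the 1.4.x default constructor provide) has to be updated every time a new gadget chain is published, whereas an allow list only needs to change when the application's own wire format does.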