Skip to content
This repository was archived by the owner on Oct 10, 2024. It is now read-only.

Update dependency com.puppycrawl.tools:checkstyle to v8.29 [SECURITY]#948

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability
Open

Update dependency com.puppycrawl.tools:checkstyle to v8.29 [SECURITY]#948
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jan 30, 2023
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
com.puppycrawl.tools:checkstyle (source) 8.18 -> 8.29 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2019-10782

Due to an incomplete fix for CVE-2019-9658, checkstyle was still vulnerable to XML External Entity (XXE) Processing.

Impact

User: Build Maintainers

This vulnerability probably doesn't impact Maven/Gradle users as, in most cases, these builds are processing files that are trusted, or pre-vetted by a pull request reviewer before being run on internal CI infrastructure.

User: Static Analysis as a Service

If you operate a site/service that parses "untrusted" Checkstyle XML configuration files, you are vulnerable to this and should patch.

Note from the discoverer of the original CVE-2019-9658:

While looking at a few companies that run Checkstyle/PMD/ect... as a service I notice that it's a common pattern to run the static code analysis tool inside of a Docker container with the following flags:

--net=none \
--privileged=false \
--cap-drop=ALL

Running the analysis in Docker has the advantage that there should be no sensitive local file information that XXE can exfiltrate from the container. Additionally, these flags prevent vulnerabilities in static analysis tools like Checkstyle from being used to exfiltrate data via XXE or to perform SSRF.
- Jonathan Leitschuh

Patches

Has the problem been patched? What versions should users upgrade to?

Patched, will be released with version 8.29 at 26 Jan 2020.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

No workaround are available

References

For more information

If you have any questions or comments about this advisory:

Release Notes

checkstyle/checkstyle (com.puppycrawl.tools:checkstyle)

v8.29

Compare Source

v8.28

Compare Source

v8.27

Compare Source

v8.26

Compare Source

v8.25

Compare Source

v8.24

Compare Source

v8.23

v8.22

v8.21

v8.20

v8.19

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch 6 times, most recently from 8c80610 to bc513b7 Compare January 31, 2023 15:25
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from bc513b7 to d0b64fe Compare February 27, 2023 12:46
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from d0b64fe to 33dc911 Compare April 20, 2023 20:36
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 33dc911 to 17c4768 Compare May 22, 2023 14:58
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 17c4768 to 2de46f1 Compare May 30, 2023 17:36
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 2de46f1 to 06f052e Compare June 18, 2023 16:43
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 06f052e to 16b91e9 Compare July 5, 2023 16:19
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 16b91e9 to 5b6f0f1 Compare September 4, 2023 14:08
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 5b6f0f1 to 4e9488f Compare September 23, 2023 11:49
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch 2 times, most recently from 9ed263a to 9ae8231 Compare October 30, 2023 18:49
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 9ae8231 to 37f5543 Compare November 29, 2023 16:01
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch 3 times, most recently from e6d782b to cf554aa Compare December 24, 2023 16:35
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch 2 times, most recently from c5ff8a5 to 34bfa11 Compare January 19, 2024 23:34
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 34bfa11 to a1b43a2 Compare February 2, 2024 19:38
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from a1b43a2 to ede20fc Compare February 16, 2024 19:12
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from ede20fc to 40d0016 Compare February 29, 2024 23:01
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 40d0016 to fd6e973 Compare April 20, 2024 11:52
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch 2 times, most recently from ffb7ebb to e2a03aa Compare June 25, 2024 18:42
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from e2a03aa to 6ffbde4 Compare June 27, 2024 19:29
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from 6ffbde4 to d9a3273 Compare July 12, 2024 23:41
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from d9a3273 to e0d2ba5 Compare August 22, 2024 18:49
@renovate renovate bot force-pushed the renovate/maven-com.puppycrawl.tools-checkstyle-vulnerability branch from e0d2ba5 to 78d5458 Compare October 10, 2024 21:02
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants