My PR is based on master, which was lagging behind the 3.4.x-fixes branch (latest). This is sorted now, since I updated my CXF-8432 to the latest upstream, which is 3.4.x-fixes.
Apologies for that.

On 2021/03/15 20:00:09, Alan Mehio <[email protected]> wrote:
> Dear all,
> I am bugged with a new feature from GitHub, see
> https://developer.github.com/changes/2019-09-06-more-check-annotations-shown-in-files-changed-tab/
>
> Even though the file has not been changed by my PR, it adds a check giving an action to
> be taken.
> The GitHub feature is a beta version, see "Unchanged files with check
> annotations Beta"
> under https://github.com/apache/cxf/pull/755/files#annotation_1154081169
>
> The CodeQL rule, or the file, that is defined here:
> https://codeql.github.com/codeql-query-help/java/java-unsafe-hostname-verification/
>
> It is worth looking at; it may be a security issue with the class SSLUtils,
> line 58:
> verifier = new
> DefaultHostnameVerifier(PublicSuffixMatcherLoader.getDefault());
> All complaints are toward this class DefaultHostnameVerifier, which is copied
> from Apache HttpClient:
> https://github.com/apache/httpcomponents-client/blob/0940d35602f505a9c0026ea7ef353971af5e4ab8/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java
>
> It seems this feature has been implemented recently. Please help to sort this
> issue, since my pull has this failing check which has nothing to do with my
> changes. In case I have missed anything, please help me to take proper
> action in order to pass this check.
>
> Regards,
> Alan
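For readers following the thread, an added illustration of the pattern the CodeQL query linked above exists to catch, placed beside the verifier construction the message quotes from SSLUtils. This is example code written for this page, not CXF's SSLUtils and not HttpClient's DefaultHostnameVerifier; it assumes Apache HttpClient 4.5.x (org.apache.httpcomponents:httpclient, which provides org.apache.http.conn.ssl.DefaultHostnameVerifier and org.apache.http.conn.util.PublicSuffixMatcherLoader) on the classpath, and the class names HostnameVerifierDemo and AcceptAllVerifier are hypothetical.

```java
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.util.PublicSuffixMatcherLoader;

/**
 * Added example (not CXF or HttpClient code). Shows the shape of
 * HostnameVerifier that an "unsafe hostname verification" query is meant to
 * flag, next to the strict verifier construction quoted from SSLUtils.
 * Assumes HttpClient 4.5.x on the classpath.
 */
public class HostnameVerifierDemo {

    /**
     * UNSAFE: accepts every server name without looking at the certificate.
     * A machine-in-the-middle holding any valid certificate (say, for
     * attacker.example) is accepted for api.example.com, so TLS no longer
     * authenticates the peer. This is the pattern static analysis flags.
     */
    static final class AcceptAllVerifier implements HostnameVerifier {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true; // hypothetical bad code, shown only to be contrasted
        }
    }

    /**
     * SAFE: matches the requested host against the certificate's subject
     * alternative names (falling back to the CN) and consults a public-suffix
     * list so a wildcard such as "*.co.uk" cannot match every host under that
     * suffix. This is the same construction the thread quotes from SSLUtils.
     */
    static HostnameVerifier strictVerifier() {
        return new DefaultHostnameVerifier(PublicSuffixMatcherLoader.getDefault());
    }

    /** Issues a HEAD request with the supplied verifier installed on the connection. */
    static int head(String url, HostnameVerifier verifier) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setHostnameVerifier(verifier);
        conn.setRequestMethod("HEAD");
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws IOException {
        // The accept-all verifier ignores both arguments, so no network is needed
        // to show the problem: a name that cannot match any certificate "verifies".
        HostnameVerifier unsafe = new AcceptAllVerifier();
        System.out.println("accept-all verifies attacker.example: "
                + unsafe.verify("attacker.example", null));

        // DefaultHostnameVerifier needs a real SSLSession (the peer certificate),
        // so it is only exercised when an HTTPS URL is passed on the command line.
        if (args.length > 0) {
            System.out.println("HEAD " + args[0] + " with strict verifier -> "
                    + head(args[0], strictVerifier()));
        }
    }
}
```

Run without arguments to see the accept-all verifier pass a name it should never pass; run with an HTTPS URL to send a request through the strict verifier. The point for the thread is that the flagged line in SSLUtils is the second shape, not the first: constructing DefaultHostnameVerifier with a PublicSuffixMatcher is the hostname check, whereas the query targets verify methods that return true unconditionally.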
