[ https://issues.apache.org/jira/browse/PDFBOX-4465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16769526#comment-16769526 ]

Tilman Hausherr commented on PDFBOX-4465:
-----------------------------------------

That seems to be an automatic submission, and its algorithm should be improved 
to avoid producing unneeded work. For example, IO-516 is just about a comment. 
IO-570: just a checkstyle violation. LOGGING-163 is annoying but not a security 
issue.

IO-559 - this may be a security issue, but it will be fixed in 2.7 (not 
released). But commons-io is used only for testing, so there is no danger that 
people pass some weird path.

We are using the maven owasp plugin so we get notified of security issues in 
the third party libraries we use.


> Your project apache/pdfbox is using buggy third-party libraries [WARNING]
> -------------------------------------------------------------------------
>
>                 Key: PDFBOX-4465
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-4465
>             Project: PDFBox
>          Issue Type: Bug
>            Reporter: Kaifeng Huang
>            Priority: Major
>
> Hi, there!
>     We are a research team working on third-party library analysis. We have 
> found that some widely-used third-party libraries in your project have 
> major/critical bugs, which will degrade the quality of your project. We 
> highly recommend that you update those libraries to newer versions.
>     We have attached the buggy third-party libraries and corresponding jira 
> issue links below for you to have more detailed information.
>       1. commons-logging commons-logging
>       version: 1.2
>       Jira issues:
>       BufferedReader is not closed properly
>       affectsVersions:1.1.1;1.2
>       
> https://issues.apache.org/jira/projects/LOGGING/issues/LOGGING-163?filter=allopenissues
>       2. commons-io commons-io
>       version: 2.6
>       Jira issues:
>       .gitattributes not correctly applied
>       affectsVersions:2.6
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-516?filter=allopenissues
>       FilenameUtils.normalize should verify hostname syntax in UNC path
>       affectsVersions:2.6
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-559?filter=allopenissues
>       Missing Javadoc in FilenameUtils causing Travis-CI build to fail
>       affectsVersions:2.6
>       
> https://issues.apache.org/jira/projects/IO/issues/IO-570?filter=allopenissues
> Sincerely~
> FDU Software Engineering Lab
> Feb 15th, 2019
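For reference, this is what wiring the OWASP dependency-check Maven plugin mentioned in the comment above looks like. It is an added example, not a fragment of the PDFBox pom.xml or of the commenter's own configuration; the `${dependency-check.version}` property, the CVSS threshold of 7.0 and the report formats are assumptions chosen for illustration. The plugin's `check` goal, its `failBuildOnCVSS` and `skipTestScope` settings, and the `verify` phase binding are real features of `org.owasp:dependency-check-maven`.

```xml
<!-- pom.xml fragment (added example, not from the PDFBox build).
     Binds the OWASP dependency-check scan to the Maven verify phase so
     every `mvn verify` compares declared dependencies against the NVD
     and fails the build on findings above the configured CVSS score. -->
<project>
  <properties>
    <!-- assumed: pin the plugin version via a property so it is updated in one place -->
    <dependency-check.version>PLUGIN_VERSION_HERE</dependency-check.version>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <configuration>
          <!-- assumed threshold: fail on any finding with CVSS >= 7.0 (High/Critical) -->
          <failBuildOnCVSS>7.0</failBuildOnCVSS>
          <!-- true is the plugin default: test-scoped dependencies such as a
               test-only commons-io are not shipped, so they are not scanned.
               Set to false if the test classpath should be checked as well. -->
          <skipTestScope>true</skipTestScope>
          <!-- assumed: human-readable report plus machine-readable JSON for CI -->
          <formats>
            <format>HTML</format>
            <format>JSON</format>
          </formats>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
            <!-- run during verify so a vulnerable dependency blocks install/deploy -->
            <phase>verify</phase>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in place `mvn verify` (or `mvn org.owasp:dependency-check-maven:check` on its own) produces `target/dependency-check-report.html`; the first run downloads the NVD data feed, so allow for that in CI timeouts. Note that the scan keys on published CVEs, which is exactly the distinction the comment draws: a JIRA ticket about a checkstyle violation or an unclosed reader never becomes a finding, whereas a real advisory against a runtime dependency does.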



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
