Stephen James Agneta created ARTEMIS-2630:
---------------------------------------------
Summary: Veracode XSS in migration-guide/gitbook.
Key: ARTEMIS-2630
URL: https://issues.apache.org/jira/browse/ARTEMIS-2630
Project: ActiveMQ Artemis
Issue Type: Bug
Components: ActiveMQ-Artemis-Native
Affects Versions: 2.6.2
Reporter: Stephen James Agneta
Assignee: Clebert Suconic
Veracode security scanner picks up a Cross Site Scripting error within
gitbook.js and theme.js within the migration-guide. I'm actually not
suggesting that be fixed or even that it is a real security issue. I don't know.
What does surprise me is that the documentation is distributed within the
binary releases rather than just the source releases. I'm going to suggest that
the binary releases just contain the binaries (and any files required for
run-time) rather than also contain docs which are often picked up on security
scans.
I know this is somewhat of a religious issue in terms of binary releases with
or without documentation. However, the reality in the field is that binary
releases are often simply deployed as is, and thus documentation comes along for
the ride and is constantly picked up by security scanners as an issue.
I think the better part of valor is to not bundle the docs with binary
releases. It's not worth the hassle. In any event, at least you will be aware
of the issue. I know this issue exists from 2.6.2 onward.
Thanks again,
Steve
--
This message was sent by Atlassian Jira
(v8.3.4#803005)