[ https://issues.apache.org/jira/browse/ARTEMIS-2630?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Bertram updated ARTEMIS-2630:
------------------------------------
    Summary: Vercode XSS in migration-guide  (was: Vercode XSS in 
migration-guild/gitbook.)

> Vercode XSS in migration-guide
> ------------------------------
>
>                 Key: ARTEMIS-2630
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-2630
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>    Affects Versions: 2.6.2
>            Reporter: Stephen James Agneta
>            Priority: Major
>
> VeraCode security scanner picks up a Cross Site Scripting error within 
> gitbook.js and theme.js within the migration-guide. I'm actually not 
> suggesting that be fixed or even that it is a real security issue. I don't 
> know.
> What does surprise me is that the documentation is distributed within the 
> binary releases rather than just the source releases. I'm going to suggest 
> that the binary releases just contain the binaries (and any files required 
> for run-time) rather than also contain docs which are often picked up on 
> security scans.
>  
> I know this is somewhat of a religious issue in terms of binary releases with 
> or without documentation. However, the reality in the field is that binary 
> releases are often simply deployed as is and thus documentation comes along 
> for the ride and is constantly picked up by security scanners as an issue.
>  
> I think the better part of valor is to not bundle the docs with binary 
> releases. It's not worth the hassle. In any event, at least you will be aware 
> of the issue. I know this issue exists from 2.6.2 onward.
>  
> Thanks again,
> Steve
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)