[ 
https://issues.apache.org/jira/browse/ARTEMIS-2630?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Justin Bertram resolved ARTEMIS-2630.
-------------------------------------
    Resolution: Information Provided

False positives from security scanners on documentation resources are certainly 
an annoyance. However, for every user who _doesn't_ want the documentation 
bundled with the binary distribution I imagine there's another who does. Users 
who don't want these false positives should strip the documentation from the 
distribution, e.g.:
{noformat}
$ rm -Rf web/hacking-guide/
$ rm -Rf web/user-manual/
$ rm -Rf web/migration-guide/
$ rm -Rf web/api/
{noformat}

> Veracode XSS in migration-guide
> -------------------------------
>
>                 Key: ARTEMIS-2630
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-2630
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>    Affects Versions: 2.6.2
>            Reporter: Stephen James Agneta
>            Priority: Major
>
> VeraCode security scanner picks up a Cross Site Scripting error within 
> gitbook.js and theme.js within the migration-guide. I'm actually not 
> suggesting that be fixed or even that it is a real security issue. I don't 
> know.
> What does surprise me is that the documentation is distributed within the 
> binary releases rather than just the source releases. I'm going to suggest 
> that the binary releases just contain the binaries (and any files required 
> for run-time) rather than also contain docs which are often picked up on 
> security scans.
>  
> I know this is somewhat of a religious issue in terms of binary releases with 
> or without documentation. However, the reality in the field is that binary 
> releases are often simply deployed as is and thus documentation comes along 
> for the ride and is constantly picked up by security scanners as an issue.
>  
> I think the better part of valor is to not bundle the docs with binary 
> releases. It's not worth the hassle. In any event, at least you will be aware 
> of the issue. I know this issue exists from 2.6.2 onward. 
>  
> Thanks again,
> Steve
>  
--
This message was sent by Atlassian Jira
(v8.3.4#803005)