Hi,

Thank you very much, your code pushed me forward to the next error:

[ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (audit-dependencies) on project tika-fetcher-az-blob: Detected 1 vulnerable components:
[ERROR]   io.projectreactor.netty:reactor-netty-http:jar:1.1.12:compile; https://ossindex.sonatype.org/component/pkg:maven/io.projectreactor.netty/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR]     * [CVE-2023-34062] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2023-34062?component-type=maven&component-name=io.projectreactor.netty%2Freactor-netty-http&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] 
[ERROR] Excluded coordinates:
[ERROR]   - io.netty:netty-handler:4.1.100.Final

It is still about a vulnerable component… do you think it is safe to skip this one too?

Thank you for your help

Best,
Simone

> On 27 Nov 2023, at 20:29, Tilman Hausherr <[email protected]> wrote:
> 
> Hi,
> 
> Add this to the file tika-parent/pom.xml, after the H2 segment below (the new stuff starts with the CVE-2023-39913 line), and keep 3.4.1.
> 
>             <!-- used only in tests and in tika-eval, and this problem requires the use of the console.
>                  https://github.com/h2database/h2database/issues/1294 -->
>             <exclude>
>                 <groupId>com.h2database</groupId>
>                 <artifactId>h2</artifactId>
>                 <version>2.2.224</version>
>             </exclude>
>             <!-- CVE-2023-39913: Uima is used because ctakes is used in the
>             natural language process module. Serialization is only on data that is configured in
>             tika-config.xml. We don't think we'd be vulnerable to crafted user input. -->
>             <coordinate>
>                 <groupId>org.apache.uima</groupId>
>                 <artifactId>uimaj-core</artifactId>
>                 <version>3.4.1</version>
>             </coordinate>
> 
> 
> Tilman
> 
> On 27.11.2023 13:58, Simone Gabbriellini wrote:
>> Hello,
>> 
>> I am trying to build Tika 2.9.1 on my ubuntu 18.04 and I received this error:
>> 
>> [ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (audit-dependencies) on project tika-parser-nlp-module: Detected 1 vulnerable components:
>> [ERROR]   org.apache.uima:uimaj-core:jar:3.4.1:provided; https://ossindex.sonatype.org/component/pkg:maven/org.apache.uima/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
>> [ERROR]     * [CVE-2023-39913] CWE-20: Improper Input Validation (8.8); https://ossindex.sonatype.org/vulnerability/CVE-2023-39913?component-type=maven&component-name=org.apache.uima%2Fuimaj-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
>> [ERROR] 
>> [ERROR] Excluded coordinates:
>> [ERROR]   - xerces:xercesImpl:2.12.2
>> 
>> I have however updated uimaj to version 3.5.0, but it looks like `mvn clean install` is not picking that up and keeps reporting that error, so I am wondering if I need to make other updates to some config file or something… Idk, should I remove uimaj 3.4.1 from my system?
>> 
>> I am now installing using `mvn clean install -Dossindex.skip`, but wanted to be sure that the new uimaj 3.5.0 version will be linked properly…
>> 
>> Thank you,
>> Simone
> 

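For readers following the thread: the two audit failures above are both produced by the ossindex-maven-plugin `audit` goal, and the plugin offers two different ways to tolerate a finding without turning the audit off with `-Dossindex.skip`. The fragment below is an added example, not the Tika project's pom.xml and not code from either poster; it uses the plugin version, execution id and coordinates that appear in the logs above, and the `validate` phase binding is an assumption.

```xml
<!-- Added example (not from the Tika pom or this thread): configuring the
     ossindex-maven-plugin audit goal seen in the log above to tolerate a finding. -->
<plugin>
  <groupId>org.sonatype.ossindex.maven</groupId>
  <artifactId>ossindex-maven-plugin</artifactId>
  <version>3.2.0</version>
  <executions>
    <execution>
      <id>audit-dependencies</id>
      <!-- phase is an assumption for this example; bind it wherever the build audits -->
      <phase>validate</phase>
      <goals>
        <goal>audit</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <!-- keep failing the build on anything that is not explicitly excluded -->
    <fail>true</fail>

    <!-- Option 1: exclude a whole artifact version. Every vulnerability reported
         for this exact coordinate, now or in the future, is silenced. -->
    <excludeCoordinates>
      <coordinate>
        <groupId>org.apache.uima</groupId>
        <artifactId>uimaj-core</artifactId>
        <version>3.4.1</version>
      </coordinate>
    </excludeCoordinates>

    <!-- Option 2: exclude one vulnerability id. Narrower than option 1: a new
         CVE against the same artifact would still fail the build. -->
    <excludeVulnerabilityIds>
      <exclude>CVE-2023-39913</exclude>
    </excludeVulnerabilityIds>
  </configuration>
</plugin>
```

Option 2 is the safer default when the reason for the exception is "this CVE does not apply to how we use the library", as in the uimaj comment quoted above, because the exception expires the moment a different CVE is filed against the same version. Whichever option is used, the comment next to it should record the reason, as the Tika snippet does. To check which version of an artifact Maven actually resolved (Simone's question about uimaj 3.5.0), `mvn dependency:tree -Dincludes=org.apache.uima:uimaj-core` on the module in question prints the resolved coordinate; editing the version in a local copy of the jar does nothing if the pom still declares 3.4.1.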