Update this line
<reactor.netty.version>1.1.12</reactor.netty.version>
to
<reactor.netty.version>1.1.13</reactor.netty.version>
netty itself is now at 4.1.101.Final
Tilman
On 27.11.2023 20:45, Simone Gabbriellini wrote:
Hi,
Thank you very much, your code pushed me forward to the next error:
[ERROR] Failed to execute goal
org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit
(audit-dependencies) on project tika-fetcher-az-blob: Detected 1
vulnerable components:
[ERROR] io.projectreactor.netty:reactor-netty-http:jar:1.1.12:compile;
https://ossindex.sonatype.org/component/pkg:maven/io.projectreactor.netty/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] * [CVE-2023-34062] CWE-22: Improper Limitation of a
Pathname to a Restricted Directory ('Path Traversal') (7.5);
https://ossindex.sonatype.org/vulnerability/CVE-2023-34062?component-type=maven&component-name=io.projectreactor.netty%2Freactor-netty-http&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR]
[ERROR] Excluded coordinates:
[ERROR] - io.netty:netty-handler:4.1.100.Final
It is still about a vulnerable component… do you think it is safe to
skip this one too?
Thank you for your help
Best,
Simone
On 27 Nov 2023, at 20:29, Tilman Hausherr <[email protected]> wrote:
Hi,
Add this to the file tika-parent/pom.xml, after the H2 segment below
(the new stuff starts with the CVE-2023-39913 line), and keep 3.4.1.
<!-- used only in tests and in tika-eval, and this
problem requires the use of the console.
https://github.com/h2database/h2database/issues/1294 -->
<exclude>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<version>2.2.224</version>
</exclude>
<!-- CVE-2023-39913: Uima is used because ctakes is used
in the
natural language process module. Serialization is only on
data that is configured in
tika-config.xml. We don't think we'd be vulnerable to
crafted user input. -->
<coordinate>
<groupId>org.apache.uima</groupId>
<artifactId>uimaj-core</artifactId>
<version>3.4.1</version>
</coordinate>
Tilman
On 27.11.2023 13:58, Simone Gabbriellini wrote:
Hello,
I am trying to build Tika 2.9.1 on my ubuntu 18.04 and I received
this error:
[ERROR] Failed to execute goal
org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit
(audit-dependencies) on project tika-parser-nlp-module: Detected 1
vulnerable components:
[ERROR] org.apache.uima:uimaj-core:jar:3.4.1:provided;
https://ossindex.sonatype.org/component/pkg:maven/org.apache.uima/[email protected]?utm_source=3Dossindex-client&utm_medium=3Dintegration&utm_content3D1.8.1
[ERROR] * [CVE-2023-39913] CWE-20: Improper Input Validation (8.8);
https://ossindex.sonatype.org/vulnerability/CVE-2023-39913?component-type=3Dmaven&component-name=3Dorg.apache.uima%2Fuimaj-core&utm_source=3Dossindex-client&utm_medium=3Dintegration&utm_content=3D1.8.1
[ERROR]=20
[ERROR] Excluded coordinates:
[ERROR] - xerces:xercesImpl:2.12.2
I have however updated uimaj to version 3.5.0, but it looks like
`mvn clean install` is not picking that up and keeps reporting that
error, so I am wondering if I need to make other update to some
config file or something… Idk, should I remove uimaj 3.4.1 from my
system?
I am now installing using `mvn clean install -Dossindex.skip`,
but wanted to be sure that the new uimaj 3.5.0 version will be
linked properly…
Thank you,
Simone
