Gradle: Gradle Includes Vulnerable XercesImpl Jar. Upgrade when patched version available on Maven Central.

Created on 18 Jun 2018 · 3 comments · Source: gradle/gradle


This is a spin off of:
https://github.com/gradle/gradle/issues/5598


The Gradle lib/plugins directory includes a Xerces Impl jar with known security vulnerabilities.

lib/plugins/xercesImpl-2.11.0.jar

Expected Behavior

This jar should be upgraded when a fixed version becomes available on Maven Central. The CVSS threshold should be lowered (if possible) to flag similar issues.

The ticket tracking the release of an updated Xerces jar is:
https://issues.apache.org/jira/browse/XERCESJ-1695

Current Behavior

The CVSS score of Xerces is ~7.5-7.8, so it is currently missed by the OWASP scanning. OWASP scanning is only flagging issues >= 8.0.

Context

No functional issues.

My company's internal security scanning has identified these vulnerabilities in the copy of Gradle we are using internally.

Steps to Reproduce (for bugs)

See notes above regarding expected / current behavior.

Your Environment

N/A
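As an added example (not part of this issue or of the Gradle project), a small Python check that walks an unpacked Gradle distribution's lib/ tree, reports bundled jars that sit below a known fixed version, and applies a scanner-style CVSS cutoff to show why a threshold of 8.0 misses a finding scored around 7.5. The version table and the 7.5 score are assumptions taken from this report, not an authoritative vulnerability database.

```python
"""Check a Gradle distribution's bundled jars against minimum fixed versions.

Constructed example: the only table entry is the xercesImpl case from this
issue, and 7.5 is the approximate CVSS quoted in the report (an assumption),
not an authoritative score.
"""
import re
from pathlib import Path

# artifact id -> (first version known to be fixed, approximate CVSS of the issue)
MIN_FIXED = {"xercesImpl": ("2.12.0", 7.5)}

# Matches "<artifact>-<numeric version>[-qualifier].jar", e.g. xercesImpl-2.11.0.jar
JAR_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d+(?:\.\d+)*)(?:-[^/]*)?\.jar$")


def parse_version(version):
    """'2.11.0' -> (2, 11, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def parse_jar_name(filename):
    """Split a jar file name into (artifact, version); None if it has no version."""
    match = JAR_RE.match(filename)
    return (match.group("name"), match.group("version")) if match else None


def scan_jar_names(filenames):
    """Return (jar, artifact, shipped, fixed, cvss) for every jar below its fixed version."""
    findings = []
    for filename in filenames:
        parsed = parse_jar_name(filename)
        if parsed is None or parsed[0] not in MIN_FIXED:
            continue
        name, shipped = parsed
        fixed, cvss = MIN_FIXED[name]
        if parse_version(shipped) < parse_version(fixed):
            findings.append((filename, name, shipped, fixed, cvss))
    return findings


def scan_distribution(gradle_home):
    """Walk lib/ (which includes lib/plugins/) of an unpacked Gradle distribution."""
    lib_dir = Path(gradle_home) / "lib"
    return scan_jar_names(path.name for path in lib_dir.rglob("*.jar"))


def above_threshold(findings, threshold):
    """Mimic a scanner that only reports findings whose CVSS is >= threshold."""
    return [finding for finding in findings if finding[4] >= threshold]
```

Run `scan_distribution("/path/to/gradle-4.x")` against an unpacked distribution; `above_threshold(hits, 8.0)` is empty for the xercesImpl case while `above_threshold(hits, 7.0)` reports it.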

Labels: chore, contributor, core

All 3 comments

What a hostile response on the Xerces issue tracker, I hope this is not coming from one of the maintainers.

I hope not; it is quite surprising. I created a separate ticket to request someone just manually upload it - going to see where that goes.

Additionally, I have dusted off my Ant build guide and got a build script together to allow their build script to publish the jar directly to a Maven repository, to remove that excuse. I am planning to start chasing that as a patch on the mailing list depending on how my other query is handled.

@oehme - Xerces 2.12 is now available:
https://mvnrepository.com/artifact/xerces/xercesImpl/2.12.0
