
Port: Prevent XXE injection during CycloneDX validation and parsing #756

Merged: 5 commits, Jun 25, 2024

Commits on Jun 24, 2024

  1. Support ingestion of CycloneDX v1.6 BOMs

    * Updates `cyclonedx-core-java` to version `9.0.3`
    * ~Bumps Jackson to version `2.17.1` to resolve compatibility issues with `cyclonedx-core-java`~
        * Jackson was already updated
    * Resolve various compilation errors due to refactoring in `cyclonedx-core-java`
    * Add validator tests for all CycloneDX versions
    
    Note that BOM exports will continue to use v1.5 for the time being. This avoids breaking users' workflows in case their tooling doesn't yet support v1.6.
    
    Ports DependencyTrack/dependency-track#3863 from Dependency-Track v4.11.4.
    
    Signed-off-by: nscuro <[email protected]>
    nscuro committed Jun 24, 2024
    Commit 6cd2d4c
  2. Address minor change in schema validation output

    Caused by updating the transitive dependency on https://github.com/networknt/json-schema-validator via `cyclonedx-core-java`.
    
    Signed-off-by: nscuro <[email protected]>
    nscuro committed Jun 24, 2024
    Commit 4a760c5
  3. Fix failing test due to bom-schema1.4.json removal

    Signed-off-by: nscuro <[email protected]>
    nscuro committed Jun 24, 2024
    Commit 39ac8f7
  4. Fix BOM validation failing when URL contains encoded [ and ] characters

    
    Also drop dependency on outdated `xercesImpl`. `xercesImpl` does not support the `http://javax.xml.XMLConstants/property/accessExternalDTD` property that `cyclonedx-core-java` is using:
    
    ```
    java.lang.IllegalArgumentException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
    	at org.apache.xerces.jaxp.DocumentBuilderFactoryImpl.setAttribute(Unknown Source)
    	at org.cyclonedx.parsers.XmlParser.createSecureDocument(XmlParser.java:339)
    	at org.cyclonedx.parsers.XmlParser.extractAllNamespaceDeclarations(XmlParser.java:310)
    	at org.cyclonedx.parsers.XmlParser.identifySchemaVersion(XmlParser.java:296)
    	at org.cyclonedx.parsers.XmlParser.parse(XmlParser.java:97)
    ```
    
    ~The remaining code relying on `xerces` turned out to be unused, and was consequently removed as well.~ Code depending on `xercesImpl` was removed already.
    
    Ports DependencyTrack/dependency-track#3866 from Dependency-Track v4.11.4.
    
    Signed-off-by: nscuro <[email protected]>
    nscuro committed Jun 24, 2024
    Commit 3e4ebeb
  5. Prevent XXE injection during CycloneDX validation and parsing

    Ports DependencyTrack/dependency-track#3871 from Dependency-Track v4.11.4.
    
    Signed-off-by: nscuro <[email protected]>
    nscuro committed Jun 24, 2024
    Commit 00c1fbc
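As an added illustration of the kind of hardening the last two commits are about (this is example code written for this page, not code from `cyclonedx-core-java`, Dependency-Track or Hyades), the following Java class builds a `DocumentBuilderFactory` and a `SchemaFactory` locked down against XXE and feeds the parser a constructed CycloneDX-shaped document that carries a hostile `DOCTYPE`. The class name, the two sample documents and the helper methods are assumptions made for the example; the feature and property names are the standard Xerces/JAXP ones, including the `accessExternalDTD` property that the stack trace above shows an outdated `xercesImpl` rejecting.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.validation.SchemaFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Added example (not project code): an XXE-hardened parser setup for XML BOMs,
 * exercised against a constructed CycloneDX-shaped document with a hostile DOCTYPE.
 */
public final class XxeHardening {

    // Constructed sample: a minimal CycloneDX 1.6 XML BOM whose DOCTYPE declares an
    // external entity that points at a local file. A parser that resolves entities
    // would copy that file's contents into the component name.
    static final String HOSTILE_BOM =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE bom [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
      + "<bom xmlns=\"http://cyclonedx.org/schema/bom/1.6\" version=\"1\">\n"
      + "  <components>\n"
      + "    <component type=\"library\"><name>&xxe;</name></component>\n"
      + "  </components>\n"
      + "</bom>\n";

    // Constructed sample: the same BOM without any DOCTYPE, as a benign upload would look.
    static final String BENIGN_BOM =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<bom xmlns=\"http://cyclonedx.org/schema/bom/1.6\" version=\"1\">\n"
      + "  <components>\n"
      + "    <component type=\"library\"><name>example-lib</name></component>\n"
      + "  </components>\n"
      + "</bom>\n";

    /** Factory that refuses DOCTYPEs and never fetches external DTDs or schemas. */
    static DocumentBuilderFactory secureFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Rejecting every DOCTYPE blocks classic XXE and entity-expansion DoS outright.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should a DOCTYPE ever be allowed again.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5 properties: an empty protocol list means "no external access".
        // An outdated xercesImpl on the classpath throws IllegalArgumentException here.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    /** Schema validation needs the same lockdown, or the validator becomes the XXE vector. */
    static SchemaFactory secureSchemaFactory() throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return sf;
    }

    /** Parses an XML BOM with the hardened factory; returns null when the parser rejects it. */
    static Document parseBom(String xml) throws ParserConfigurationException, IOException {
        DocumentBuilder builder = secureFactory().newDocumentBuilder();
        try {
            return builder.parse(new InputSource(new StringReader(xml)));
        } catch (SAXException e) {
            // With disallow-doctype-decl set, the hostile sample fails here before any
            // entity is resolved, so no file content ever reaches the DOM.
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        Document hostile = parseBom(HOSTILE_BOM);
        System.out.println("hostile BOM accepted: " + (hostile != null));
        Document benign = parseBom(BENIGN_BOM);
        System.out.println("benign BOM root element: " + benign.getDocumentElement().getLocalName());
    }
}
```

Two practical caveats. First, the `ACCESS_EXTERNAL_*` properties are honoured by the JDK's built-in parser but not by the old standalone `xercesImpl` artifact, which is exactly the `IllegalArgumentException` shown in the commit message above, so removing that dependency is part of the fix rather than a cleanup. Second, `ACCESS_EXTERNAL_SCHEMA=""` also blocks `xs:import`/`xs:include` references that are resolved over the network; schemas bundled with the application should be supplied through an `LSResourceResolver` (which takes precedence over the access restriction) rather than by loosening the property.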