opencsv Source
Brought to you by: aruckerjones, sconway
Damiano wants to merge 1 commit from /u/dalbani/opencsv/ to master, 2022-10-24
In particular due to the following critical security vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2022-42889.
Commit | Date
---|---
 | 2022-10-17 19:08:14
Request maintainers to please prioritize this upgrade of Apache Commons Text to 1.10.0 for fixing CVE-2022-42889
Or else, could you confirm that opencsv isn't vulnerable to CVE-2022-42889?
I'm no longer actively developing in the project, and Scott is the only one who performs releases, but I know the code. I wrote a significant portion of it, and I was the one who started using Apache Commons Text. opencsv does not use its string interpolation feature. As such, it is not affected by this vulnerability.
Nonetheless, a release ought not to be a problem, I should think.
Thank you for taking the time to respond, Andrew. And for confirming my observations.
I also hope that the change proposed by Damiano Albani will be merged soon.
Although the transitive dependency can of course be overridden, the main benefit of releasing OpenCSV with an updated Commons Text dependency would be to prevent all the (static) vulnerability scanners from flagging OpenCSV as potentially vulnerable.
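For a project that consumes opencsv and cannot wait for the release, the override mentioned above looks like this in Maven (an added example, not code from this thread or from the opencsv project). The `dependencyManagement` entry forces every path in the graph, including the one through opencsv, to resolve Commons Text to 1.10.0; `OPENCSV_VERSION` is a placeholder, since the thread does not name a version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example pom.xml for an application that depends on opencsv.
     Pins the transitive org.apache.commons:commons-text to 1.10.0, the
     version that fixes CVE-2022-42889, regardless of what opencsv declares.
     OPENCSV_VERSION is a placeholder, not a version taken from the thread. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.placeholder</groupId>
  <artifactId>csv-consumer</artifactId>
  <version>0.1.0</version>

  <dependencyManagement>
    <dependencies>
      <!-- Without this, Maven's "nearest wins" rule keeps the commons-text
           version that opencsv itself declares. A managed version wins for
           direct and transitive dependencies alike, so the scanner sees 1.10.0. -->
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-text</artifactId>
        <version>1.10.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The library under discussion; its own commons-text version is
         overridden by the managed entry above. -->
    <dependency>
      <groupId>com.opencsv</groupId>
      <artifactId>opencsv</artifactId>
      <version>OPENCSV_VERSION</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override took effect before rerunning a scanner, `mvn dependency:tree -Dincludes=org.apache.commons:commons-text` should list commons-text only at 1.10.0.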
When is this change planned to be merged? And a new version released?
Don't have a schedule yet. Please note: opencsv does not use the vulnerable code. A release that includes the newer version of Commons Text is only so static vulnerability scanners stop throwing false positives.
Thanks for the update @aruckerjones
I agree with you that this vulnerability isn't affecting the core opencsv from your message above. However, most of the vulnerability scan tools are flagging opencsv lib as a threat. It also looks awkward to put an exclusion for the Apache Commons Text lib and include the one that doesn't have the vulnerability.
If it's easy and straightforward, can you please prioritize the merge and release the new version?
Hey guys - sorry but I am going to reject this one because I already have the change merged in. I am about to head out to do some chores with the family but if nothing blows up I plan on doing a release this weekend with the fix.
Thanks for releasing the fixed new version.