
[fix][owasp] Fix false positive google-http-client-gson-1.41.0.jar #15651

Merged
merged 1 commit into from
May 19, 2022

Conversation

nicoloboschi (Contributor)

Motivation

google-http-client-gson-1.41.0.jar is getting confused with gson version < 2.8.9

The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

CI failure: https://github.com/apache/pulsar/runs/6483813433?check_suite_focus=true#step:8:13

Modifications

  • Suppress that rule for that package
  • no-need-doc
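The kind of suppression the Modifications list refers to, written out as an added illustration rather than the actual entry in Pulsar's suppression file: OWASP dependency-check identifies artifacts by CPE, and the `gson` in the artifact name `google-http-client-gson` is enough for it to match the `cpe:/a:google:gson` product and report the pre-2.8.9 Gson advisory against an artifact that is merely a Gson adapter. The file name, the `packageUrl` pattern and the CPE below are assumptions based on the public artifact coordinates (`com.google.http-client:google-http-client-gson`) and the dependency-check 1.3 suppression schema, not taken from the repository.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed file name: src/owasp-dependency-check-suppressions.xml (not the project's own path). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: google-http-client-gson is the Google HTTP Client adapter for Gson,
        not com.google.code.gson:gson itself, so the "gson < 2.8.9 writeReplace()
        deserialization" finding does not apply to this artifact. The real gson artifact
        is not covered by this entry and stays in scope for the scanner.
        ]]></notes>
        <!-- Match only this Maven artifact, any version; narrow to @1\.41\.0$ to force a
             re-review on upgrade if that is preferred. -->
        <packageUrl regex="true">^pkg:maven/com\.google\.http\-client/google\-http\-client\-gson@.*$</packageUrl>
        <!-- Suppress the mis-identified CPE rather than a single CVE, since every advisory
             filed against google:gson is equally inapplicable to this adapter jar. -->
        <cpe>cpe:/a:google:gson</cpe>
    </suppress>
</suppressions>
```

Scoping the entry by `packageUrl` is the important part: a bare `<cpe>` suppression without it would silence the same CPE on every dependency in the build, including a genuinely outdated `com.google.code.gson:gson`, which is exactly the finding the scanner should keep raising.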

@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label May 18, 2022
@nicoloboschi (Contributor Author)

/pulsarbot rerun-failure-checks

@Technoboy- Technoboy- closed this May 18, 2022
@Technoboy- Technoboy- reopened this May 18, 2022
@Technoboy- Technoboy- closed this May 18, 2022
@Technoboy- Technoboy- reopened this May 18, 2022
@Technoboy- Technoboy- added this to the 2.11.0 milestone May 19, 2022
@nicoloboschi nicoloboschi merged commit cd0d429 into apache:master May 19, 2022
@nicoloboschi nicoloboschi deleted the owasp-fix-json-error branch May 19, 2022 08:26
nicoloboschi added a commit that referenced this pull request May 23, 2022
nicoloboschi added a commit to datastax/pulsar that referenced this pull request May 23, 2022
nicoloboschi added a commit that referenced this pull request May 24, 2022