

Merge pull request #77 from jenkinsci/miguel/fix-security-alerts/potentially-unsafe-classes

Dismiss unsafe class alerts about org.apache.commons.digester3.Digester
pablobayarri authored Aug 22, 2024
2 parents cc3976a + 1f2cd7a commit 17203a7
Showing 4 changed files with 11 additions and 0 deletions.
3 changes: 3 additions & 0 deletions src/main/java/com/codicesoftware/plugins/DigesterUtils.java
Expand Up @@ -11,6 +11,9 @@ private DigesterUtils() {
// private as it is an utility class
}

// This method disables features that are known to allow XML External Entity (XXE) attacks
// unless forced to be insecure
@SuppressWarnings("lgtm[jenkins/unsafe-classes]")
public static Digester createDigester(boolean secure) throws SAXException {
Digester digester = new Digester();
if (secure) {
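Review bot: The `@SuppressWarnings("lgtm[jenkins/unsafe-classes]")` placed on `createDigester` covers the whole method, including the branch taken when `secure` is false, so any further unsafe construction added to this method later would be silenced as well. If the alert is raised at the `new Digester()` expression and the scanner honors annotations on local declarations, narrowing it to `@SuppressWarnings("lgtm[jenkins/unsafe-classes]") Digester digester = new Digester();` keeps the rest of the method under scan. The two `//` lines above the signature would serve callers better as Javadoc with `@param secure` stating that `false` returns a Digester whose XXE-related parser features are left at their defaults, and `@throws SAXException` for the feature-setting path. The hardening body beginning at `if (secure) {` continues outside the hunk, so which features it actually disables cannot be confirmed here.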
Expand Up @@ -24,6 +24,8 @@
*/
public class ChangeSetReader extends ChangeLogParser {

// DigesterUtils will return a secured Digester unless there's a UNSAFE property in ChangeSetReader set to "true"
@SuppressWarnings("lgtm[jenkins/unsafe-classes]")
@Override
public ChangeSetList parse(
Run run, RepositoryBrowser<?> browser, File changelogFile)
Expand All @@ -36,6 +38,8 @@ public ChangeSetList parse(
}
}

// DigesterUtils will return a secured Digester unless there's a UNSAFE property in ChangeSetReader set to "true"
@SuppressWarnings("lgtm[jenkins/unsafe-classes]")
public ChangeSetList parse(
Run<?, ?> run, RepositoryBrowser<?> browser, Reader reader)
throws IOException, SAXException {
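Review bot: The comment added above each `parse` overload justifies the suppression by an `UNSAFE` property "in ChangeSetReader" without naming how that flag is declared or set, and neither the flag nor the `DigesterUtils.createDigester` call it alludes to is visible in this hunk, so a reader cannot confirm that the suppression matches what the method does. Name the flag as the code spells it and the call it guards, e.g. `// Digester comes from DigesterUtils.createDigester(...) and is hardened against XXE unless this class's UNSAFE flag is true; lgtm unsafe-classes alert suppressed for that reason`, and change `a UNSAFE` to `an UNSAFE`. The same comment with only the class name substituted appears in the FindOutputParser and LogOutputParser hunks and should get the same wording. Because this flag turns XXE hardening off at runtime, its declaration (presumably a static field, to be confirmed) should document who can set it and why it exists. Both `parse` bodies continue outside the hunk.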
Expand Up @@ -21,6 +21,8 @@ public class FindOutputParser {
// Utility classes shouldn't have default constructors
private FindOutputParser() { }

// DigesterUtils will return a secured Digester unless there's a UNSAFE property in FindOutputParser set to "true"
@SuppressWarnings("lgtm[jenkins/unsafe-classes]")
@Nonnull
public static List<ChangeSet> parseReader(
@Nonnull final ObjectSpecType specType,
Expand Up @@ -19,6 +19,8 @@ public final class LogOutputParser {
// Utility classes shouldn't have default constructors
private LogOutputParser() { }

// DigesterUtils will return a secured Digester unless there's a UNSAFE property in LogOutputParser set to "true"
@SuppressWarnings("lgtm[jenkins/unsafe-classes]")
public static List<ChangeSet> parseFile(
FilePath path, String repoName, String server) throws IOException, ParseException {
List<ChangeSet> csetList = new ArrayList<>();
