
[EPIC]: Review security-related PRs created by Dependabot #28388

Closed
10 tasks done
jcastro-dotcms opened this issue Apr 30, 2024 · 0 comments · Fixed by #28445, #25873, #25449 or #29006

jcastro-dotcms commented Apr 30, 2024

Parent Issue

No response

Task

Review the PRs generated by Dependabot related to upgrading libraries used by dotCMS to a safer newer version. We need to make sure that (1) the suggested version is still the right one, and (2) vulnerable versions of such libraries are not being pulled as part of transitive dependencies.

Proposed Objective

Core Features

Proposed Priority

Priority 2 - Important

Acceptance Criteria

It's important to analyze what specific parts of the system rely on the upgraded libraries so that we can test accordingly.

External Links... Slack Conversations, Support Tickets, Figma Designs, etc.

No response

Assumptions & Initiation Needs

No response

Quality Assurance Notes & Workarounds

Because of the high number of reported vulnerabilities and their respective code fixes, both IQA and QA tasks will require a significant amount of effort. In this particular case, several parts of dotCMS will need to be tested:

  • Features dealing with generating XML files, such as Push Publishing.
  • Quartz Job scheduling.
  • GraphQL query executions.
  • Initialization of Custom Portlets and their respective CRUD operations.
  • Ideally, smoke testing of as many features as possible.

Sub-Tasks & Estimates

No response
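The two checks named under Task (is the suggested version the right one, and does any transitive path still pull a bad version) as an added example that is not dotCMS project code: a script that walks `mvn dependency:tree` output and reports every occurrence of a library below a reviewer-chosen minimum version, together with the path from the root artifact that drags it in. The sample tree, the coordinates and the threshold versions are constructed inputs, not advisory data.

```python
# Added example (not dotCMS code): flag artifact versions below a review threshold
# anywhere in default (non-verbose) `mvn dependency:tree` output, with their path.
import re

# Constructed sample of `mvn dependency:tree` output; versions are illustrative.
SAMPLE_TREE = """\
[INFO] com.dotcms:dotcms-core:war:1.0.0-SNAPSHOT
[INFO] +- org.jdom:jdom:jar:1.1:compile
[INFO] +- org.example:some-lib:jar:2.3.0:compile
[INFO] |  \\- org.jdom:jdom:jar:1.1.3:compile
[INFO] +- org.quartz-scheduler:quartz:jar:2.3.2:compile
[INFO] |  \\- com.mchange:c3p0:jar:0.9.5.5:compile
[INFO] \\- com.graphql-java:graphql-java:jar:20.0:compile
"""

# groupId:artifactId -> minimum version the review accepts (constructed values).
MIN_SAFE = {"org.jdom:jdom": (2, 0, 6), "com.mchange:c3p0": (0, 9, 5, 4)}

# Tree glyphs come in 3-char cells ("+- ", "\- ", "|  ", "   "); depth = cell count.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:[|+\\ -]{3})*)(?P<coord>\S+)$")


def parse_version(text):
    """Dotted/dashed version string -> tuple of ints; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", text))


def find_vulnerable(tree_text, min_safe):
    """Return (groupId:artifactId, version, path-from-root) for each hit below threshold."""
    stack, findings = [], []          # stack[i] = coordinate at depth i
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # build noise, blank lines, etc.
        depth = len(m.group("prefix")) // 3
        fields = m.group("coord").split(":")
        ga = f"{fields[0]}:{fields[1]}"
        # root line is g:a:type:version; dependency lines end with :scope
        version = fields[-1] if len(fields) == 4 else fields[-2]
        del stack[depth:]              # leave the previous subtree
        stack.append(f"{ga}:{version}")
        floor = min_safe.get(ga)
        if floor is not None and parse_version(version) < floor:
            findings.append((ga, version, " -> ".join(stack)))
    return findings


if __name__ == "__main__":
    for ga, version, path in find_vulnerable(SAMPLE_TREE, MIN_SAFE):
        print(f"{ga} {version} is below threshold, pulled in via: {path}")
```

Run it against `mvn dependency:tree -DoutputFile=...` output of the branch a Dependabot PR targets; a hit reached only through another library means the PR's direct bump alone will not remove the vulnerable version.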

@fmontes fmontes changed the title [Security] : Review security-related PRs created by Dependabot [EPIC]: Review security-related PRs created by Dependabot May 2, 2024
@fmontes fmontes added the Epic label May 2, 2024
@jcastro-dotcms jcastro-dotcms reopened this May 7, 2024
@jcastro-dotcms jcastro-dotcms linked a pull request May 10, 2024 that will close this issue
github-merge-queue bot pushed a commit that referenced this issue Jun 26, 2024
…29006)

### Proposed Changes
* Removes the use of the JDOM library altogether.
* The classes using the JDOM library living under the
`dotCMS/src/main/java/org/apache/velocity/anakia/` and
`dotcms-integration/src/test/java/com/ettrema/` packages were removed
altogether as well.
* As per Steve Bolton's suggestion, we're now using the JAXB library to
handle XML data representing Portlets in dotCMS. This includes both the
Portlets defined in the `/WEB-INF/portlet.xml` and
`/WEB-INF/portlet-ext.xml` files, and the database.
* Additional Javadoc and code refactoring was done.
* The `dotcms-postman/src/main/resources/postman/PortletResource.json`
Postman suite was refactored to use JWT, organized into folders, and
reviewed to make sure that the REST Endpoint is tested as much as
possible.
oidacra pushed a commit that referenced this issue Jun 26, 2024
@dsilvam dsilvam closed this as completed Jul 10, 2024