In the recent security alert referenced here, I saw that Vaadin 7 may have a security issue because of a jsoup vulnerability. Because of other factors, I cannot upgrade. So I want to include jsoup directly in my project. Where it was previously included transitively via vaadin-server, it is now included directly, and the version referenced by vaadin-server is omitted because it conflicts with 1.14.2. Is this a safe way to resolve the security issue?
I am using Vaadin 7.7.17 and Maven.
I'm asking this largely because Vaadin did not offer this as a possible solution, so I assume it will fail. But since Maven shows no error, I'm worried I have missed something that would only show up as some odd runtime behaviour.
Here is the dependency tree produced by mvn dependency:tree. First, the original version, stripped down:
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------------< com.mobiwms:vaadinwebsite >----------------------
[INFO] Building vaadinwebsite 4.0.31
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ vaadinwebsite ---
[INFO] com.mobiwms:vaadinwebsite:war:4.0.31
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- com.vaadin:vaadin-server:jar:7.7.17:compile
[INFO] | +- com.vaadin:vaadin-sass-compiler:jar:0.9.13:compile
[INFO] | | +- org.w3c.css:sac:jar:1.3:compile
[INFO] | | - com.vaadin.external.flute:flute:jar:1.3.0.gg2:compile
[INFO] | +- com.vaadin:vaadin-shared:jar:7.7.17:compile
[INFO] | - org.jsoup:jsoup:jar:1.8.3:compile
[INFO] +- com.vaadin:vaadin-push:jar:7.7.17:compile
[INFO] | - com.vaadin.external.atmosphere:atmosphere-runtime:jar:2.2.13.vaadin1:compile
[INFO] | - com.vaadin.external.slf4j:vaadin-slf4j-jdk14:jar:1.6.1:compile
[INFO] +- com.vaadin:vaadin-client:jar:7.7.17:provided
... // Stripped out unrelated portions of hierarchy.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.758 s
[INFO] Finished at: 2021-10-27T18:59:19-04:00
[INFO] ------------------------------------------------------------------------
Now the new version, stripped down:
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------------< com.mobiwms:vaadinwebsite >----------------------
[INFO] Building vaadinwebsite 4.0.31
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ vaadinwebsite ---
[INFO] com.mobiwms:vaadinwebsite:war:4.0.31
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- com.vaadin:vaadin-server:jar:7.7.17:compile
[INFO] | +- com.vaadin:vaadin-sass-compiler:jar:0.9.13:compile
[INFO] | | +- org.w3c.css:sac:jar:1.3:compile
[INFO] | | - com.vaadin.external.flute:flute:jar:1.3.0.gg2:compile
[INFO] | - com.vaadin:vaadin-shared:jar:7.7.17:compile
[INFO] +- com.vaadin:vaadin-push:jar:7.7.17:compile
[INFO] | - com.vaadin.external.atmosphere:atmosphere-runtime:jar:2.2.13.vaadin1:compile
[INFO] | - com.vaadin.external.slf4j:vaadin-slf4j-jdk14:jar:1.6.1:compile
[INFO] +- com.vaadin:vaadin-client:jar:7.7.17:provided
... // Stripped out unrelated portions of hierarchy.
[INFO] - org.jsoup:jsoup:jar:1.14.2:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.285 s
[INFO] Finished at: 2021-10-27T18:56:01-04:00
[INFO] ------------------------------------------------------------------------
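The question does not show the pom.xml itself, so the following is an added example (not the asker's project file) of how a project built on the coordinates visible in the two dependency trees above can force the patched jsoup version. The coordinates for the project, vaadin-server, vaadin-push, vaadin-client, javax.servlet-api and jsoup are taken from the trees; the use of `<dependencyManagement>` and the property names are assumptions.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <!-- Project coordinates as they appear in the dependency tree in the question -->
  <groupId>com.mobiwms</groupId>
  <artifactId>vaadinwebsite</artifactId>
  <version>4.0.31</version>
  <packaging>war</packaging>

  <properties>
    <vaadin.version>7.7.17</vaadin.version>
    <!-- Patched jsoup version the question wants to enforce (assumed property name) -->
    <jsoup.version>1.14.2</jsoup.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Pins org.jsoup:jsoup for every path in the graph, including the transitive
           1.8.3 reference coming from vaadin-server, independent of declaration order
           and of Maven's nearest-wins mediation. -->
      <dependency>
        <groupId>org.jsoup</groupId>
        <artifactId>jsoup</artifactId>
        <version>${jsoup.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>javax.servlet-api</artifactId>
      <version>3.0.1</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>com.vaadin</groupId>
      <artifactId>vaadin-server</artifactId>
      <version>${vaadin.version}</version>
    </dependency>
    <dependency>
      <groupId>com.vaadin</groupId>
      <artifactId>vaadin-push</artifactId>
      <version>${vaadin.version}</version>
    </dependency>
    <dependency>
      <groupId>com.vaadin</groupId>
      <artifactId>vaadin-client</artifactId>
      <version>${vaadin.version}</version>
      <scope>provided</scope>
    </dependency>
    <!-- Declaring jsoup directly as well is what makes it appear at depth 1 in
         mvn dependency:tree (the second tree in the question); a direct dependency
         wins over the transitive one by nearest-wins even without the pin above,
         but the pin also covers any other transitive path that might be added later. -->
    <dependency>
      <groupId>org.jsoup</groupId>
      <artifactId>jsoup</artifactId>
      <version>${jsoup.version}</version>
    </dependency>
  </dependencies>
</project>
```

After building, confirm the override took effect in both the resolved graph and the artifact that is actually deployed: `mvn dependency:tree -Dincludes=org.jsoup` should list only jsoup 1.14.2, and listing the WAR contents (`unzip -l target/vaadinwebsite-4.0.31.war | grep jsoup`) should show a single jsoup-1.14.2.jar under WEB-INF/lib. The dependency resolution itself cannot tell you whether Vaadin's own calls into jsoup still compile and behave against the newer API, so the application's existing tests (or at least a smoke test of the views that render HTML) are the place to catch any runtime incompatibility.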
Nothing to worry about here. Vaadin 7 itself has no actual issue that would be affected by the potential jsoup vulnerability. Updating the dependency to a newer version is more about forcing application developers to use the newer version. Newer versions of jsoup have some API changes that require small code changes in Vaadin 7. If your application does not use jsoup in a way that exposes the vulnerability, the upgrade is not strictly mandatory. Also note that Vaadin 7 versions newer than 7.7.17 require a commercial license for extended support.