CA Config Editor embeds vulnerable angular libraries

Description

When you check the io.wcm.caconfig.editor package for vulnerabilities with https://jeremylong.github.io/DependencyCheck/dependency-check-maven/ you get the following alerts:

The same happens for the most recent version, as those libraries haven't been updated since 2019 (https://github.com/wcm-io/wcm-io-caconfig/tree/develop/editor/bundle/src/main/webapp/app-root/clientlibs/io.wcm.caconfig.editor.angularjs/js).

Activity

David Ding May 17, 2021 at 2:30 PM

PR open for review:

Konrad Windszus May 12, 2021 at 12:24 PM
Edited

Sorry, my bad. Editing works, but there is no button for editing. You just have to click on the description (weird UI).

Stefan Seifert May 12, 2021 at 9:57 AM

Separate ticket for dependency-check-maven:

All “reporter” should have edit rights for the tickets; cross-checked it in the current config. Strange it does not work for you.

Konrad Windszus May 11, 2021 at 8:01 AM

I would recommend including dependency-check-maven in the Maven build to get notifications about vulnerabilities.

Stefan Seifert May 11, 2021 at 7:59 AM

Yes, we should definitely update those.

Fixed

Details

Created May 10, 2021 at 9:21 AM
Updated May 25, 2021 at 8:38 AM
Resolved May 25, 2021 at 8:38 AM