Anthony Stirling
2026-02-25 15:42:36 +00:00
committed by GitHub
parent 2bacb4dc81
commit c9e7d9d6c9
2 changed files with 19 additions and 0 deletions


@@ -76,6 +76,8 @@ dependencies {
implementation "org.apache.pdfbox:xmpbox:$pdfboxVersion"
implementation 'org.verapdf:validation-model:1.28.2'
// CVE-2025-66453: Explicit rhino 1.7.15 to override verapdf's 1.7.13
implementation 'org.mozilla:rhino:1.7.15'
// veraPDF still uses javax.xml.bind, not the new jakarta namespace
implementation 'javax.xml.bind:jaxb-api:2.3.1'
@@ -89,6 +91,8 @@ dependencies {
exclude group: 'org.bouncycastle', module: 'bcprov-jdk15on'
exclude group: 'com.google.code.gson', module: 'gson'
}
// CVE-2022-25647: Explicit gson 2.8.9 to prevent unsafe deserialization (tabula would pull 2.8.7)
implementation 'com.google.code.gson:gson:2.8.9'
implementation 'org.apache.pdfbox:jbig2-imageio:3.0.4'
implementation 'com.opencsv:opencsv:5.12.0' // https://mvnrepository.com/artifact/com.opencsv/opencsv
implementation 'org.apache.poi:poi-ooxml:5.5.1'
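Review bot: The versions added in `implementation 'org.mozilla:rhino:1.7.15'` and `implementation 'com.google.code.gson:gson:2.8.9'` are repeated as bare literals in the root build.gradle `resolutionStrategy.force` lines of the same commit, so a future bump of one place without the other is silently resolved in favour of the force (a downgrade if the explicit dependency is raised first). This file already parameterises pdfbox via `$pdfboxVersion`; declaring `rhinoVersion` and `gsonVersion` the same way and writing `implementation "org.mozilla:rhino:$rhinoVersion"` (double quotes, so Groovy interpolates) in both files keeps a single source of truth that the CVE comments can reference. Note that an explicit `implementation` line only wins here because Gradle's default conflict resolution picks the highest version and 1.7.15 > 1.7.13; the comment could say so rather than calling it an override. The `dependencies {` block both hunks belong to starts before the first hunk and continues after the second.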


@@ -188,6 +188,21 @@ subprojects {
// google-java-format 1.34+ requires Guava 33.x (ImmutableSortedMapFauxverideShim);
// force it here so Spotless's FeatureClassLoader resolves the correct version.
resolutionStrategy.force 'com.google.guava:guava:33.4.8-jre'
// Security CVE fixes - hardcoded resolution strategy to ensure safe versions
// Primary fixes via explicit dependencies in app/core/build.gradle:
// - CVE-2022-25647: gson 2.8.9+ (explicit dependency overrides tabula 2.8.7)
// - CVE-2025-66453: rhino 1.7.15 (explicit dependency overrides verapdf 1.7.13)
// Fallback strategy force declarations for additional safety:
resolutionStrategy.force 'com.google.code.gson:gson:2.8.9'
resolutionStrategy.force 'org.mozilla:rhino:1.7.15'
// CVE-2025-48924: commons-lang3 3.20.0 DoS prevention
resolutionStrategy.force 'org.apache.commons:commons-lang3:3.20.0'
// CVE-2024-47554: commons-io 2.21.0 DoS prevention
resolutionStrategy.force 'commons-io:commons-io:2.21.0'
// Bouncycastle 1.83 (from bouncycastleVersion variable)
resolutionStrategy.force 'org.bouncycastle:bcprov-jdk18on:1.83'
resolutionStrategy.force 'org.bouncycastle:bcpkix-jdk18on:1.83'
}
dependencyManagement {
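Review bot: The comment `// Bouncycastle 1.83 (from bouncycastleVersion variable)` does not match the two force lines under it, which hard-code `1.83` inside single-quoted (non-interpolating) strings; either change them to `resolutionStrategy.force "org.bouncycastle:bcprov-jdk18on:$bouncycastleVersion"` and `resolutionStrategy.force "org.bouncycastle:bcpkix-jdk18on:$bouncycastleVersion"` so the pin actually tracks the variable, or drop the parenthetical. Separately, `resolutionStrategy.force` pins an exact version in both directions: if a transitive dependency later requires a commons-lang3 or commons-io newer than the forced one, the force overrides it downward without any warning, so these are not minimums as the "DoS prevention" comments read. Suggest adding `// NOTE: force pins exact versions (not minimums); re-check these when upgrading dependencies, a newer transitive requirement is overridden downward.` above the first force line, or moving the gson/rhino pins to version constraints with `require` if a floor is what is intended. The enclosing `resolutionStrategy`/`subprojects` block starts before the hunk.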