I just had a look at this, and I don't think we can continue using Remark and jsoup.
jsoup is a dependency through Remark, which is now archived, and hasn't had an update. The problem is that jsoup 1.15.4 is binary incompatible with the last release of Remark. It continues to use the Whitelist class from 1.14.3 that is no longer present in 1.15.4.
I have seen forks of remark-java that fix the jsoup dependency, but I just don't think this is sustainable long term. We should probably consider moving to flexmark-java eclipse-jdtls/eclipse.jdt.ls#2214 .
We don't do backports for releases though. It would just be updated in the next available version (e.g. 1.37.0).
We usually release once at the end of each month: https://github.com/redhat-developer/vscode-java/milestones?state=closed . With that said, according to the CVE, disabling SafeList.preserveRelativeLinks is an option to prevent this without upgrading. However, this has always been the case, since we don't set it, and it's disabled by default.
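The mitigation mentioned above, that the advisory's setting is off unless a caller turns it on, can be checked directly against jsoup's Cleaner. This is an added example, not code from vscode-java, jdt.ls or Remark; it assumes jsoup 1.14.1 or later (where the class is named Safelist rather than Whitelist) and uses a constructed HTML snippet and a placeholder base URI.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

public class RelativeLinkCheck {
    // Constructed sample input: one relative link, as untrusted HTML might carry.
    static final String UNTRUSTED = "<p>See <a href=\"/docs/index.html\">the docs</a></p>";
    // Constructed base URI (placeholder host, not a real site).
    static final String BASE_URI = "https://example.invalid/";

    // Default configuration: preserveRelativeLinks is false, so each href is
    // resolved against BASE_URI before the protocol check runs and the cleaned
    // output carries the absolute URL.
    static String cleanWithDefaults() {
        return Jsoup.clean(UNTRUSTED, BASE_URI, Safelist.basic());
    }

    // The setting the advisory refers to, switched on explicitly. Relative hrefs
    // are now passed through unchanged; this is the mode that needed the 1.15.3
    // fix, so leave it off when the input is untrusted.
    static String cleanPreservingRelativeLinks() {
        return Jsoup.clean(UNTRUSTED, BASE_URI, Safelist.basic().preserveRelativeLinks(true));
    }

    // True when the href in the cleaned output has been absolutised, i.e. the
    // safe default is in effect for this Safelist.
    static boolean linksAreAbsolutised(String cleaned) {
        return cleaned.contains("href=\"" + BASE_URI + "docs/index.html\"");
    }

    public static void main(String[] args) {
        String byDefault = cleanWithDefaults();
        String preserving = cleanPreservingRelativeLinks();
        System.out.println("default:    " + byDefault);
        System.out.println("preserving: " + preserving);
        System.out.println("default absolutises links: " + linksAreAbsolutised(byDefault));
        System.out.println("preserving absolutises links: " + linksAreAbsolutised(preserving));
    }
}
```

Running this with the default Safelist prints the link rewritten to the absolute form (with rel="nofollow" added by Safelist.basic()), while the preserving variant leaves "/docs/index.html" as-is; the same check can be pointed at whatever Safelist a project actually builds.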
Vulnerabilities in Dependencies in vscode-java
Description
vscode-java has security vulnerabilities in its dependencies, specifically jsoup. The affected and patched versions are as follows:
1. jsoup: affected versions < 1.15.3, patched in 1.15.3
GitHub Advisory Links
National Vulnerability Database
Request
Could these dependencies be updated to the patched versions in vscode-java v1.20.0 and above? Thank you.