Uploaded image for project: 'mod-gobi'
  1. mod-gobi
  2. MODGOBI-182

BigDecimal multiply without scala

    XMLWordPrintable

Details

    • Thunderjet
    • Related dependency upgrade
    • Nolana (R3 2022)

    Description

      mod-gobi adds org.scala-lang:scala-library:2.13.8 dependency that comes with a Remote Code Execution (RCE) vulnerability:

      https://nvd.nist.gov/vuln/detail/CVE-2022-36944

      mod-gobi uses scala to run scala.math.BigDecimal.$times.

      However, Scala implements this by calling java.math.BigDecimal.multiply:

      https://github.com/scala/scala/blob/v2.13.8/src/library/scala/math/BigDecimal.scala#L488-L490

      There is no need to bloat mod-gobi with scala-library, please directly call java.math.BigDecimal and remove the scala-library dependency.

      TestRail: Results

        Attachments

          Issue Links

            relates to

            Bug - A problem which impairs or prevents the functions of the product. MODGOBI-183 Mapper.multiply ignores a single value

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. MODGOBI-184 RMB 35.0.3, jackson 2.14.0, folio-isbn-util 1.4.0

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed

            Task - A task that needs to be done. MODGOBI-185 Release mod-gobi-2.5.1 for Nolana Bug Fix#1

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed
            to be improved by

            Task - A task that needs to be done. MODEXPS-186 Describe way how to check dependency vulnerabilities during RMB versions upgrade

            • TBD - To be determined
            • Closed

            Activity

              People

                Nosko Serhii Nosko
                julianladisch Julian Ladisch
                Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:

                  TestRail: Runs

                    TestRail: Cases