diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..f642b29
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,19 @@
+# ===========================
+# Log4j 1.x – Non-Exploitable
+# ===========================
+# Rationale:
+# vnu.jar uses only the Log4j ConsoleAppender. None of the vulnerable
+# components (JMSAppender, SocketServer, Chainsaw, JDBCAppender, etc.)
+# are present, configured, or reachable. No logging configuration is
+# user-controlled. Therefore, these CVEs are not exploitable in our use
+# case (CLI mode only, no network listeners, no untrusted input passed
+# into logging).
+#
+# Allowed for this image only.
+CVE-2023-26464 # Log4j 1.x – insecure deserialization paths; not exploitable because ConsoleAppender only
+CVE-2022-23302 # Log4j JMSSink; not used, no JMS classes loaded
+CVE-2021-4104 # Log4j JMSAppender remote code execution; not used
+CVE-2022-23307 # Log4j Chainsaw vulnerability; Chainsaw not present/configured
+CVE-2022-23305 # Log4j SocketServer vulnerability; server not used
+CVE-2019-17571 # Log4j SocketServer class; not reachable, ConsoleAppender only
diff --git a/Dockerfile b/Dockerfile
index 51c80ee..483bb60 100644
--- a/Dockerfile
+++ b/Dockerfile
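Review bot: The header says these suppressions are "Allowed for this image only", but a root `.trivyignore` is applied to every target Trivy scans from this repository (image, filesystem and config scans alike), so the scope claim is not enforced by anything in the file; if per-target scoping is the intent, the YAML form (`.trivyignore.yaml` with a `paths:` entry per vulnerability) can express it. The entries also carry no expiry, so a suppression justified against today's pinned upstream commit silently survives every future bump; Trivy's plain format accepts an expiration, e.g. `CVE-2021-4104 exp:2026-06-30 # Log4j JMSAppender remote code execution; not used`, which forces a re-review instead of an indefinite exception. The not-reachable rationale depends on the upstream build at the checkout hash pinned in the Dockerfile, so record it in the rationale block (`# Assessed against validator/validator @ 73476a51eaa3edc43acd5466b48bddcba77c7844`) so whoever moves the pin knows the analysis must be redone. Log4j 1.x is end-of-life, so this list only buys time; if upstream allows it, swapping in a maintained drop-in (reload4j is the usual one) is the durable fix rather than a growing ignore file.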
@@ -4,12 +4,15 @@ RUN apk --no-cache add openjdk21
 FROM base AS build-vnu
-RUN apk add git python3
+RUN apk add git python3 apache-ant
 RUN git clone -n https://github.com/validator/validator.git \
  && cd validator \
- && git checkout 84a1b28ff4cc28b7e9a31784688dbee6366b3467 \
- && JAVA_HOME=/usr/lib/jvm/java-21-openjdk python checker.py update-shallow dldeps build jar
+ && git checkout 73476a51eaa3edc43acd5466b48bddcba77c7844 \
+ && sed -i 's/jetty-version" value="11.0.20"/jetty-version" value="11.0.25"/' build/build.xml \
+ && sed -i 's/commons-fileupload-version" value="2.0.0-M2"/commons-fileupload-version" value="2.0.0-M4"/' build/build.xml \
+ && sed -i 's/9.2.25.v20180606/9.4.56.v20240826/' langdetect/pom.xml \
+ && JAVA_HOME=/usr/lib/jvm/java-21-openjdk python checker.py dldeps build jar
 FROM base
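Review bot: The three `sed -i` version bumps have no failure mode: if the targeted line in `build/build.xml` or `langdetect/pom.xml` at the pinned commit does not match the pattern exactly (a whitespace change, a quoting change, or upstream having already moved off `11.0.20`), `sed` still exits 0, the chain continues, and the image is built and shipped believing it carries jetty 11.0.25 and commons-fileupload 2.0.0-M4 while actually bundling whatever upstream declares. Assert that each rewrite took effect before `checker.py` runs, e.g. `&& grep -q 'jetty-version" value="11.0.25"' build/build.xml \` (and the equivalent for the other two edits), so a stale pattern fails the build instead of silently downgrading the dependency set this change exists to fix. The third expression also uses unescaped dots and matches the bare string `9.2.25.v20180606` anywhere in `pom.xml`, so anchor it to the element it is meant to change, or hoist the three target versions into `ARG`s so the pins are visible and auditable rather than buried in sed expressions.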