docs: define schema locations in XML examples by chadlwilson · Pull Request #8254 · dependency-check/DependencyCheck
Perhaps could do with a double-check/review that none of the internal XML parsing has the ability to open schemas from external URLs and that it's otherwise configuring factories/builders correctly. I imagine not an issue, given that'd probably be a security issue in its own right.
FYI @jeremylong @nhumblot: sadly this suspicion was right and there's at least one bug on master created by this (in some setups). This is because the SAX parsers do actually process the schema location hints I've added, and currently forcibly allow both file and https external schema access (if the system property is not set).
Suppressions validation additionally has a custom entity resolver that essentially remaps https references to local resource loaded schemas, however hints parsing doesn't have this resolver.
So in a JVM environment that has disabled external schema access system-wide, base hints parsing fails (e.g. seemingly in Gradle environments with the Gradle plugin this property can be set to disallow https loading).
The tests currently seem to obscure some of these real world problems as it seems an old xerces version is on the classpath which is being used in preference to the JDK bundled xerces, which adds additional complexity to tidy up, as modern bundled xerces has more secure defaults.
I'm not 100% sure why it is working for suppressions, so I might have missed something in the above analysis, but I'll submit a PR to resolve this, avoid interfering with system properties, and improve the testing.
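The failure mode described in this thread (a SAX parser honouring an `xsi:schemaLocation` hint and trying to fetch the schema over https, which then breaks under a JVM with external access disabled) can be avoided by validating against a bundled copy of the schema and turning off external access per factory rather than via system properties. The following is an added example, not DependencyCheck's own code; the schema and document strings are constructed samples, `example.invalid` is a placeholder host that is never contacted, and the feature URIs are the standard JDK Xerces/SAX ones.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public final class HardenedSchemaValidation {

    // Constructed sample schema, standing in for a copy bundled on the classpath.
    static final String LOCAL_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\""
        + " targetNamespace=\"urn:example:hints\" xmlns=\"urn:example:hints\""
        + " elementFormDefault=\"qualified\">"
        + "  <xs:element name=\"hints\"><xs:complexType><xs:sequence>"
        + "    <xs:element name=\"hint\" type=\"xs:string\" maxOccurs=\"unbounded\"/>"
        + "  </xs:sequence></xs:complexType></xs:element>"
        + "</xs:schema>";

    // Constructed sample document; its schemaLocation hint names a host that must never be contacted.
    static final String SAMPLE_DOC =
        "<?xml version=\"1.0\"?>"
        + "<hints xmlns=\"urn:example:hints\""
        + " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
        + " xsi:schemaLocation=\"urn:example:hints https://example.invalid/hints.xsd\">"
        + "  <hint>first</hint>"
        + "</hints>";

    /** Compiles the bundled schema without allowing it to pull anything in over the network. */
    static Schema loadBundledSchema() throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Per-factory settings instead of the javax.xml.accessExternalSchema system property,
        // so the host JVM's configuration is neither relied upon nor overwritten.
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return sf.newSchema(new StreamSource(new StringReader(LOCAL_XSD)));
    }

    /** Builds a SAX parser that validates against the bundled schema and refuses external fetches. */
    static SAXParser newHardenedParser(Schema schema) throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setValidating(false);   // no DTD validation; schema validation comes from setSchema()
        spf.setSchema(schema);      // the bundled grammar is used, not whatever the document hints at
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        SAXParser parser = spf.newSAXParser();
        try {
            parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            // An old Xerces on the classpath (pre-JAXP 1.5) does not know these properties and
            // would happily follow schema location hints; fail closed rather than parse insecurely.
            throw new IllegalStateException("XML parser lacks JAXP 1.5 external-access restrictions", e);
        }
        return parser;
    }

    /** Validates the document against the bundled schema; returns true, or throws on any problem. */
    static boolean validate(String xml) throws Exception {
        SAXParser parser = newHardenedParser(loadBundledSchema());
        DefaultHandler strict = new DefaultHandler() {
            @Override public void error(SAXParseException e) throws SAXException { throw e; }
            @Override public void warning(SAXParseException e) throws SAXException { throw e; }
        };
        parser.parse(new InputSource(new StringReader(xml)), strict);
        return true;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("valid: " + validate(SAMPLE_DOC));
        try {
            validate(SAMPLE_DOC.replace("<hint>first</hint>", "<unknown/>"));
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The first `validate` call succeeds without any network access because the grammar for `urn:example:hints` is already compiled in from the bundled string; the second is rejected by that same schema. If the parser on the classpath is too old to honour `ACCESS_EXTERNAL_SCHEMA`, the factory throws instead of silently degrading, which is the condition that the old-Xerces-on-the-classpath situation above would otherwise hide.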