Woodstox:6.2.4 Security vulnerability in Dokka versions #3194

Open
jeyanthanperiyasamy opened this issue Oct 2, 2023 · 4 comments

@jeyanthanperiyasamy

jeyanthanperiyasamy commented Oct 2, 2023

Describe the bug

There is a security vulnerability in the Woodstox version used by Dokka. The latest versions of Dokka, 1.9.0, 1.8.20 etc., both use woodstox-core:6.2.4.

https://www.mend.io/vulnerability-database/CVE-2022-40152

Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

Recommended fix:
Upgrade to version com.fasterxml.woodstox:woodstox-core:5.4.0 or 6.4.0. The reported vulnerability was not checked for vulnerability effectiveness and is suggested to be examined using Effective Usage Analysis.

Expected behaviour
Upgrade to version com.fasterxml.woodstox:woodstox-core:6.4.0.

Dokka configuration
Configuration of dokka used to reproduce the bug

Installation

  • Operating system: macOS/Windows/Linux
  • Build tool: Gradle v6.8.0/Maven/Cli/3rd party plugin
  • Dokka version: 1.4.30

Additional context
Add any other context about the problem here

Are you willing to provide a PR?
Providing a PR can drastically speed up the process of fixing this bug

@kuju63

kuju63 commented Nov 3, 2023

Hi, all.

This vulnerability is caused by jackson-databind 2.12.7.1. The fixed version is 2.13.5. But jackson-databind 2.13 and later does not support Kotlin 1.4.
Why do we need to support Kotlin 1.4? Kotlin 1.4 was first released in August 2020.
Please tell me if Kotlin 1.4 still needs to be supported.

```toml
jackson = "2.12.7" # jackson 2.13.X does not support kotlin language version 1.4, check before updating
jacksonDatabind = "2.12.7.1" # fixes CVE-2022-42003
```

If you do not need to support Kotlin 1.4, you can fix it with the following changes.

- jackson = "2.12.7" # jackson 2.13.X does not support kotlin language version 1.4, check before updating
- jacksonDatabind = "2.12.7.1" # fixes CVE-2022-42003
+ jackson = "2.13.5"
+ jacksonDatabind = "2.13.5"
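Review bot: the two removed lines are the only record of why Jackson was pinned (2.13.x drops Kotlin language version 1.4) and which CVE the 2.12.7.1 patch release addressed, and the two added lines carry no comment, so the next reader cannot tell that the 2.13.5 floor is deliberate or what it trades away. Suggest keeping a comment on the new entries, e.g. `jacksonDatabind = "2.13.5" # fixes CVE-2022-42003; 2.13.x drops Kotlin 1.4 support`, and settling the Kotlin 1.4 question raised just above with the maintainers before this bump is merged.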

@jeyanthanperiyasamy
Author

jeyanthanperiyasamy commented Dec 8, 2023

@kuju63 my app is written in kotlin_version = '1.8.0', so I believe I should be fine. I use a Dokka library inside my Android library project for document generation. Can you explain how to override this version inside my Android project?

@kuju63

kuju63 commented Dec 26, 2023

@jeyanthanperiyasamy
You can override it by using the Gradle feature that specifies the version of a dependency at the configuration level. You can use jackson-databind 2.13.5 in the Dokka plugin by adding the following configuration:

```kotlin
// Force jackson-databind 2.13.5 on every Dokka plugin/runtime configuration
val dokkaConfigurations = listOf(
    "dokkaGfmPartialPlugin", "dokkaGfmPartialRuntime", "dokkaGfmPlugin", "dokkaGfmRuntime",
    "dokkaHtmlPartialPlugin", "dokkaHtmlPartialRuntime", "dokkaHtmlPlugin", "dokkaHtmlRuntime",
    "dokkaJavadocPartialPlugin", "dokkaJavadocPartialRuntime", "dokkaJavadocPlugin", "dokkaJavadocRuntime",
    "dokkaJekyllPartialPlugin", "dokkaJekyllPartialRuntime", "dokkaJekyllPlugin", "dokkaJekyllRuntime",
)

configurations {
    dokkaConfigurations.forEach { name ->
        getByName(name) {
            resolutionStrategy.force("com.fasterxml.jackson.core:jackson-databind:2.13.5")
        }
    }
}
```

However, this will cause the dependencies to be overridden and may not work if your application depends on jackson-databind.

@whyoleg
Collaborator

whyoleg commented Feb 6, 2024

Hey!
Unfortunately we can't update the version right now because of compatibility with older Gradle versions (which are still supported by Gradle and the Kotlin Gradle Plugin).

In case you need to enforce usage of a newer compatible Jackson version during Dokka execution, you need to enforce it in 2 places:

  1. in the build script classpath (because the Dokka Gradle Plugin depends on it) - this configuration will depend on how your build is structured.
  • in case you are using buildSrc/build-logic (or any other included build to manage convention plugins or shared configuration) you need to add this to its build.gradle/build.gradle.kts:

```kotlin
dependencies {
    implementation(enforcedPlatform("com.fasterxml.jackson:jackson-bom:2.13.5"))
}
```

  • in other cases, you can add this to the project's build.gradle/build.gradle.kts where the Dokka Gradle Plugin is applied:

```kotlin
buildscript {
    dependencies {
        classpath(enforcedPlatform("com.fasterxml.jackson:jackson-bom:2.13.5"))
    }
}
```

  2. in Dokka execution - add this to all modules where Dokka is configured:

```kotlin
dependencies {
    dokkaRuntime(enforcedPlatform("com.fasterxml.jackson:jackson-bom:2.13.5"))
    dokkaPlugin(enforcedPlatform("com.fasterxml.jackson:jackson-bom:2.13.5"))
}
```

Note: this is via the Kotlin Gradle DSL; for Groovy the same or similar code should work. In some cases, Gradle cannot generate the dokkaRuntime/dokkaPlugin accessors - in this case it's possible to just quote them like "dokkaRuntime".

The maximum available Jackson version here depends on your Gradle version (and so on the embedded Kotlin version used in Gradle: https://docs.gradle.org/current/userguide/compatibility.html#kotlin). I've tested on my side that even 2.15.3 works (with Gradle 8.6).

Hopefully during implementation of new Dokka Gradle Plugin this will be resolved in some way and there will be no vulnerability reports.
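Whichever of the two approaches above is used (the per-configuration `resolutionStrategy.force` or the `enforcedPlatform` BOM), the thing worth checking afterwards is what Gradle actually selected for Dokka's classpath. The following script is an added example, not code from this thread or from Dokka: it parses the text tree printed by `./gradlew dependencies --configuration dokkaHtmlRuntime` and reports the two modules named in this issue when they resolve below the versions given here. The dependency output it runs on is constructed, not captured from a real build.

```python
# Added example (not from the thread): flag Dokka classpath modules resolved below
# the versions named in this issue. Input is the text tree printed by
# `./gradlew dependencies --configuration dokkaHtmlRuntime`; samples are constructed.
import re

# Floors taken from the thread: woodstox-core 6.4.0, jackson-databind 2.13.5.
MIN_VERSIONS = {
    "com.fasterxml.woodstox:woodstox-core": "6.4.0",
    "com.fasterxml.jackson.core:jackson-databind": "2.13.5",
}

# Tree lines look like "+--- group:name:requested -> selected (*)"; Gradle prints
# "requested -> selected" when force()/enforcedPlatform changed the version.
_LINE = re.compile(
    r"^[|\s+\\-]*(?P<ga>[\w.\-]+:[\w.\-]+)(?::(?P<req>[\w.\-]+))?"
    r"(?:\s*->\s*(?P<sel>[\w.\-]+))?"
)

def parse_versions(tree):
    """Map group:artifact -> the version Gradle actually selected."""
    resolved = {}
    for line in tree.splitlines():
        m = _LINE.match(line)
        if "---" not in line or not m:
            continue
        version = m.group("sel") or m.group("req")
        if version:
            resolved[m.group("ga")] = version
    return resolved

def version_tuple(v):
    """Numeric components only, so (2,12,7,1) < (2,13,5)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def find_outdated(tree, minimums=MIN_VERSIONS):
    """Watched modules whose selected version is still below the floor."""
    return {ga: v for ga, v in parse_versions(tree).items()
            if ga in minimums and version_tuple(v) < version_tuple(minimums[ga])}

SAMPLE_BEFORE = r"""
\--- org.jetbrains.dokka:dokka-core:1.9.0
     +--- com.fasterxml.jackson.core:jackson-databind:2.12.7.1
     \--- com.fasterxml.woodstox:woodstox-core:6.2.4
"""
SAMPLE_AFTER = r"""
\--- org.jetbrains.dokka:dokka-core:1.9.0
     +--- com.fasterxml.jackson.core:jackson-databind:2.12.7.1 -> 2.13.5
     \--- com.fasterxml.woodstox:woodstox-core:6.2.4 -> 6.4.0 (*)
"""
```

`find_outdated(SAMPLE_BEFORE)` returns both modules, `find_outdated(SAMPLE_AFTER)` returns an empty dict; in a CI job, pipe the real Gradle output in and fail the build when the result is non-empty.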
