upgrading jQuery due to CVE exposure

[gireeshpunathil]

I was trying to upgrade jQuery library which is a dependency of org.eclipse.pde.doc.user bundle, but could not follow the non-standard way of dependency build up. there is no direct reference of this dependency in the pom.xml, instead it is getting bundled due to:

https://github.com/eclipse-platform/eclipse.platform.common/blob/8ad033acbce12c3dbf921c0be1fee54004a4a849/bundles/org.eclipse.pde.doc.user/pdeOptions.txt#L88

the linked target is a html page that contain JS scripts which is leading to the jQuery bundling. As the page does not belong to us, we have no way telling them to upgrade! I tried linking page to JDK 17's api doc just to debug, but it didn't help. any pointers?

[laeubi]

I was trying to upgrade jQuery library which is a dependency of org.eclipse.pde.doc.user bundle

jquery is not a dependency but part of the javadoc included in the bundle.

As the page does not belong to us, we have no way telling them to upgrade! I tried linking page to JDK 17's api doc just to debug, but it didn't help. any pointers?

jquery is provided by the javadoc tool, so if we upgrade the JDK (that includes a fix) it will get a newer jquery version.

Beside that, before taking further actions it would be useful to link the CVE and analyze it if it actually apply to our use-case.

[gireeshpunathil]

https://nvd.nist.gov/vuln/detail/cve-2020-11022
https://nvd.nist.gov/vuln/detail/cve-2020-11023
https://nvd.nist.gov/vuln/detail/cve-2019-11358

ok - missed to provide the CVEs. our consumers reported that they hit these when they scanned their products which are based on eclipse

[gireeshpunathil]

jquery is not a dependency but part of the javadoc included in the bundle.

can you pls explain what you mean by jQuery is not a dependency? did you mean OSGi style dependency? eclipse SDK bundles the org.eclipse.pde.doc.user bundle, and it internally contain the jQuery library for its function. so I deem it as a dependency. Am I missing anything?

[laeubi]

CVE-2020-11022
CVE-2020-11023

Is likely irrelevant for javadoc unless we assume you can add custom code to javadoc pages (in wich case an attacker can literally do anything)

CVE-2019-11358

We do not use "Drupal, Backdrop CMS, and other products" so also not relevant for javadoc.

If one ist still concerned, it might work to simply replace the jquery version in the product, or even delete it (what might degrade some functions like search).

[gireeshpunathil]

thank you @laeubi for the security assessment! much appreciated.