[#12421] - We request Jasper Library upgrade which supports 3.1 version of commons-digester.

Category: Bug report
Priority: High
Status: Feedback Requested
Project:
Severity: Major
Resolution: Open
Component:
Reproducibility: Always
Assigned to: 0

Hi Team,

Currently, as per the latest Maven repository updates, jasperreports library 6.11.0 references the 2.1 version of commons-digester. This library is not compatible/supporting our project (ATM Switch) as some vulnerabilities were reported in it.

We request you to provide us an upgrade to the jasper library to support 3.1 version of commons-digester.

Below is the jasper report exception.

Exception in thread "AWT-EventQueue-0" java.lang.NoClassDefFoundError: org/apache/commons/digester/Rule
at net.sf.jasperreports.components.ComponentsExtensionsRegistryFactory.<clinit>(ComponentsExtensionsRegistryFactory.java:109)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Unknown Source)
at net.sf.jasperreports.engine.util.JRClassLoader.loadClassForRealName(JRClassLoader.java:173)
at net.sf.jasperreports.engine.util.JRClassLoader.loadClassForName(JRClassLoader.java:131)
at net.sf.jasperreports.engine.util.ClassUtils.instantiateClass(ClassUtils.java:60)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.instantiateRegistry(DefaultExtensionsRegistry.java:298)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.loadRegistries(DefaultExtensionsRegistry.java:274)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.loadRegistries(DefaultExtensionsRegistry.java:194)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.getRegistries(DefaultExtensionsRegistry.java:157)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.getExtensions(DefaultExtensionsRegistry.java:129)
at net.sf.jasperreports.engine.util.JRStyledTextParser.<clinit>(JRStyledTextParser.java:86)
at net.sf.jasperreports.engine.fill.JRBaseFiller.<init>(JRBaseFiller.java:116)
at net.sf.jasperreports.engine.fill.JRVerticalFiller.<init>(JRVerticalFiller.java:79)
at net.sf.jasperreports.engine.fill.JRFiller.createBandReportFiller(JRFiller.java:251)
at net.sf.jasperreports.engine.fill.JRFiller.createReportFiller(JRFiller.java:272)
at net.sf.jasperreports.engine.fill.JRFiller.fill(JRFiller.java:114)
at net.sf.jasperreports.engine.JasperFillManager.fill(JasperFillManager.java:319)
at net.sf.jasperreports.engine.JasperFillManager.fillReport(JasperFillManager.java:850)

Thanks

jasper library
avanthika2194
Joined: Dec 13 2019 - 3:37am

7 Comments:

#1
  • Status: New » Assigned
  • Assigned: nobody » JoomlaBoard

Hi,

Could you please provide your response on this ticket? As it is blocking our work from proceeding further, please help us with your inputs.

Thanks

#2
  • Status: Assigned » Feedback Requested
  • Assigned: JoomlaBoard » teodord

Hi,

We have not made any tests with Digester 3, which appears to be a complete rewrite of Digester, as its authors say. If you can perform such a test and help us with that, we would very much appreciate it.

Thank you,
Teodor

#3
  • Status: Feedback Requested » Acknowledged

Hi Teodord,

We did try to test commons-digester3.1 with jasperreports, and while doing so, jasperreports is referring to the path org/apache/commons/digester/ but the commons-digester3.1 library has the path org/apache/commons/digester3 and hence we are getting the below exception.

Exception in thread "AWT-EventQueue-0" java.lang.NoClassDefFoundError: org/apache/commons/digester/Rule
at net.sf.jasperreports.components.ComponentsExtensionsRegistryFactory.<clinit>(ComponentsExtensionsRegistryFactory.java:109)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Unknown Source)
at net.sf.jasperreports.engine.util.JRClassLoader.loadClassForRealName(JRClassLoader.java:173)
at net.sf.jasperreports.engine.util.JRClassLoader.loadClassForName(JRClassLoader.java:131)
at net.sf.jasperreports.engine.util.ClassUtils.instantiateClass(ClassUtils.java:60)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.instantiateRegistry(DefaultExtensionsRegistry.java:298)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.loadRegistries(DefaultExtensionsRegistry.java:274)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.loadRegistries(DefaultExtensionsRegistry.java:194)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.getRegistries(DefaultExtensionsRegistry.java:157)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.getExtensions(DefaultExtensionsRegistry.java:129)
at net.sf.jasperreports.engine.util.JRStyledTextParser.<clinit>(JRStyledTextParser.java:86)
at net.sf.jasperreports.engine.fill.JRBaseFiller.<init>(JRBaseFiller.java:116)
at net.sf.jasperreports.engine.fill.JRVerticalFiller.<init>(JRVerticalFiller.java:79)
at net.sf.jasperreports.engine.fill.JRFiller.createBandReportFiller(JRFiller.java:251)
at net.sf.jasperreports.engine.fill.JRFiller.createReportFiller(JRFiller.java:272)
at net.sf.jasperreports.engine.fill.JRFiller.fill(JRFiller.java:114)
at net.sf.jasperreports.engine.JasperFillManager.fill(JasperFillManager.java:319)
at net.sf.jasperreports.engine.JasperFillManager.fillReport(JasperFillManager.java:850)

Thanks
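
The package mismatch described in comment #3 can be confirmed on a given classpath with a small probe. This is an added example, not code from the thread or from JasperReports; the class name DigesterClasspathCheck is hypothetical, and the two Rule class names are taken from the stack trace and from the digester3 path quoted above.

```java
import java.security.CodeSource;

public class DigesterClasspathCheck {
    // Digester 1.x/2.x class named in the stack trace.
    static final String LEGACY_RULE = "org.apache.commons.digester.Rule";
    // Same class under the renamed Digester 3.x package.
    static final String V3_RULE = "org.apache.commons.digester3.Rule";

    /** Returns where a class is loaded from, or null if it is not on the classpath. */
    static String locate(String className) {
        try {
            // initialize=false: resolve the class without running static initializers
            Class<?> c = Class.forName(className, false,
                    DigesterClasspathCheck.class.getClassLoader());
            CodeSource src = c.getProtectionDomain().getCodeSource();
            // Implementation-Version comes from the jar manifest and may be absent
            String version = c.getPackage() == null ? null
                    : c.getPackage().getImplementationVersion();
            return (src == null ? "<unknown location>" : src.getLocation().toString())
                    + (version == null ? "" : " (version " + version + ")");
        } catch (ClassNotFoundException | LinkageError e) {
            return null;
        }
    }

    public static void main(String[] args) {
        String legacy = locate(LEGACY_RULE);
        String v3 = locate(V3_RULE);
        System.out.println(LEGACY_RULE + " -> " + (legacy == null ? "MISSING" : legacy));
        System.out.println(V3_RULE + " -> " + (v3 == null ? "MISSING" : v3));
        if (legacy == null) {
            // A Digester 3 jar alone does not satisfy code compiled against the old package
            System.out.println("Classes compiled against org.apache.commons.digester"
                    + " will fail with NoClassDefFoundError, as in the trace above.");
            System.exit(1);
        }
    }
}
```

Run it with the same classpath as the application; the reported jar location and manifest version also show which Digester release a dependency scanner would be evaluating.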

#4

Hi,

Just to make sure we are all on the same page. Can you provide some links to known vulnerabilities of Digester 2.1?
We use an OWASP Maven plugin to check for vulnerabilities of dependencies used by JRL and Digester does not show up with any, at the moment.

Thank you,
Teodor

#5

Hi Teodord,

Please find the attachment of the vulnerability VulnDB-106409 for Apache Commons Digester:2.1.

Thanks

Attachment: vulnerability_image.png (44.18 KB)

#6
  • Status: Acknowledged » Feedback Requested

#7

Hi,

We are not familiar with these VulnDB vulnerabilities. It is not clear to me if this is a vulnerability of Digester or of BeanUtils. The description of the issue says something about BeanUtils...
So which one is it?
And where can we obtain more information about this vulnerability? How can we tell if this is solved by upgrading Digester? Where does it say so?

Thank you,
Teodor
