Category: Bug report
Priority: High
Status: Feedback Requested
Project:
Severity: Major
Resolution: Open
Component:
Reproducibility: Always
Assigned to:
Hi Team,
Currently, as per Maven repository latest updates, jasperreports library 6.11.0 references the 2.1 version of commons-digester. This library is not compatible/supporting our project (ATM Switch) as some vulnerabilities were reported in it.
We request you to provide us an upgrade to the jasper library to support 3.1 version of commons-digester.
Below is the jasper report exception.
Exception in thread "AWT-EventQueue-0" java.lang.NoClassDefFoundError: org/apache/commons/digester/Rule
at net.sf.jasperreports.components.ComponentsExtensionsRegistryFactory.<clinit>(ComponentsExtensionsRegistryFactory.java:109)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Unknown Source)
at net.sf.jasperreports.engine.util.JRClassLoader.loadClassForRealName(JRClassLoader.java:173)
at net.sf.jasperreports.engine.util.JRClassLoader.loadClassForName(JRClassLoader.java:131)
at net.sf.jasperreports.engine.util.ClassUtils.instantiateClass(ClassUtils.java:60)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.instantiateRegistry(DefaultExtensionsRegistry.java:298)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.loadRegistries(DefaultExtensionsRegistry.java:274)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.loadRegistries(DefaultExtensionsRegistry.java:194)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.getRegistries(DefaultExtensionsRegistry.java:157)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.getExtensions(DefaultExtensionsRegistry.java:129)
at net.sf.jasperreports.engine.util.JRStyledTextParser.<clinit>(JRStyledTextParser.java:86)
at net.sf.jasperreports.engine.fill.JRBaseFiller.<init>(JRBaseFiller.java:116)
at net.sf.jasperreports.engine.fill.JRVerticalFiller.<init>(JRVerticalFiller.java:79)
at net.sf.jasperreports.engine.fill.JRFiller.createBandReportFiller(JRFiller.java:251)
at net.sf.jasperreports.engine.fill.JRFiller.createReportFiller(JRFiller.java:272)
at net.sf.jasperreports.engine.fill.JRFiller.fill(JRFiller.java:114)
at net.sf.jasperreports.engine.JasperFillManager.fill(JasperFillManager.java:319)
at net.sf.jasperreports.engine.JasperFillManager.fillReport(JasperFillManager.java:850)
Thanks
7 Comments:
Hi,
Could you please provide your response on this ticket? As it is blocking our work from proceeding further, please help us with your inputs.
Thanks
Hi,
We have not made any tests with Digester 3, which appears to be a complete rewrite of Digester, as its authors say. If you can perform such a test and help us with that, we would very much appreciate it.
Thank you,
Teodor
Hi Teodord,
We did try to test commons-digester3.1 with jasperreports, and while doing so, jasperreports is referring to the path org/apache/commons/digester/ but the commons-digester3.1 library has the path org/apache/commons/digester3, and hence we are getting the below exception.
Exception in thread "AWT-EventQueue-0" java.lang.NoClassDefFoundError: org/apache/commons/digester/Rule
at net.sf.jasperreports.components.ComponentsExtensionsRegistryFactory.<clinit>(ComponentsExtensionsRegistryFactory.java:109)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Unknown Source)
at net.sf.jasperreports.engine.util.JRClassLoader.loadClassForRealName(JRClassLoader.java:173)
at net.sf.jasperreports.engine.util.JRClassLoader.loadClassForName(JRClassLoader.java:131)
at net.sf.jasperreports.engine.util.ClassUtils.instantiateClass(ClassUtils.java:60)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.instantiateRegistry(DefaultExtensionsRegistry.java:298)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.loadRegistries(DefaultExtensionsRegistry.java:274)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.loadRegistries(DefaultExtensionsRegistry.java:194)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.getRegistries(DefaultExtensionsRegistry.java:157)
at net.sf.jasperreports.extensions.DefaultExtensionsRegistry.getExtensions(DefaultExtensionsRegistry.java:129)
at net.sf.jasperreports.engine.util.JRStyledTextParser.<clinit>(JRStyledTextParser.java:86)
at net.sf.jasperreports.engine.fill.JRBaseFiller.<init>(JRBaseFiller.java:116)
at net.sf.jasperreports.engine.fill.JRVerticalFiller.<init>(JRVerticalFiller.java:79)
at net.sf.jasperreports.engine.fill.JRFiller.createBandReportFiller(JRFiller.java:251)
at net.sf.jasperreports.engine.fill.JRFiller.createReportFiller(JRFiller.java:272)
at net.sf.jasperreports.engine.fill.JRFiller.fill(JRFiller.java:114)
at net.sf.jasperreports.engine.JasperFillManager.fill(JasperFillManager.java:319)
at net.sf.jasperreports.engine.JasperFillManager.fillReport(JasperFillManager.java:850)
Thanks
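The package mismatch described in the comment above can be confirmed before runtime by checking which jar on the classpath actually contains the class named in the NoClassDefFoundError. This is an added example, not part of the original thread or of the JasperReports code; the jar names and their contents are constructed stand-ins, and the function names are hypothetical.

```python
import io
import re
import zipfile

def missing_class(error_line):
    """Extract the binary class name from a NoClassDefFoundError line."""
    m = re.search(r"NoClassDefFoundError:\s*([\w/$]+)", error_line)
    return m.group(1) if m else None

def make_jar(entries):
    """Build an in-memory jar (a zip) holding empty stand-in class files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()

def locate(binary_name, jars):
    """Return (exact, near): jars that contain the class, and
    (jar, class) pairs where the same simple class name exists
    under a different package (a sign of a renamed package)."""
    wanted = binary_name + ".class"
    simple = "/" + wanted.rsplit("/", 1)[-1]
    exact, near = [], []
    for jar_name, data in jars.items():
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        if wanted in names:
            exact.append(jar_name)
        else:
            near += [(jar_name, n[:-len(".class")])
                     for n in names if n.endswith(simple)]
    return exact, near

# First line of the stack trace from the report.
ERROR = ('Exception in thread "AWT-EventQueue-0" '
         'java.lang.NoClassDefFoundError: org/apache/commons/digester/Rule')

# Constructed stand-ins for the two Digester jars discussed in the thread.
CLASSPATH_2X = {"commons-digester-2.1.jar":
                make_jar(["org/apache/commons/digester/Rule.class"])}
CLASSPATH_3X = {"commons-digester3-3.1.jar":
                make_jar(["org/apache/commons/digester3/Rule.class"])}

if __name__ == "__main__":
    cls = missing_class(ERROR)
    print("2.x classpath:", locate(cls, CLASSPATH_2X))
    print("3.x classpath:", locate(cls, CLASSPATH_3X))
```

An empty `exact` list together with a `near` hit in a differently named package indicates that the replacement jar is not a drop-in substitute for code compiled against the old package.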
Hi,
Just to make sure we are all on the same page. Can you provide some links to known vulnerabilities of Digester 2.1?
We use an OWASP Maven plugin to check for vulnerabilities of dependencies used by JRL and Digester does not show up with any, at the moment.
Thank you,
Teodor
Hi Teodord,
Please find the attachment of the vulnerability VulnDB-106409 for Apache Commons Digester:2.1.
Thanks
Hi,
We are not familiar with these VulnDB vulnerabilities. It is not clear to me if this is a vulnerability of Digester or of BeanUtils. The description of the issue says something about BeanUtils...
So which one is it?
And where can we obtain more information about this vulnerability? How can we tell if this is solved by upgrading Digester? Where does it say so?
Thank you,
Teodor