vaadin安全警报

Question

在最近一次引用这里的安全警报中，我看到了Vaadin 7可能存在的安全问题，因为它存在jsoup漏洞。由于其他因素，我无法升级。所以我就想直接把“汤”放在我的项目里。因此，在通过vaadin-server间接包含它之前，现在直接包含它，并且版本vaadin-server引用“由于与1.14.2冲突而被省略”。这是解决这一安全问题的安全途径吗？

我使用的是Vaadin 7.7.17和maven。

我之所以提出这个问题，主要是因为Vaadin没有将此作为一种可能的解决方案，所以我认为它会失败。但是，由于maven没有出现错误，我担心我遗漏了一些只会出现在某些奇怪的运行时行为中的东西。

下面是通过mvn dependency:tree构建的依赖树。首先，原版，删减：

[INFO] Scanning for projects...
[INFO] 
[INFO] ---------------------< com.mobiwms:vaadinwebsite >----------------------
[INFO] Building vaadinwebsite 4.0.31
[INFO] --------------------------------[ war ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ vaadinwebsite ---
[INFO] com.mobiwms:vaadinwebsite:war:4.0.31
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- com.vaadin:vaadin-server:jar:7.7.17:compile
[INFO] |  +- com.vaadin:vaadin-sass-compiler:jar:0.9.13:compile
[INFO] |  |  +- org.w3c.css:sac:jar:1.3:compile
[INFO] |  |  \- com.vaadin.external.flute:flute:jar:1.3.0.gg2:compile
[INFO] |  +- com.vaadin:vaadin-shared:jar:7.7.17:compile
[INFO] |  \- org.jsoup:jsoup:jar:1.8.3:compile
[INFO] +- com.vaadin:vaadin-push:jar:7.7.17:compile
[INFO] |  \- com.vaadin.external.atmosphere:atmosphere-runtime:jar:2.2.13.vaadin1:compile
[INFO] |     \- com.vaadin.external.slf4j:vaadin-slf4j-jdk14:jar:1.6.1:compile
[INFO] +- com.vaadin:vaadin-client:jar:7.7.17:provided
... // Stripped out unrelated portions of hierarchy.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  4.758 s
[INFO] Finished at: 2021-10-27T18:59:19-04:00
[INFO] ------------------------------------------------------------------------

现在，新的版本被删减了：

[INFO] Scanning for projects...
[INFO] 
[INFO] ---------------------< com.mobiwms:vaadinwebsite >----------------------
[INFO] Building vaadinwebsite 4.0.31
[INFO] --------------------------------[ war ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ vaadinwebsite ---
[INFO] com.mobiwms:vaadinwebsite:war:4.0.31
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- com.vaadin:vaadin-server:jar:7.7.17:compile
[INFO] |  +- com.vaadin:vaadin-sass-compiler:jar:0.9.13:compile
[INFO] |  |  +- org.w3c.css:sac:jar:1.3:compile
[INFO] |  |  \- com.vaadin.external.flute:flute:jar:1.3.0.gg2:compile
[INFO] |  \- com.vaadin:vaadin-shared:jar:7.7.17:compile
[INFO] +- com.vaadin:vaadin-push:jar:7.7.17:compile
[INFO] |  \- com.vaadin.external.atmosphere:atmosphere-runtime:jar:2.2.13.vaadin1:compile
[INFO] |     \- com.vaadin.external.slf4j:vaadin-slf4j-jdk14:jar:1.6.1:compile
[INFO] +- com.vaadin:vaadin-client:jar:7.7.17:provided
... // Stripped out unrelated portions of hierarchy.
[INFO] \- org.jsoup:jsoup:jar:1.14.2:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  2.285 s
[INFO] Finished at: 2021-10-27T18:56:01-04:00
[INFO] ------------------------------------------------------------------------

Answer 1

只是在这里注意一下。Vaadin 7本身没有实际问题会受到影响，可能存在潜在的Jsoup漏洞。依赖项被更新为更新的版本，以强制应用程序开发人员使用更新的版本。新版本的Jsoup有一些API更改，需要在Vaadin 7中进行一些小的代码更改。如果您的应用程序没有以不暴露漏洞的方式使用Jsoup，那么升级就不是绝对强制性的。还提醒说，Vaadin 7版本比7.7.17更新，需要商业许可证来扩展支持。