Hi Gerald,
I talked to Michael earlier and I can second his comments...
Just a few small additions to your three points:
1. I just removed the exception you mentioned to see what would happen!
;-)
First, remove the exception of the method and calling methods, until you
get to the root cause, then go back up and add via IDE autocompletion all
sub-exceptions in detail!
It led me to the following minimal patch:
https://github.com/svanteschubert/odftoolkit/commit/7d01fe068e26afdc5fc17f154ea835cdfdd1cc43
I added some JavaDoc, which is not minimal and the JavaDoc might be
improved!
But in general, you are right, the bundling of exceptions was a mistake
of my inexperienced youth, as I never used/required the differentiation of
exception.
Please don't hesitate to provide a patch so it meets your requirements.
As we unsplit the parent exception class into sub-exception it will not
be API incompatible, isn't it?
But we are still in the 0.*.* version therefore if you have a strong
scenario, we can still consider it. If it is an incompatible API change,
perhaps there are automated tools to adopt them.
This might be a nice scenario to test with an AI assistant, I started
quickly testing it with Cursor using the model of Claude Sonnet 3.5:
[image: image.png]
2. This sounds indeed like a bug or missing feature. Please don't
hesitate to provide a patch so it meets your requirements. :-)
3. If you run on the root level "mvn dependency:tree -Dverbose" and
perhaps pipe the input into a text file e.g. via
"mvn dependency:tree -Dverbose > dependencies20240906 2>&1"
You will notice:
   1. That the toolkit does not use *nimbus-jose-jwt*, not even as an
   indirect dependency. I assume your project uses it.
   2. *commons-collections:jar:3.2.2* is used 10 times by several Apache
   libraries, where you should report the security issue.
   Currently, there is no issue publicly reported:
   https://mvnrepository.com/artifact/commons-collections/commons-collections/3.2.2
Best regards,
Svante
PS: I was distracted by summer and/or tax, please write again to the list
(or directly to myself), if no one answers, sometimes I do forget.. :-)
On Fri, 6 Sept 2024 at 11:37, Michael Stahl <mst@libreoffice.org> wrote:
> hi Gerald,
> On 28/08/2024 11:39, Winter, Gerald (eck*cellent IT) wrote:
>> Hello,
>> I'm working with ODFToolkit and I have got some findings that might or
>> might not be (known) bugs. Please let me know if I should create Issues on
>> github.
>> - Many methods are declared with "throws Exception", for example
>> OdfTextDocument.newParagraph(). There is no (visible) IO Operation, it is
>> unclear why a generic Exception might be thrown that has to be caught.
> sorry, no idea.
>> - TextSelection.replaceWith removes formatting when the matched text and
>> the text with formatting are identical. For example when only the letter
>> "x" is styled italic and TextNavigation("x", doc).next().replaceWith("y")
>> is called "y" will not be italic anymore
> at first glance that sounds like a bug. please file with a reproducer.
>> - There are vulnerabilities in used libraries:
>> commons-collections:3.2.2, nimbus-jose-jwt:9.24.4
> * commons-collections:3.2.2 is an indirect dependency used via several
> other Apache libraries, but i can't find anything about a vulnerability
> in that version?
> https://commons.apache.org/proper/commons-collections/security-reports.html
> here it is claimed that a vulnerability was fixed in version 3.2.2,
> unless one sets some "enableUnsafeSerialization" property to override
> the defaults.
> * i can find no hint that nimbus-jose-jwt:9.24.4 is used anywhere?
--
To unsubscribe e-mail to: dev+unsubscribe@odftoolkit.org
Problems?
https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.odftoolkit.org/dev/
Privacy Policy: https://www.documentfoundation.org/privacy
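
The dependency check discussed in this thread, as an added example that is not part of the original e-mails or of the ODF Toolkit project: a small filter that reads saved `mvn dependency:tree -Dverbose` output and prints the chain of dependencies leading to each occurrence of a given artifact, including the entries verbose mode marks as omitted duplicates. The function names `sample_tree` and `dep_paths` are hypothetical, and the `org.example` coordinates in the sample tree are constructed, not the toolkit's real dependencies.

```bash
#!/bin/sh
# Constructed sample of `mvn dependency:tree -Dverbose` output.
# All org.example coordinates are made up for illustration.
sample_tree() {
cat <<'EOF'
[INFO] org.example:toolkit-parent:pom:1.0.0
[INFO] +- org.example:lib-a:jar:1.0:compile
[INFO] |  +- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  \- org.example:lib-b:jar:2.0:compile
[INFO] |     \- (commons-collections:commons-collections:jar:3.2.2:compile - omitted for duplicate)
[INFO] \- org.example:lib-c:jar:3.0:test
EOF
}

# dep_paths GROUP:ARTIFACT  (hypothetical helper; reads the tree on stdin)
# Prints one line per occurrence: direct dependency -> ... -> artifact.
dep_paths() {
  awk -v want="$1" '
    { sub(/^\[INFO\] /, "") }
    # Tree nodes are introduced by "+- " or "\- "; each level is 3 columns.
    match($0, /[+\\]- /) {
      depth = (RSTART - 1) / 3 + 1
      coord = substr($0, RSTART + 3)
      # Verbose mode wraps skipped nodes as "(coord - omitted for ...)".
      sub(/^\(/, "", coord)
      sub(/ - omitted.*$/, "", coord)
      stack[depth] = coord
      if (index(coord, want ":") == 1) {
        path = stack[1]
        for (i = 2; i <= depth; i++) path = path " -> " stack[i]
        print path
      }
    }
  '
}

# Every path by which the artifact enters the build:
sample_tree | dep_paths commons-collections:commons-collections
# No output means the artifact is not in this tree at all:
sample_tree | dep_paths com.nimbusds:nimbus-jose-jwt
```

On a real build, feed it the saved file instead, e.g. `dep_paths commons-collections:commons-collections < dependencies20240906`.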