Conversation

@psiinon (Member) commented Dec 22, 2025

Checkmarx One – Scan Summary & Details: 9cb90f25-26f3-4952-8b5c-ec9443d50aa3

New Issues (3)

Checkmarx found the following issues in this Pull Request

Severity | Issue | Source File / Package
HIGH | Improper_Restriction_of_Stored_XXE_Ref | /subprojects/zap-clientapi/src/main/java/org/zaproxy/clientapi/core/ClientApiMain.java: 139
    Checkmarx Insight: The loads and parses XML using parse, at line 213 of /subprojects/zap-clientapi/src/main/java/org/zaproxy/clientapi/core/AlertsFile.java. This...
    ID: 3413re42ASScwEJ4OVgQKvGAWzY%3D
HIGH | Improper_Restriction_of_XXE_Ref | /subprojects/zap-clientapi/src/main/java/org/zaproxy/clientapi/core/ClientApi.java: 335
    Checkmarx Insight: The loads and parses XML using parse, at line 298 of /subprojects/zap-clientapi/src/main/java/org/zaproxy/clientapi/core/ClientApi.java. This ...
    ID: vHzwCI5avOGEY1r%2BVIGYBBDG7QA%3D
MEDIUM | Missing_HSTS_Header | /subprojects/zap-clientapi/src/main/java/org/zaproxy/clientapi/core/ClientApi.java: 328
    Checkmarx Insight: The web-application does not define an HSTS header, leaving it vulnerable to attack.
    ID: 11j8aaphazQJTYBpSFhbOadG6Bc%3D
Fixed Issues (3)

Great job! The following issues were fixed in this Pull Request

Severity | Issue | Source File / Package
HIGH | CVE-2021-33813 | Maven-org.jdom:jdom-1.1.3
HIGH | Improper_Restriction_of_Stored_XXE_Ref | /subprojects/zap-clientapi/src/main/java/org/zaproxy/clientapi/core/ClientApiMain.java: 214
HIGH | Improper_Restriction_of_XXE_Ref | /subprojects/zap-clientapi/src/main/java/org/zaproxy/clientapi/core/ClientApi.java: 465

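The two XXE findings in the scan above are the usual shape for this rule: XML handed to `parse` on a `DocumentBuilder` created with factory defaults, so a DOCTYPE in the input can declare an external entity that the parser resolves. The example below is added here and is not code from the zaproxy project or from this pull request; the `alerts` document shape, the class name and the temp file are assumptions for illustration. It shows a default JAXP builder next to a hardened one and runs both against a constructed payload. The hardened builder rejects the document at the DOCTYPE, before any entity is resolved; what the default builder returns depends on the JDK parser's defaults, which is exactly why relying on them is the finding. (The Missing_HSTS_Header entry is a different matter: HSTS is a response header a server sets, and `ClientApi.java` is the requesting side, so nothing at that line can emit it.)

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Added example (not zaproxy code): default JAXP DOM parsing beside an XXE-hardened configuration. */
public class XxeHardeningDemo {

    /** The pattern the scanner flags: a DocumentBuilder with whatever the factory defaults are. */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened builder: no DOCTYPE is accepted, so no entity (internal or external) can be declared. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control. Alert exports and API responses need no DTD, so reject any DOCTYPE outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for a parser implementation that ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP-level block on external DTD/schema fetches (available since Java 7).
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    static Document parse(DocumentBuilder b, String xml) throws SAXException, IOException {
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a local file standing in for anything readable on the parsing host,
        // and an "alerts" document whose external entity points at it (shape assumed, not ZAP's format).
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "contents of a file the XML author should not be able to read");
        String benign = "<alerts><alert><name>Missing Anti-clickjacking Header</name></alert></alerts>";
        String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE alerts [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<alerts><alert><name>&xxe;</name></alert></alerts>";

        try {
            Document ok = parse(hardenedBuilder(), benign);
            System.out.println("hardened, benign  : root=" + ok.getDocumentElement().getTagName());

            try {
                parse(hardenedBuilder(), payload);
                System.out.println("hardened, payload : parsed (unexpected)");
            } catch (SAXException e) {
                // Raised at the DOCTYPE declaration, before the entity is ever resolved.
                System.out.println("hardened, payload : rejected -> " + e.getMessage());
            }

            Document leaked = parse(defaultBuilder(), payload);
            String name = leaked.getElementsByTagName("name").item(0).getTextContent();
            System.out.println("default,  payload : name=" + name);
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with a Java 11 or later JDK (`Files.writeString` is the only post-8 API used). The `disallow-doctype-decl` feature is the setting that actually closes the hole; the remaining features are there so a swapped-in parser that does not honour it still cannot fetch external entities or DTDs. If the XML the client consumes ever legitimately needs a DTD, the fallback is to keep the DOCTYPE allowed but leave every external-entity and external-DTD setting disabled.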

@aalsanie (Author)

@thc202 comments addressed in this new PR. Thanks for the review.

aalsanie changed the title from "Remove JDOM dependency" to "ClientApi 2.0.0" on Dec 23, 2025
thc202 changed the title from "ClientApi 2.0.0" to "Remove JDOM dependency" on Dec 24, 2025
@thc202 (Member) commented Dec 24, 2025

There's no need for a 2.0 version and refactorings.

@aalsanie (Author) commented Dec 24, 2025

> There's no need for a 2.0 version and refactorings.

The ClientApi is tightly coupled to private methods that are also used in ClientMainApi. This will cause you maintainability issues in the future. Your CLI class has become a god object doing things like parsing text, task routing, scans, ops, validation, etc.

@thc202 (Member) commented Dec 24, 2025

Please, focus on the removal of the JDOM dependency in this pull request. If you want to do 2.0/refactorings ask in the dev group.
