chezou/tabula-py

Security vulnerability in tabula-1.0.5-jar-with-dependencies.jar

Closed this issue · 4 comments

Summary

There is at least one vulnerable package in tabula-1.0.5-jar-with-dependencies.jar
GHSA-4jrv-ppp4-jm57

Did you read the FAQ?

  • I have read the FAQ

Did you search GitHub Discussions?

  • I have searched the discussions

(Optional) PDF URL

No response

About your environment

Python 3.12.2
Pip 24.0
tabula-py 2.9.0

What did you do when you faced the problem?

I created a docker image.

Code

FROM python@sha256:849ed6079c9f797ca9c1b7d6aea1c00aea3ac35110cbd0d6003f15950017ea8d
RUN pip install --no-cache-dir tabula-py==2.9.0

Expected behavior

The dependencies are all up to date.

Actual behavior

There are vulnerabilities in some of the packages.

Related issues

No response

Thanks for reporting. This issue is tabula-java's. I'm willing to update when they release the fixed version, but unfortunately tabula-py can't fix it directly.

Could you ask in tabula-java's issues?

Tabula-java did update gson to a newer version in one of their commits, but they haven't created a new release with its inclusion.

I created a report on their repository, though I don't know if they'll make a new release.

Meanwhile, you could build the jar file from their latest commit, since it works just fine.
This could be done with a container, for example:

FROM maven@sha256:9c29c889b0e108c2bd7386c337e5648726e3e8db2e8cb4746e17eef2a608ca30

# git is needed to fetch the tabula-java sources (pinned Alpine package)
RUN apk add --no-cache git=2.43.0-r0 --repository=https://dl-cdn.alpinelinux.org/alpine/v3.19/main
RUN git clone https://github.com/tabulapdf/tabula-java.git
# Rename the artifact version so the built jar matches the file name tabula-py expects
RUN sed -i 's/1.0.6-SNAPSHOT/1.0.5/' /tabula-java/pom.xml
WORKDIR /tabula-java
# Produces target/tabula-1.0.5-jar-with-dependencies.jar
RUN mvn clean compile assembly:single

I'm running sed because in the latest commit, the version is set to create a file named 1.0.6-SNAPSHOT instead of 1.0.5 which tabula-py is using. Change this as you please.
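Before and after swapping the jar, it helps to confirm which gson version is actually bundled rather than trusting the file name. The following is an added example, not code from this thread, from tabula-py or from tabula-java: it reads the Maven `pom.properties` that the assembly plugin records for each bundled artifact and compares the version against a minimum. The assumptions are that the jar keeps the standard Maven metadata layout, that tabula-py installs the jar next to its package as `tabula/tabula-1.0.5-jar-with-dependencies.jar`, and that the fixed gson version for the advisory is 2.8.9 (stated from memory; verify it against the GHSA page before relying on it). The sample jar built in `make_sample_jar` is constructed here purely so the check runs offline.

```python
"""Report the gson version bundled inside a tabula jar-with-dependencies."""
import io
import re
import zipfile
from pathlib import Path
from typing import Optional

# Standard Maven layout inside a shaded/assembly jar (assumption: tabula-java
# keeps this metadata; the assembly plugin does so by default).
GSON_POM_PROPERTIES = "META-INF/maven/com.google.code.gson/gson/pom.properties"

# Minimum gson version considered fixed for GHSA-4jrv-ppp4-jm57.
# ASSUMPTION stated from memory; confirm against the advisory page.
MIN_FIXED_GSON = "2.8.9"


def bundled_gson_version(jar) -> Optional[str]:
    """Return the gson version recorded in the jar, or None if gson's
    pom.properties is absent. `jar` may be a path or a file-like object."""
    with zipfile.ZipFile(jar) as zf:
        if GSON_POM_PROPERTIES not in zf.namelist():
            return None
        text = zf.read(GSON_POM_PROPERTIES).decode("utf-8", "replace")
    match = re.search(r"^version=(.+)$", text, re.MULTILINE)
    return match.group(1).strip() if match else None


def version_tuple(version: str):
    """'2.8.9' -> (2, 8, 9); tolerant of suffixes such as '-SNAPSHOT'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_at_least(version: str, minimum: str) -> bool:
    return version_tuple(version) >= version_tuple(minimum)


def gson_is_fixed(jar, minimum: str = MIN_FIXED_GSON) -> bool:
    """True only when gson is present and at or above the fixed version."""
    found = bundled_gson_version(jar)
    return found is not None and is_at_least(found, minimum)


def installed_tabula_jar() -> Optional[Path]:
    """Locate the jar shipped with an installed tabula-py.
    ASSUMPTION: the jar lives in the package directory under the file name
    quoted in the issue; returns None if tabula-py is not importable."""
    try:
        import tabula  # noqa: F401
    except ImportError:
        return None
    candidate = Path(tabula.__file__).parent / "tabula-1.0.5-jar-with-dependencies.jar"
    return candidate if candidate.exists() else None


def make_sample_jar(gson_version: Optional[str]) -> io.BytesIO:
    """CONSTRUCTED sample: a minimal in-memory jar carrying only the Maven
    metadata for gson (or no gson metadata at all when version is None)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if gson_version is not None:
            zf.writestr(
                GSON_POM_PROPERTIES,
                "groupId=com.google.code.gson\nartifactId=gson\n"
                f"version={gson_version}\n",
            )
    buf.seek(0)
    return buf


if __name__ == "__main__":
    jar = installed_tabula_jar()
    if jar is None:
        print("tabula-py jar not found; showing the constructed sample instead")
        jar = make_sample_jar("2.8.6")
    found = bundled_gson_version(jar)
    status = "fixed" if gson_is_fixed(jar) else "NOT fixed"
    print(f"bundled gson: {found} -> {status} (minimum {MIN_FIXED_GSON})")
```

Run it once against the pip-installed package and again after copying the freshly built `target/tabula-1.0.5-jar-with-dependencies.jar` over it; the version printed should change from the older bundled gson to the one the latest tabula-java commit pulls in. The same `bundled_gson_version` call works for any other artifact by changing the `META-INF/maven/<groupId>/<artifactId>/pom.properties` path.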

So until everything is fixed, I have forked the repository and built the jar file myself to replace the one that is installed through pip.

Anyway, this is a tabula-java issue and there's a workaround for using the master branch of tabula-java. I'll bump tabula-java once the next version is released.
Will close the issue.