Security vulnerability in tabula-1.0.5-jar-with-dependencies.jar
Closed this issue · 4 comments
Summary
There is at least one vulnerable package in tabula-1.0.5-jar-with-dependencies.jar
GHSA-4jrv-ppp4-jm57
Did you read the FAQ?
- I have read the FAQ
Did you search GitHub Discussions?
- I have searched the discussions
(Optional) PDF URL
No response
About your environment
Python 3.12.2
Pip 24.0
tabula-py 2.9.0
What did you do when you faced the problem?
I created a docker image.
Code
FROM python@sha256:849ed6079c9f797ca9c1b7d6aea1c00aea3ac35110cbd0d6003f15950017ea8d
RUN pip install --no-cache-dir tabula-py==2.9.0
Expected behavior
The dependencies are all up to date.
Actual behavior
There are vulnerabilities in some of the packages.
Related issues
No response
Thanks for reporting. This issue is tabula-java's. I'm willing to update when they release the fixed version, but unfortunately tabula-py can't fix it directly.
Could you ask in a tabula-java issue?
Tabula-java did update gson to a newer version in one of their commits, but they haven't created a new release with its inclusion.
I created a report on their repository, though I don't know if they'll make a new release.
Meanwhile, you could build the jar file from their latest commit since it works just fine.
This could be done with a container for example:
# Pinned Maven image; git is added (via apk) so the repository can be cloned
FROM maven@sha256:9c29c889b0e108c2bd7386c337e5648726e3e8db2e8cb4746e17eef2a608ca30
RUN apk add --no-cache git=2.43.0-r0 --repository=https://dl-cdn.alpinelinux.org/alpine/v3.19/main
RUN git clone https://github.com/tabulapdf/tabula-java.git
# Build under the 1.0.5 version so the output jar name matches what tabula-py looks for
RUN sed -i 's/1.0.6-SNAPSHOT/1.0.5/' /tabula-java/pom.xml
WORKDIR /tabula-java
RUN mvn clean compile assembly:single
I'm running sed because in the latest commit, the version is set to create a file named 1.0.6-SNAPSHOT instead of 1.0.5 which tabula-py is using. Change this as you please.
So until everything is fixed, I have forked the repository and built the jar file myself to replace the one that is installed through pip.
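Before swapping a locally built jar in for the one pip installed, it is worth confirming that the rebuilt jar really bundles a newer gson than the 1.0.5 release. The following is an added example, not code from tabula-py or tabula-java: it reads the Maven pom.properties entries that assembly:single copies into a jar-with-dependencies and compares the bundled gson version against a minimum you pass in (the fixed version is not stated in this thread, so take the threshold from the advisory). The sample jar it builds is a constructed stand-in, not the real tabula jar.

```python
import io
import zipfile
from typing import Dict, Optional, Tuple

# Maven writes META-INF/maven/<groupId>/<artifactId>/pom.properties into each
# artifact jar, and assembly:single carries them into the jar-with-dependencies.
POM_PREFIX = "META-INF/maven/"
GSON = ("com.google.code.gson", "gson")

def parse_pom_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines of a pom.properties file; '#' lines are comments."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def bundled_versions(jar_bytes: bytes) -> Dict[Tuple[str, str], str]:
    """Map (groupId, artifactId) -> version for every artifact bundled in the jar."""
    found: Dict[Tuple[str, str], str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith(POM_PREFIX) and name.endswith("/pom.properties"):
                p = parse_pom_properties(jar.read(name).decode("utf-8", "replace"))
                if all(k in p for k in ("groupId", "artifactId", "version")):
                    found[(p["groupId"], p["artifactId"])] = p["version"]
    return found

def version_key(v: str) -> Tuple[int, ...]:
    """Numeric prefix for comparison: '2.8.9' -> (2, 8, 9), '1.0.6-SNAPSHOT' -> (1, 0, 6)."""
    return tuple(int("".join(filter(str.isdigit, part)) or 0) for part in v.split("-")[0].split("."))

def gson_at_least(jar_bytes: bytes, minimum: str) -> Optional[bool]:
    """True/False whether the bundled gson meets `minimum`; None if gson is not bundled."""
    version = bundled_versions(jar_bytes).get(GSON)
    return None if version is None else version_key(version) >= version_key(minimum)

def make_sample_jar(gson_version: Optional[str]) -> bytes:
    """Constructed stand-in for a jar-with-dependencies (not the real tabula jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if gson_version is not None:
            jar.writestr(f"{POM_PREFIX}{GSON[0]}/{GSON[1]}/pom.properties",
                         f"#Generated by Maven\nversion={gson_version}\n"
                         f"groupId={GSON[0]}\nartifactId={GSON[1]}\n")
    return buf.getvalue()
```

Pointing `gson_at_least` at the jar inside the installed tabula package and at the one produced by the Dockerfile above shows whether the swap actually changes the bundled gson.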
As you read in the FAQ, you can use your own jar. See https://tabula-py.readthedocs.io/en/latest/faq.html#i-want-to-use-a-different-tabula-jar-file
Anyway, this is a tabula-java issue and there's a workaround for using the master branch of tabula-java. I'll bump tabula-java once the next version is released.
Will close the issue.