Closed
Labels
priority: Urgent or high-priority issues (blockers for an upcoming release, needed hotfixes, etc.)
Description
Dependabot has reported two high-impact vulnerabilities in the no longer maintained org.ini4j Maven package (0.5.4 is the last release): https://mvnrepository.com/artifact/org.ini4j/ini4j.
https://github.com/jolie/jolie/security/dependabot/12
https://github.com/jolie/jolie/security/dependabot/11
grep yields the following code-places where the library is currently used:
```
jolie/javaServices/coreJavaServices$ grep -nr "org\.ini4j" -C3
src/main/java/joliex/util/IniUtils.java-38-import jolie.runtime.FaultException;
src/main/java/joliex/util/IniUtils.java-39-import jolie.runtime.JavaService;
src/main/java/joliex/util/IniUtils.java-40-import jolie.runtime.Value;
src/main/java/joliex/util/IniUtils.java:41:import org.ini4j.Ini;
src/main/java/joliex/util/IniUtils.java-42-
src/main/java/joliex/util/IniUtils.java-43-/**
src/main/java/joliex/util/IniUtils.java-44- *
--
pom.xml-336- <version>3.0</version>
pom.xml-337- </dependency>
pom.xml-338- <dependency>
pom.xml:339: <groupId>org.ini4j</groupId>
pom.xml-340- <artifactId>ini4j</artifactId>
pom.xml-341- <version>0.5.4</version>
pom.xml-342- </dependency>
```
and
```
jolie/extensions/auto$ grep -nr "org\.ini4j" -C3
src/main/java/jolie/net/auto/AutoHelper.java-26-import jolie.runtime.Value;
src/main/java/jolie/net/auto/AutoHelper.java-27-import jolie.runtime.VariablePathBuilder;
src/main/java/jolie/net/auto/AutoHelper.java-28-import jolie.util.Helpers;
src/main/java/jolie/net/auto/AutoHelper.java:29:import org.ini4j.Ini;
src/main/java/jolie/net/auto/AutoHelper.java-30-
src/main/java/jolie/net/auto/AutoHelper.java-31-/**
src/main/java/jolie/net/auto/AutoHelper.java-32- * @author Claudio Guidi, Fabrizio Montesi
--
pom.xml-73- <version>${jolie.version}</version>
pom.xml-74- </dependency>
pom.xml-75- <dependency>
pom.xml:76: <groupId>org.ini4j</groupId>
pom.xml-77- <artifactId>ini4j</artifactId>
pom.xml-78- <version>0.5.4</version>
pom.xml-79- </dependency>
```