
Grobid Vulnerabilities #1059

Closed
sandeshbssuresh-agi opened this issue Nov 13, 2023 · 2 comments

Comments

@sandeshbssuresh-agi

Dear Grobid Team,

We are thrilled by the remarkable achievements of Grobid in processing literature PDFs and are eager to delve deeper into its capabilities. While exploring Grobid, we've encountered some inquiries regarding its dependencies and the vulnerabilities associated with them.

Upon installing Grobid as a standalone application, we have observed certain vulnerabilities within the JAR files located in the 'grobid-installation\grobid-service\lib' directory. We've listed a few of these vulnerabilities for your reference, along with the link to the corresponding National Vulnerability Database (NVD) entry:

i. hibernate-validator-5.4.3.Final [https://nvd.nist.gov/vuln/detail/CVE-2019-10219]
ii. scala-library-2.10.3 [https://nvd.nist.gov/vuln/detail/CVE-2017-15288]
iii. commons-text-1.8.jar [https://nvd.nist.gov/vuln/detail/CVE-2022-42889]
iv. snakeyaml-1.24.jar [https://nvd.nist.gov/vuln/detail/CVE-2022-38750]
v. and others.

We attempted to update these JAR files to their latest versions manually, but this solution proved ineffective for all cases. Therefore, we would appreciate your insights into whether Grobid has any plans to address these vulnerability issues.

With regards,
Sandesh BS
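As an added illustration (not code from the issue, the reporter or the Grobid project), a small Python inventory script that parses JAR file names found in a lib directory such as grobid-installation/grobid-service/lib and checks them against the four entries listed above. The advisory table, the heuristic that a version at or below the reported affected one is assumed affected (and that a newer one still needs its fixed range checked on NVD), and the function names are assumptions of this example.

```python
import re
from pathlib import Path

# Constructed advisory table from the JARs and CVE ids named in the issue above. "affected"
# is the version the reporter found; fixed ranges are not encoded, check them on the NVD page.
ADVISORIES = {
    "hibernate-validator": ("5.4.3.Final", "CVE-2019-10219"),
    "scala-library": ("2.10.3", "CVE-2017-15288"),
    "commons-text": ("1.8", "CVE-2022-42889"),
    "snakeyaml": ("1.24", "CVE-2022-38750"),
}
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][A-Za-z0-9_.-]*?)-(?P<version>\d[A-Za-z0-9_.]*)$")

def parse_jar_name(name):
    """'hibernate-validator-5.4.3.Final.jar' -> ('hibernate-validator', '5.4.3.Final')."""
    m = JAR_RE.match(name[:-4] if name.endswith(".jar") else name)
    return (m.group("artifact"), m.group("version")) if m else None

def version_key(version):
    """Comparable key from the leading numeric parts: '5.4.3.Final' -> (5, 4, 3)."""
    nums = []
    for part in version.split("."):
        if not part.isdigit():
            break  # qualifiers such as 'Final' or 'SNAPSHOT' are ignored
        nums.append(int(part))
    return tuple(nums)

def audit_jar(name):
    """Classify one JAR against ADVISORIES; None when no advisory names its artifact."""
    parsed = parse_jar_name(name)
    if parsed is None or parsed[0] not in ADVISORIES:
        return None
    artifact, version = parsed
    affected, cve = ADVISORIES[artifact]
    here, reported = version_key(version), version_key(affected)
    # Heuristic (assumption): at or below the reported version is treated as affected.
    status = ("reported affected" if here == reported else
              "older than reported version, assume affected" if here < reported else
              "newer than reported version, verify fixed range on NVD")
    return {"artifact": artifact, "version": version, "cve": cve, "status": status}

def audit_jar_names(names):
    """Findings for a list of JAR file names, in input order."""
    return [f for f in map(audit_jar, names) if f is not None]

def audit_lib_dir(lib_dir):
    """Findings for every *.jar directly inside lib_dir (e.g. grobid-service/lib)."""
    return audit_jar_names(sorted(p.name for p in Path(lib_dir).glob("*.jar")))
```

Point `audit_lib_dir` at the installation's lib directory to get one finding per JAR whose artifact appears in the table; artifacts not in the table are silently skipped, so the table has to be maintained alongside the NVD entries it mirrors.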

@kermitt2
Owner

Thank you very much @sandeshbssuresh-agi for reporting these vulnerabilities! This is very appreciated, and we will do our best to fix them.

iii. and iv. should be already fixed in the current master thanks to the upgrade of the dependencies.

i. is related to the version of Dropwizard we are using (web service framework). Upgrading will stop the compatibility with JDK 1.8 that we were trying to maintain, but it's probably time to move on to Java 11 as the minimum requirement. See PR #1031 for this.

ii. is more annoying because the related dependency ("stringmetric") has not been updated to a more recent scala version. It is used to compute string distances for the evaluation, so we could remove it from the core and service part.

In general, Grobid should be a service for internal ingestion/pipeline of PDF, not facing directly the web and users, so these vulnerabilities are not so problematic I think.

@sandeshbssuresh-agi
Author

Your time and attention are valued; thank you.
