test against upstream htmlunit-neko #2565

Closed
flavorjones opened this issue Jun 5, 2022 · 7 comments

Comments

@flavorjones
Member

I recently shipped a PR upstream: HtmlUnit/htmlunit-neko#13

If that gets accepted, then the pending tests from 7cec00e and 277db2e should start passing, and that's a good time to implement upstream testing against https://github.com/HtmlUnit/htmlunit-neko/

@flavorjones
Member Author

Well, this is a bummer: htmlunit-neko dropped compatibility with Xerces in 2.68.0 (see HtmlUnit/htmlunit-neko#17 for some context), which means 2.67.0 is the latest version we can compile against without some work.

I've spiked a bit today on what's involved, and it's mostly refactoring the XML and HTML4 parser context java classes to not inherit from one another. I think I can do it with a little bit more work.

@rbri

rbri commented Apr 12, 2023

Just released version 3.1.0 of Neko. Feel free to contact me if you need some support with updating.

@flavorjones
Member Author

@rbri Thank you for the offer! I saw the release, congrats!

I likely will need help (see my previous note), but it's not at the top of my list just yet. I've pushed my WIP branch to #2856, if you want to take a look and let me know if I'm on the right track or not that would be helpful.

@chadlwilson
Contributor

chadlwilson commented May 7, 2023

Would be fantastic to see some progress here, as nokogiri-java reports a vulnerability via gems/jruby/3.1.0/gems/nokogiri-1.14.3-java/lib/nokogiri/jruby/net/sourceforge/htmlunit/neko-htmlunit/2.63.0/neko-htmlunit-2.63.0.jar right now (not sure if actually exploitable via nokogiri, but a bit of an inconvenience all the same).

@flavorjones
Member Author

@chadlwilson If you've got time and the motivation, please take a look at the WIP branch at #2856. I need help!

@chadlwilson
Contributor

For what it's worth (and for anyone else who arrives here concerned about CVEs being reported against nokogiri java variant) the current CVEs reported against neko-htmlunit 2.63.0 jar I believe to be false positives. They instead only affect the wider htmlunit which is versioned and released alongside neko-htmlunit and unfortunately shares a component grouping within the NIST NVD - but is not used by nokogiri's Java variant.

My personal assessment is here alongside a discussion of why it's not so appropriate to blanket suppress these within tools such as OWASP Dependency Check: jeremylong/DependencyCheck#5656 (comment)
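As an added check (example code written for this page, not part of nokogiri, htmlunit or OWASP Dependency Check), here is a Ruby script that inventories the jars a JRuby gem bundles under the Maven-repository layout nokogiri-java uses (the layout of the neko-htmlunit path quoted above) and reports whether the htmlunit browser artifact itself is present, or only the neko-htmlunit parser. It runs against a constructed temporary tree of empty placeholder files; the `Jar`, `parse_jar_path`, `inventory` and `htmlunit_status` names and the sample paths other than the neko one are mine, and the `net.sourceforge.htmlunit:htmlunit` coordinate is an assumption about the htmlunit 2.x releases, not something stated on this page.

```ruby
# Added example for this thread, not nokogiri's or htmlunit's own code.
# Inventory the jars a JRuby gem bundles under a Maven-repository layout and
# say which artifacts are really present, so a CVE that NVD attaches to the
# whole "htmlunit" product group can be checked against what actually ships.
require "pathname"
require "fileutils"
require "tmpdir"

Jar = Struct.new(:group, :artifact, :version, :path)

# Layout assumed (it matches the neko-htmlunit path quoted in this thread):
#   <root>/<group/with/slashes>/<artifact>/<version>/<artifact>-<version>.jar
# Anything else under root (a flat "foo.jar", a misnamed file) yields nil.
def parse_jar_path(root, path)
  parts = Pathname(path).relative_path_from(Pathname(root)).each_filename.to_a
  return nil if parts.size < 4 || parts.include?("..")
  *group, artifact, version, file = parts
  return nil unless file == "#{artifact}-#{version}.jar"
  Jar.new(group.join("."), artifact, version, path.to_s)
end

# Walk the tree once and keep only jars that follow the layout above.
def inventory(root)
  Dir.glob(File.join(root, "**", "*.jar"))
     .filter_map { |p| parse_jar_path(root, p) }
     .sort_by(&:path)
end

# The question this thread turns on: is the htmlunit browser itself bundled,
# or only the neko-htmlunit parser? Coordinates are Maven groupId:artifactId;
# the htmlunit one is assumed from the 2.x releases, not taken from this page.
NEKO_COORD     = "net.sourceforge.htmlunit:neko-htmlunit"
HTMLUNIT_COORD = "net.sourceforge.htmlunit:htmlunit"

def htmlunit_status(jars)
  by_coord = jars.to_h { |j| ["#{j.group}:#{j.artifact}", j.version] }
  { neko: by_coord[NEKO_COORD], htmlunit: by_coord[HTMLUNIT_COORD] }
end

# Constructed sample tree: empty placeholder files, only the paths matter.
# The neko path mirrors the one quoted earlier in the thread; the other
# entries are invented, including a stray jar that does not follow the layout.
SAMPLE_JARS = %w[
  net/sourceforge/htmlunit/neko-htmlunit/2.63.0/neko-htmlunit-2.63.0.jar
  xerces/xercesImpl/2.12.2/xercesImpl-2.12.2.jar
  stray-bundle.jar
].freeze

def build_sample_tree(dir)
  SAMPLE_JARS.each do |rel|
    full = File.join(dir, rel)
    FileUtils.mkdir_p(File.dirname(full))
    FileUtils.touch(full)
  end
  dir
end

# Build the sample tree in a temp dir, list what was found, and return the
# status hash ({ neko: "2.63.0", htmlunit: nil } for the constructed sample).
def demo
  Dir.mktmpdir("jruby-jars") do |dir|
    jars = inventory(build_sample_tree(dir))
    jars.each { |j| puts "#{j.group}:#{j.artifact}:#{j.version}  (#{j.path})" }
    htmlunit_status(jars)
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

To run it against a real installation, point `inventory` at the gem's `lib/nokogiri/jruby` directory instead of the constructed tree; a result with `htmlunit: nil` and a `neko` version is the evidence to attach when contesting a scanner finding that was matched on the shared NVD product grouping rather than on the jar actually shipped.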

@flavorjones
Member Author

Closing this because it feels like a bigger investment of time than I'm willing to make right now. However, if someone from the JRuby community wants to take this on I'd be happy to consult/support/help in any way I can.

flavorjones closed this as not planned on Jul 3, 2024