In a recent security alert, referenced here, I see there might be security concerns with Vaadin 7 because of a jsoup vulnerability. Because of other factors, I cannot upgrade. So I thought about just including the jsoup directly in my project. So before it was included indirectly via vaadin-server, now it is included directly, and the version vaadin-server references is "omitted for conflict with 1.14.2". Is this a safe way to address this security concern?
I am using Vaadin 7.7.17 and maven.
I ask largely because Vaadin did not offer this as a possible solution, so I assumed it would fail. But since maven is showing no error, I am worried I am missing something that will only show up in some strange runtime behavior.
Here is the dependency tree built via mvn dependency:tree. First of all, the original version, stripped down:
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------------< com.mobiwms:vaadinwebsite >----------------------
[INFO] Building vaadinwebsite 4.0.31
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ vaadinwebsite ---
[INFO] com.mobiwms:vaadinwebsite:war:4.0.31
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- com.vaadin:vaadin-server:jar:7.7.17:compile
[INFO] | +- com.vaadin:vaadin-sass-compiler:jar:0.9.13:compile
[INFO] | | +- org.w3c.css:sac:jar:1.3:compile
[INFO] | | \- com.vaadin.external.flute:flute:jar:1.3.0.gg2:compile
[INFO] | +- com.vaadin:vaadin-shared:jar:7.7.17:compile
[INFO] | \- org.jsoup:jsoup:jar:1.8.3:compile
[INFO] +- com.vaadin:vaadin-push:jar:7.7.17:compile
[INFO] | \- com.vaadin.external.atmosphere:atmosphere-runtime:jar:2.2.13.vaadin1:compile
[INFO] | \- com.vaadin.external.slf4j:vaadin-slf4j-jdk14:jar:1.6.1:compile
[INFO] +- com.vaadin:vaadin-client:jar:7.7.17:provided
... // Stripped out unrelated portions of hierarchy.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.758 s
[INFO] Finished at: 2021-10-27T18:59:19-04:00
[INFO] ------------------------------------------------------------------------
And now the new version, stripped down:
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------------< com.mobiwms:vaadinwebsite >----------------------
[INFO] Building vaadinwebsite 4.0.31
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ vaadinwebsite ---
[INFO] com.mobiwms:vaadinwebsite:war:4.0.31
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- com.vaadin:vaadin-server:jar:7.7.17:compile
[INFO] | +- com.vaadin:vaadin-sass-compiler:jar:0.9.13:compile
[INFO] | | +- org.w3c.css:sac:jar:1.3:compile
[INFO] | | \- com.vaadin.external.flute:flute:jar:1.3.0.gg2:compile
[INFO] | \- com.vaadin:vaadin-shared:jar:7.7.17:compile
[INFO] +- com.vaadin:vaadin-push:jar:7.7.17:compile
[INFO] | \- com.vaadin.external.atmosphere:atmosphere-runtime:jar:2.2.13.vaadin1:compile
[INFO] | \- com.vaadin.external.slf4j:vaadin-slf4j-jdk14:jar:1.6.1:compile
[INFO] +- com.vaadin:vaadin-client:jar:7.7.17:provided
... // Stripped out unrelated portions of hierarchy.
[INFO] \- org.jsoup:jsoup:jar:1.14.2:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.285 s
[INFO] Finished at: 2021-10-27T18:56:01-04:00
[INFO] ------------------------------------------------------------------------
Just noting here. There is no actual problem in Vaadin 7 itself that would be impacted due potential Jsoup vulnerability in question. The dependency was updated to a newer version more in purpose to enforce application developers to use the newer version. Newer version of the Jsoup had some API changes that needed small code changes in Vaadin 7. If your application is not using Jsoup in the way that the vulnerability is not exposed, then the upgrade is not absolutely mandatory. Also reminding that Vaadin 7 versions newer than 7.7.17 require commercial license for extended support.