vulnerable ooxml-schemas-1.4.jar - apache-poi

I get a warning from the Jenkins vulnerability check:
File Path C:\jenkins\workspace\Check vulnerability\myApp.war\WEB-INF\lib\ooxml-schemas-1.4.jar
SHA-1 147993bd2ef26de9e54728f6762011c8c6b8cda7
SHA-256 f8256738040d66ccb677814873674c1212464e00af491e9df490fc45decbd932
Description Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>ooxml-schemas</artifactId>
<version>1.4</version>
</dependency>
There are two CVE warnings: CVE-2017-12626 and CVE-2017-5644, but both are about Apache POI in versions prior to release 3.15 and 3.17 respectively.
Is there really a vulnerability in ooxml-schemas-1.4.jar? And is there any other way to remove duplicate styles from Excel files without using this library?

Related

CVE-2021-44228 + slf4j + common-logging

I am using slf4j in my project with the following:
implementation "org.slf4j:slf4j-api:${versions.slf4japi}" (1.7.32)
implementation "org.slf4j:slf4j-simple:${versions.slf4jsimple}" (1.7.32)
I am really confused because I don't have log4j-1.2.17.jar in my project, but in common-logging I have this dependency:
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
<optional>true</optional>
</dependency>
I am aware that they made a statement, and I am fairly sure that my project is affected, but I don't know how I can fix it! Any help will be appreciated.
First of all, as mentioned in the SLF4J post you linked, Log4j 1 is not affected by CVE-2021-44228 (but it is end of life and affected by other vulnerabilities). Additionally, it is marked as an optional dependency, so by default it is not included when you depend on common-logging; see the POM Reference and the Introduction to the Dependency Mechanism, which mentions this as well:
It may be helpful to think of optional dependencies as "excluded by default."
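The two questions above both come down to knowing what is actually in the deployed lib directory: the first reports a jar by its SHA-1/SHA-256 and a description that belongs to a different artifact, the second asks whether a Log4j jar ended up on the classpath through a transitive dependency. The script below is an added example, not code from the original posts, SLF4J, Apache POI or any scanner. It hashes every jar the way the Jenkins finding does, reads the Maven coordinates the jar embeds in META-INF/maven/*/pom.properties, and flags Log4j jars: a Log4j 2 jar that still ships JndiLookup.class (the class behind CVE-2021-44228; whether the version is fixed must still be checked) and a Log4j 1.x jar (not affected by that CVE, but end of life). The sample jars, their names and their contents are constructed in a temporary directory so the script runs offline; they are assumptions, not real artifacts.

```python
"""Audit a directory of jars (e.g. WEB-INF/lib): hash each jar, read its
embedded Maven coordinates, and flag Log4j jars.

Added example for this page; not code from Apache POI, SLF4J, Jenkins or any
scanner. The sample jars are constructed in a temp directory so it runs offline.
"""
import hashlib
import os
import tempfile
import zipfile

# Lookup class behind CVE-2021-44228 in Log4j 2.x. Log4j 1.x never had it.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"


def hashes(path):
    """SHA-1 and SHA-256 of a file, hex encoded, as the scanner output reports them."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest(), sha256.hexdigest()


def maven_coordinates(zf):
    """(groupId, artifactId, version) from META-INF/maven/*/pom.properties, or None."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= set(props):
                return props["groupId"], props["artifactId"], props["version"]
    return None


def audit_jar(path):
    sha1, sha256 = hashes(path)
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        coords = maven_coordinates(zf)
    return {
        "jar": os.path.basename(path),
        "sha1": sha1,
        "sha256": sha256,
        "coordinates": coords,
        "log4j2_jndi_lookup": JNDI_LOOKUP in names,  # still needs a version check
        "log4j1": LOG4J1_MARKER in names,            # EOL, but not CVE-2021-44228
    }


def audit_lib(lib_dir):
    return [audit_jar(os.path.join(lib_dir, n))
            for n in sorted(os.listdir(lib_dir)) if n.endswith(".jar")]


def make_jar(path, entries, coords=None):
    """Build a minimal jar with the given entry names (constructed test data)."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
        if coords:
            g, a, v = coords
            zf.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                        f"#generated\nversion={v}\ngroupId={g}\nartifactId={a}\n")


def make_sample_lib():
    """Constructed lib dir: slf4j-api, an optional Log4j 1.2.17 that did get
    pulled in, and a Log4j 2 core jar that still ships JndiLookup."""
    lib = tempfile.mkdtemp(prefix="lib-")
    make_jar(os.path.join(lib, "slf4j-api-1.7.32.jar"), ["org/slf4j/Logger.class"],
             ("org.slf4j", "slf4j-api", "1.7.32"))
    make_jar(os.path.join(lib, "log4j-1.2.17.jar"), [LOG4J1_MARKER],
             ("log4j", "log4j", "1.2.17"))
    make_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), [JNDI_LOOKUP],
             ("org.apache.logging.log4j", "log4j-core", "2.14.1"))
    return lib


if __name__ == "__main__":
    for r in audit_lib(make_sample_lib()):
        print(r["jar"], r["coordinates"], "sha1=" + r["sha1"][:12],
              "log4j2-jndi" if r["log4j2_jndi_lookup"] else "",
              "log4j1" if r["log4j1"] else "")
```

Point audit_lib at the real WEB-INF/lib of the unpacked war to get the same hashes the scanner printed, and compare the coordinates it reads against the CPE or artifact the finding names; a mismatch between the two is the first thing to raise when disputing a finding.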

Was OpenSagres allowed to use Apache POI-like packages?

While searching for a free solution to implement a DOC(x)-to-PDF transformation for an internal business application, I stumbled upon the org.apache.poi.xwpf.converter.* packages.
I found some examples e.g.
http://www.programcreek.com/java-api-examples/index.php?api=org.apache.poi.xwpf.converter.pdf.PdfOptions
I saw the packages starting with "org.apache.poi...", so I thought "oh great, OSS". But after further searching, I realized that the source code isn't coming from Apache, but rather from an obscure French company I had never heard of, OpenSagres: http://www.opensagres.fr/
For example, http://poi.apache.org/apidocs/index.html has nothing about those packages.
I then found the matching Javadoc API: http://oss.opensagres.fr/xdocreport/javadoc/1.0.3/org/apache/poi/xwpf/converter/core/package-summary.html
...as well as source code on GitHub:
https://github.com/opensagres/xdocreport/wiki/XWPFConverterPDFViaIText org.apache.poi.xwpf.converter.pdf provides...
<dependency>
<groupId>fr.opensagres.xdocreport</groupId>
<artifactId>org.apache.poi.xwpf.converter.pdf</artifactId>
<version>${XDOCREPORT_VERSION}</version>
</dependency>
https://github.com/opensagres/xdocreport/wiki/XWPFConverterXHTML org.apache.poi.xwpf.converter.xhtml provides...
<dependency>
<groupId>fr.opensagres.xdocreport</groupId>
<artifactId>org.apache.poi.xwpf.converter.xhtml</artifactId>
<version>${XDOCREPORT_VERSION}</version>
</dependency>
Jars are also available for download inside the docx.converters-xxx-sample.zip archive, packaged (under the "libs" folder) as:
org.apache.poi.xwpf.converter.core-1.0.4.jar
org.apache.poi.xwpf.converter.pdf-1.0.4.jar
org.apache.poi.xwpf.converter.xhtml-1.0.4.jar
And when you look at the source code, there is even a copyright for The XDocReport Team e.g. see
https://github.com/opensagres/xdocreport/blob/master/thirdparties-extension/org.apache.poi.xwpf.converter.core/src/main/java/org/apache/poi/xwpf/converter/core/AbstractXWPFConverter.java
Copyright (C) 2011-2015 The XDocReport Team <xdocreport#googlegroups.com>
How is that even possible? I mean, prefixing a package with the name of a well-known entity which releases OSS should be restricted, no?
Moreover, even if it's not coming from Apache, I can't use this source code/library/whatever, because:
it depends on iText 2.1.7 due to licensing issue(s), see: iText 5.5.0 with XDocReport 1.0.4, which should not be used anymore (but can I really trust the commenter, as he's the author of the code??? https://stackoverflow.com/users/1622493/bruno-lowagie)
there's a version with iText 5.x (https://github.com/opensagres/xdocreport/tree/master/thirdparties-extension/org.apache.poi.xwpf.converter.pdf.itext5) but it's not free! See http://itextpdf.com/Pricing
So what am I supposed to do?

May I use jxls and apache poi together?

I'm making an application to analyze some data, and the results must be presented in Excel files. For that I started to use Apache POI (3.11). Because some reports consume a lot of time and memory to produce, I did some investigation and found jxls; after some tests I thought it was the solution. But now I have found a problem: I can't get both frameworks to work together.
I had to update Apache POI from 3.11 to 3.14 in order to work with jxls-2.3.0.
I made an extra package in order to make my tests with jxls, no problem.
I tried to migrate one of my classes from Apache POI to jxls, and I got this error: java.lang.IllegalStateException: Cannot load XLS transformer. Please make sure a Transformer implementation is in classpath. This is the code of my method:
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.List;
import java.util.logging.Level;
import org.jxls.common.Context;
import org.jxls.util.JxlsHelper;

private void prepareNewReport(File excelFile) {
    // Rows to render into the template (built elsewhere in the project)
    List<?> perforaciones = makePerforacionReport.makePerforacionData(escenario);
    // Template is loaded from the classpath next to this dialog class
    try (InputStream is = ReportePerforacionTotalDialog.class
            .getResourceAsStream("PerforacionTotal_template.xls")) {
        try (OutputStream os = new FileOutputStream(excelFile)) {
            Context context = new Context();
            context.putVar("perforaciones", perforaciones);
            // Needs a Transformer implementation (jxls-poi) on the classpath
            JxlsHelper.getInstance().processTemplate(is, os, context);
            LOGGER.logger.log(Level.INFO, "Drilling report generated successfully");
        }
    } catch (IOException e) {
        LOGGER.logger.log(Level.SEVERE, "Problems finding the file", e);
    }
}
How could this be possible? In the same project I have my test class, just in another package, and it's working fine. As you can see it's not so different from the example on the jxls page, and the imports are the same.
But even worse, when I tried to do a clean & build of my project, I got this other error:
java.lang.RuntimeException: com.sun.tools.javac.code.Symbol$CompletionFailure: class file for org.openxmlformats.schemas.officeDocument.x2006.docPropsVTypes.CTArray not found
I looked at every library that I imported in order to work with jxls and Apache POI, and that's right, that class is not there. Just to see if there is a conflict between these two frameworks, I removed from the classpath all libraries needed to use jxls. Clean & build again, and no problem: I have my .jar file to send to my customer, but incomplete.
I could try to replace all classes that use Apache POI, but that means a lot of work, since POI is used in my project many times to read data from Excel files and to write many other files to Excel. I planned to use jxls in order to take advantage of templates.
I will appreciate any help or suggestion.
For the first error, it would appear that the JXLS transformer for Apache POI is missing in your classpath when running the application. Check the JXLS getting started info here: http://jxls.sourceforge.net/getting_started.html
As explained in the Transformers section (see Main Concepts), the Jxls core module does not depend on any specific Java-Excel library and works with Excel exclusively through a predefined interface. Currently Jxls supplies two implementations of this interface in separate modules, based on the well-known Apache POI and Java Excel API libraries.
If you're using maven, be sure to include in your pom.xml the jxls-poi dependency listed on the JXLS getting started page:
<dependency>
<groupId>org.jxls</groupId>
<artifactId>jxls-poi</artifactId>
<version>1.0.9</version>
</dependency>
For the second issue, org.openxmlformats.schemas.officeDocument.x2006.docPropsVTypes.CTArray is not in the Apache POI ooxml schemas jar files for either 3.11 (poi-ooxml-schemas-3.11-20141221.jar) or 3.14 (poi-ooxml-schemas-3.14-20160307.jar). POI uses a stripped-down set of OOXML schema classes, so you will need to get the complete ooxml-schemas jar from http://central.maven.org/maven2/org/apache/poi/ooxml-schemas/1.3/ or, if you're using Maven (or another build tool), get the dependency for your build from https://mvnrepository.com/artifact/org.apache.poi/ooxml-schemas/1.3
e.g for maven:
<!-- https://mvnrepository.com/artifact/org.apache.poi/ooxml-schemas -->
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>ooxml-schemas</artifactId>
<version>1.3</version>
</dependency>
Be sure to remove the poi-ooxml-schemas dependency from your maven pom.xml so that ooxml-schemas above takes precedence instead.

XSSFWorkbook poi: adding image IOUtils toByteArray undefined error

To insert an image into Excel using POI:XSSF
I am using the Maven POI dependency:
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>poi-ooxml</artifactId>
<version>3.8</version>
</dependency>
and code as:
import org.apache.poi.ss.usermodel.Workbook;
import org.apache.poi.util.IOUtils; // POI's own IOUtils, not another library's
InputStream my_banner_image = new FileInputStream("input.png");
byte[] bytes = IOUtils.toByteArray(my_banner_image);
int my_picture_id = wb.addPicture(bytes, Workbook.PICTURE_TYPE_PNG);
I am getting these errors:
1) The method toByteArray(InputStream) is undefined for the type IOUtils
2) PICTURE_TYPE_PNG cannot be resolved or is not a field
Any help would be appreciated. Thanks.
Promoting a comment to an answer:
The method you want to use is very much present in Apache POI 3.11, and you can see full details about it in the POI Javadocs.
As detailed on the POI Components page, defining a Maven dependency on poi-ooxml will pull in the main poi component jar, which is where the IOUtils class lives, so that bit is fine
What you have in this case (based on comments) is a second, older copy of POI on your classpath. You need to remove this older POI jar (or jars); in common with most Java projects, Apache POI will only work properly if all of the POI jars are from the same version and no old ones are present.
Because it's a fairly common problem (lots of frameworks ship old copies of POI, for example), there's a POI FAQ entry on this very thing. If you can't find the old jar by hand, you can use the code given there to work out where the old jar is, so you can remove it.
Also, one other thing to bear in mind: many, many projects provide a class called IOUtils. Make sure the one you have imported into your code is org.apache.poi.util.IOUtils and not something else!

XSSF prefix for POI

I am not able to use the XSSF prefix for POI. When I run the code, the following error is given. Please help me out.
Error:run:
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/xmlbeans/XmlObject
at javacodechefsummer.Javacodechefsummer.main(Javacodechefsummer.java:36)
The Apache POI website has a whole section on the components and their dependencies, which a staggeringly high number of people seem to completely ignore... (Just look at the number of similar questions every week to see!)
If you care to take a read through it, you'll clearly see the dependencies that are required by XSSF. These dependencies ship with Apache POI; you just need to add them to your classpath. From your error, you are missing xmlbeans, and possibly some others too.
If you are using Maven, the dependencies are:
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>poi</artifactId>
<version>3.8-beta3</version>
</dependency>
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>poi-ooxml</artifactId>
<version>3.8-beta3</version>
</dependency>
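The three answers above describe the two classpath failures POI users keep hitting: a class present in more than one jar (the old POI copy a framework bundles, which makes IOUtils.toByteArray and PICTURE_TYPE_PNG resolve against the wrong version), and a class present in no jar at all (xmlbeans missing for XSSF, or CTArray absent from the stripped poi-ooxml-schemas jar in the jxls question). The POI FAQ code that locates the jar a class is loaded from only answers for one class at a time; the script below, an added example that is not code from Apache POI or the POI FAQ, indexes every .class entry across a lib directory and reports both kinds of problem at once. The sample jars, their names and their entries are constructed in a temporary directory so it runs offline; the old-POI jar name and its contents are assumptions, not a real artifact.

```python
"""Report classes shipped by more than one jar, and required classes missing
from a jar directory. Added example for this page; not code from Apache POI or
the POI FAQ. The sample jars are constructed so the script runs offline.
"""
import os
import tempfile
import zipfile
from collections import defaultdict

# Classes the posts above fail on. A missing one gives NoClassDefFoundError at
# run time or a javac CompletionFailure at build time; a duplicated one makes
# the version you actually get depend on classpath order.
REQUIRED = [
    "org/apache/xmlbeans/XmlObject.class",        # XSSF needs xmlbeans
    "org/apache/poi/util/IOUtils.class",          # lives in the main poi jar
    "org/openxmlformats/schemas/officeDocument/x2006/docPropsVTypes/CTArray.class",
]


def index_classes(lib_dir):
    """Map each .class entry to the sorted list of jars that contain it."""
    index = defaultdict(list)
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        with zipfile.ZipFile(os.path.join(lib_dir, name)) as zf:
            for entry in zf.namelist():
                if entry.endswith(".class"):
                    index[entry].append(name)
    return index


def duplicate_classes(index):
    """Classes present in more than one jar, e.g. two copies of POI on the classpath."""
    return {cls: jars for cls, jars in index.items() if len(jars) > 1}


def jars_with_duplicates(index):
    """Jars that share at least one class with another jar: these are the ones to reconcile."""
    jars = set()
    for dup in duplicate_classes(index).values():
        jars.update(dup)
    return sorted(jars)


def missing_classes(index, required=REQUIRED):
    """Required classes that no jar in the directory provides."""
    return [cls for cls in required if cls not in index]


def make_jar(path, entries):
    """Build a minimal jar with the given entry names (constructed test data)."""
    with zipfile.ZipFile(path, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")


def make_sample_lib():
    """Constructed lib: poi + poi-ooxml, an old POI copy dragged in by a
    framework, the stripped poi-ooxml-schemas, and no xmlbeans jar at all."""
    lib = tempfile.mkdtemp(prefix="lib-")
    make_jar(os.path.join(lib, "poi-3.11.jar"),
             ["org/apache/poi/util/IOUtils.class",
              "org/apache/poi/ss/usermodel/Workbook.class"])
    make_jar(os.path.join(lib, "poi-ooxml-3.11.jar"),
             ["org/apache/poi/xssf/usermodel/XSSFWorkbook.class"])
    make_jar(os.path.join(lib, "some-framework-bundled-poi-3.2.jar"),
             ["org/apache/poi/util/IOUtils.class",
              "org/apache/poi/hssf/usermodel/HSSFWorkbook.class"])
    make_jar(os.path.join(lib, "poi-ooxml-schemas-3.11-20141221.jar"),
             ["org/openxmlformats/schemas/spreadsheetml/x2006/main/CTSheet.class"])
    return lib


if __name__ == "__main__":
    idx = index_classes(make_sample_lib())
    for cls, jars in duplicate_classes(idx).items():
        print("DUPLICATE", cls, "->", ", ".join(jars))
    for cls in missing_classes(idx):
        print("MISSING  ", cls)
```

Run it against the real lib directory (or the unpacked war) rather than the constructed one; jars_with_duplicates is the list of jars to reconcile to one POI version, and missing_classes tells you which dependency from the POI components page, or the complete ooxml-schemas jar, still has to be added.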
