Security flaws scanned by Veracode, including very high flaws

[VicZhang1]

Hi @MarkusBernhardt ,

We scanned proxy-vole on Veracode, and found some very high flaws as following:

Seems it's caused by rhino 1.7.7 and JNA 4.2.2. Would you like to take a look at them? or confirm with rhino or Veracode?

[VicZhang1]

There are new version of JNA https://github.com/java-native-access/jna/releases, are you interesting in upgrading to its new version?

[VicZhang1]

There are also new version of rhino https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Rhino/Download_Rhino.

[gschnepp]

Vic, looks like proxy-vole is dead. Markus doesn't answer here anymore except 'Yes, I want to do something, but have no time' for months now. Even pull requests are not fulfilled, it seems.   :-(    One word to Rhino: Having a look into the issues list you'll find efforts to replace Rhino to something else because of known problems and anavailability on Java 11 anymore.Again: No answer from Markus. Looks like we have to find another library. It even would help if Markus declares the end of proxy-vole officially so that someone else could take it over. Sorry, Guido Am 24.09.2019 um 08:14 schrieb Vic Zhang:

…

Hi @MarkusBernhardt <https://github.com/MarkusBernhardt> , We scanned proxy-vole on Veracode, and found some very high flaws as following: image <https://user-images.githubusercontent.com/2956318/65485636-f8327480-ded4-11e9-9819-bfa0c27bd1f9.png> image <https://user-images.githubusercontent.com/2956318/65485870-91fa2180-ded5-11e9-826f-0a45cb74a278.png> Seems it's caused by rhino 1.7.7 and JNA 4.2.2. Would you like to take a look at them? or confirm with rhino or Veracode? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#72?email_source=notifications&email_token=AFQHM34G3Q6FHHZKTFWIJHLQLGV4JA5CNFSM4IZ3GCY2YY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4HNG5SDQ>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFQHM33W7WOSPBU7VJUBVKLQLGV4JANCNFSM4IZ3GCYQ>.

-- Tel. +49 (211) 909995-15 Fax. +49 (211) 909995-715 Mob. +49 (172) 2422575 CRE-DO GmbH Benrather Schlossallee 94 40597 Duesseldorf Germany Managing Director: Guido Schnepp Registered at: AG Duesseldorf, HRB 66540

[VicZhang1]

Thanks for your reply @gschnepp . Yeah, we may need to find another choice if this is no longer maintained.

[gschnepp]

#response_container_BBPPID{font-family: initial; font-size:initial; color: initial;} Vic, No, not yet unfortunately. That's the real drama. Proxy-vole would be fully OK with an active maintainer.Proxies are not my native business so I don't have enough knowledge on this to feel good with an own fork. Guido  Von: notifications@github.comGesendet: 25. September 2019 09:04An: proxy-vole@noreply.github.comAntworten: reply@reply.github.comCc: guido.schnepp@cre-do.de; mention@noreply.github.comBetreff: Re: [MarkusBernhardt/proxy-vole] Security flaws scanned by Veracode, including very high flaws (#72) Thanks for your reply @gschnepp . Yeah, we may need to find another choice. Do you have one now? —You are receiving this because you were mentioned.Reply to this email directly, view it on GitHub, or mute the thread.

[gschnepp]

Markus doesn't answer any issues or pull requests here for nearly a year now. This project is dead, I think. Unfortunately. :-(

[cpesch]

@gschnepp I'm using proxy-vole in my RouteConverter application and stumbled across some NullPointerException problems. And read your comments below the issues.

Are you aware of an accepted fork of proxy-vole? Or even willing to fork and maintain it?

[gschnepp]

@cpesch No, unfortunately neither. Well, I'd like to be aware of a fork, but I don't know any. And I don't have enough knowledge of proxies in general to do it.

[cpesch]

https://github.com/akuhtz/proxy-vole/commits/master seems to be a promising fork. I've integrated some commits from other forks into it.

Release is published here:
https://repo1.maven.org/maven2/org/bidib/com/github/markusbernhardt/proxy-vole/1.0.6-RC2/

[gschnepp]

Sounds promising! At least it's more living than this here. Thanks!