Skip to content

Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY]#102

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/maven-org.assertj-assertj-core-vulnerability
Open

Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY]#102
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/maven-org.assertj-assertj-core-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 6, 2026

This PR contains the following updates:

Package Change Age Confidence
org.assertj:assertj-core (source) 3.23.13.27.7 age confidence
org.assertj:assertj-core (source) 3.26.33.27.7 age confidence

AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion

CVE-2026-24400 / GHSA-rqfh-9r24-8c9r

More information

Details

An XML External Entity (XXE) vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocument(String) method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualTo(CharSequence) assertion for CharSequence values.

An application is vulnerable only when it uses untrusted XML input with one of the following methods:

  • isXmlEqualTo(CharSequence) from org.assertj.core.api.AbstractCharSequenceAssert
  • xmlPrettyFormat(String) from org.assertj.core.util.xml.XmlStringPrettyFormatter
Impact

If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:

  • Read arbitrary local files via file:// URIs (e.g., /etc/passwd, application configuration files)
  • Perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs
  • Cause Denial of Service via "Billion Laughs" entity expansion attacks
Mitigation

isXmlEqualTo(CharSequence) has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:

  1. Replace isXmlEqualTo(CharSequence) with XMLUnit, or
  2. Upgrade to version 3.27.7, or
  3. Avoid using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter with untrusted input.

XmlStringPrettyFormatter has historically been considered a utility for isXmlEqualTo(CharSequence) rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.

References

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Configuration

📅 Schedule: (in timezone Europe/Berlin)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies label May 6, 2026
@renovate renovate Bot requested a review from a team May 6, 2026 12:20
@sonar-review-alpha
Copy link
Copy Markdown

sonar-review-alpha Bot commented May 6, 2026
edited
Loading

Summary

⚠️ The PR description exceeded the analysis limit and was truncated. The review may not reflect all context.

This PR updates org.assertj:assertj-core to v3.27.7 across two POM files to address [CVE-2026-24400]([link removed: nvd.nist.gov]), an XXE vulnerability in the library's XML parsing utilities. The changes are straightforward dependency version bumps with no code modifications: 3.23.1 → 3.27.7 in test-sources/pom.xml and 3.26.3 → 3.27.7 in the root pom.xml. v3.27.7 includes the fix and deprecates the vulnerable isXmlEqualTo() and XmlStringPrettyFormatter methods (scheduled for removal in v4.0).

What reviewers should know

What to check:

  • Verify the dependency resolution is clean (no conflicts with matching versions across both POMs)
  • Run the test suite to ensure compatibility—this is the main action item since the update spans multiple minor versions
  • No code changes required in this codebase; the deprecation only affects future versions

Context:

  • The vulnerability only affects applications using isXmlEqualTo() or XmlStringPrettyFormatter with untrusted XML input (typical in test fixtures). Review your test code to see if this applies; if not, this is a low-risk update.
  • The two POM files had drifted to different versions (3.23.1 vs 3.26.3) and are now synchronized at 3.27.7—this consistency is good for maintainability.
  • Generate Walkthrough
  • Generate Diagram

🗣️ Give feedback

@hashicorp-vault-sonar-prod
Copy link
Copy Markdown
Contributor

hashicorp-vault-sonar-prod Bot commented May 6, 2026
edited by atlassian Bot
Loading

Renovate Jira issue ID: JAVASE-216

sonar-review-alpha[bot]
sonar-review-alpha Bot reviewed May 6, 2026
View reviewed changes
Copy link
Copy Markdown

@sonar-review-alpha sonar-review-alpha Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clean security dependency update. No functional code changes. The project does not use isXmlEqualTo() or XmlStringPrettyFormatter anywhere, so it was never directly exposed to CVE-2026-24400 — this upgrade is still correct as a precautionary measure and keeps the dependency current.

One structural maintenance issue is worth fixing alongside this: the version pinning in checks-test-sources/pom.xml caused the pre-PR drift (3.23.1 there vs 3.26.3 in the root). Removing the explicit version tag there would let it inherit from the root's <dependencyManagement> like all other modules do, making future bumps a single-file change.

🗣️ Give feedback

Comment thread java-symbolic-execution/java-symbolic-execution-checks-test-sources/pom.xml
Comment on lines 476 to +477
<artifactId>assertj-core</artifactId>
<version>3.23.1</version>
<version>3.27.7</version>
Copy link
Copy Markdown

@sonar-review-alpha sonar-review-alpha Bot May 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Logic duplication: The assertj-core version is managed centrally in the root pom.xml <dependencyManagement> (line 247), and also pinned explicitly here. This caused the two declarations to drift out of sync pre-PR (3.23.1 here vs 3.26.3 in root), requiring this dual-file update.

The <scope>provided</scope> override below can be kept without specifying a version — Maven resolves the version from <dependencyManagement> independently of scope overrides. Removing the <version> tag here means future bumps only require touching pom.xml.

Suggested change
<artifactId>assertj-core</artifactId>
<version>3.23.1</version>
<version>3.27.7</version>
<artifactId>assertj-core</artifactId>
  • Mark as noise

@sonarqube-next
Copy link
Copy Markdown

sonarqube-next Bot commented May 6, 2026

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sonar-review-alpha sonar-review-alpha[bot] sonar-review-alpha[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants