Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY]#102
Conversation
Summary
Single dependency version bump: org.assertj:assertj-core upgraded from 3.26.3 to 3.27.7 (test scope). This addresses CVE-2026-24400, an XXE vulnerability in AssertJ's XML parsing methods ( What reviewers should knowReview checklist:
No further action needed unless the codebase actively uses the deprecated XML methods with potentially untrusted sources.
|
|
Renovate Jira issue ID: JAVASE-216 |
![sonar-review-alpha[bot]](https://avatars.githubusercontent.com/in/3025063?s=60&v=4){kind=small}
There was a problem hiding this comment.
Clean security dependency update. No functional code changes. The project does not use isXmlEqualTo() or XmlStringPrettyFormatter anywhere, so it was never directly exposed to CVE-2026-24400 — this upgrade is still correct as a precautionary measure and keeps the dependency current.
One structural maintenance issue is worth fixing alongside this: the version pinning in checks-test-sources/pom.xml caused the pre-PR drift (3.23.1 there vs 3.26.3 in the root). Removing the explicit version tag there would let it inherit from the root's <dependencyManagement> like all other modules do, making future bumps a single-file change.
| <artifactId>assertj-core</artifactId> | ||
| <version>3.23.1</version> | ||
| <version>3.27.7</version> |
There was a problem hiding this comment.
Logic duplication: The assertj-core version is managed centrally in the root pom.xml <dependencyManagement> (line 247), and also pinned explicitly here. This caused the two declarations to drift out of sync pre-PR (3.23.1 here vs 3.26.3 in root), requiring this dual-file update.
The <scope>provided</scope> override below can be kept without specifying a version — Maven resolves the version from <dependencyManagement> independently of scope overrides. Removing the <version> tag here means future bumps only require touching pom.xml.
| <artifactId>assertj-core</artifactId> | |
| <version>3.23.1</version> | |
| <version>3.27.7</version> | |
| <artifactId>assertj-core</artifactId> |
- Mark as noise
dorian-burihabwa-sonarsource
force-pushed
the
renovate/maven-org.assertj-assertj-core-vulnerability
branch
from
31df911 to
d2f86aa
Compare
There was a problem hiding this comment.
The security fix itself is correct and complete for the modules that inherit their version from root dependencyManagement. However, the version drift in java-symbolic-execution-checks-test-sources/pom.xml is not addressed, leaving that module pinned to the vulnerable 3.23.1.
|
dorian-burihabwa-sonarsource
deleted the
renovate/maven-org.assertj-assertj-core-vulnerability
branch
1 participant
This PR contains the following updates:
3.23.1→3.27.73.26.3→3.27.7AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
CVE-2026-24400 / GHSA-rqfh-9r24-8c9r
More information
Details
An XML External Entity (XXE) vulnerability exists in
org.assertj.core.util.xml.XmlStringPrettyFormatter: thetoXmlDocument(String)method initializesDocumentBuilderFactorywith default settings, without disabling DTDs or external entities. This formatter is used by theisXmlEqualTo(CharSequence)assertion forCharSequencevalues.An application is vulnerable only when it uses untrusted XML input with one of the following methods:
isXmlEqualTo(CharSequence)fromorg.assertj.core.api.AbstractCharSequenceAssertxmlPrettyFormat(String)fromorg.assertj.core.util.xml.XmlStringPrettyFormatterImpact
If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:
file://URIs (e.g.,/etc/passwd, application configuration files)Mitigation
isXmlEqualTo(CharSequence)has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:isXmlEqualTo(CharSequence)with XMLUnit, orisXmlEqualTo(CharSequence)orXmlStringPrettyFormatterwith untrusted input.XmlStringPrettyFormatterhas historically been considered a utility forisXmlEqualTo(CharSequence)rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.References
Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Configuration
📅 Schedule: (in timezone Europe/Berlin)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.