Fixes httpclient vulnerability by replacing it with a newer alternative

[pedro93]

Security vulnerabilities have been found in apache-httpclient:commons-httpclient:3.1.
Unfortunately, 3.1 is the latest version of this package.

The suggestion to resolve the vulnerability is to https://hc.apache.org/httpcomponents-client-5.1.x/ 

[jjoyce0510]

@li-kramgopa Can we pls get a review on this PR? This is causing severe vuln on dependent project scans.

Thanks!
John

[karthikrg]

@jjoyce0510 why are your ci tests failing? Also can you please update the diff to remove the comment?
You also need to update CHANGELOG and the version.

[karthikrg]

@mchen07 @evanw555 fyi ^

[jjoyce0510]

@pedro93 Please update the PR to address the above :)

[pedro93]

Already did, regarding the failing CI I may need some help from someone more familiar with project.

[mchen07]

can somebody provide link to the vulnerability issue this is trying to solve?

[nickibi]

@pedro93 @jjoyce0510 Can you please share the details about the security vulnerability?
Within Linkedin, there are many other repos also use this dependency. We need to check with InfoSec team and ask for their recommendation. We are not sure the issue or impact at this moment. Moreover, if we are going to replace it, we need to get InfoSec confirmation on which version would be right one.
Before that I don't think we could review this PR.

[pedro93]

Here is the doc: https://docs.google.com/document/d/1ycmmQsY73LUAguDjdJncpr_GQ8E1lMJwfsuIpd5sPl0/edit?usp=sharing
Please let me know if you can't access it. Thanks!

[shirshanka]

Here's a pasted transcript from the doc.

apache-httpclient : commons-httpclient : 3.1

sonatype-2007-0004
Issue
sonatype-2007-0004
Severity
Sonatype CVSS 3:
7.5
CVE CVSS 2.0:
0.0
Weakness
Sonatype CWE:
770
Source
Sonatype Data Research
Categories
Data
Explanation
The Apache HttpComponents project, a library of low level Java components focused on HTTP and associated protocols, is vulnerable to a Denial of Service (DoS). The HttpParser class' readRawLine method performs unbound reads on HTTP POST data. If a new line character \n is not encountered, memory consumption is not limited, leading to a Denial of Service.
Detection
The application is vulnerable by using this component.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
NOTE: Component commons-httpclient:commons-httpclient is not expected to have any further releases, including a fixed version. The component was relocated to org.apache.httpcomponents:httpclient. Therefore, users of the affected versions of commons-httpclient:commons-httpclient should consider upgrading to a non-vulnerable version of org.apache.httpcomponents:httpclient.
Root Cause
commons-httpclient-3.1.jarorg/apache/commons/httpclient/HttpParser.class[2.0-alpha3,)
Advisories
Project:
http://hc.apache.org/index.html
Project:
https://issues.apache.org/jira/browse/HTTPCLIENT-644
Project:
https://issues.apache.org/jira/browse/HTTPCORE-3
Project:
https://issues.apache.org/jira/browse/HTTPCORE-4
CVSS Details
Sonatype CVSS 3:
7.5
CVSS Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

[pedro93]

Hello,

Pinging back on this PR. Have you had any chance to evaluate the changes?

Thank you.

[karthikrg]

@mchen07 can you check this please?

[karthikrg]

@pedro93 can you please rebase with master and upload a new diff?

[pedro93]

I merged master into this PR, is that not enough?