
Added CVE-2022-42889 affecting Apache Commons Text #348

Merged
merged 1 commit into from
Nov 21, 2022

Conversation

henrikplate
Contributor

No description provided.

@copernico
Contributor

copernico commented Nov 21, 2022

I ran this command line (note: I did not even specify a version interval):

python client/cli/main.py CVE-2022-42889 --repository https://github.com/apache/commons-text --use-backend=optional

The tool found 654 candidates and the one that @henrikplate reported is no. 5 (but the ones above it are quite clearly not security fixes).

When specifying a version interval, the commit found by Henrik is no. 1 (but other irrelevant commits are assigned the same relevance).

My conclusion: using Prospector would have taken 29 seconds to produce the report + maybe another 30 s to pick the commit and export it in statement format (using the button in the report itself).

Question for @sacca97 : any idea why the PR apache/commons-text#341 (mentioned in the commit message) was not used? It has the CVE id in it....

Question for @henrikplate : what criteria did you use to pick that commit? And how long did it take for you to find it and decide it was the right one?


@copernico copernico merged commit 46b6932 into SAP:vulnerability-data Nov 21, 2022
@henrikplate
Contributor Author

@copernico - I needed < 5 mins, because I knew that the vuln. was about string lookups, so it was easy to spot the corresponding commit message in the commits preceding the release.

@sacca97
Collaborator

sacca97 commented Nov 21, 2022

I know I'm on a day off but my flight is late so...
This is the report of the latest version, which is not yet synced with GitHub. We're not detecting the CVE in the linked issue because that part of the issue is not in the GitHub API response.
But if we go back to scraping the HTML using BeautifulSoup we will get it.

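The two comments above describe Prospector ranking fix-commit candidates for a CVE and missing the CVE id because it only appears in the text of a linked PR that the GitHub API response did not include. The following is an added illustration, not Prospector's code and not code from this PR: a small relevance heuristic that mines CVE ids and issue/PR references from commit messages, consults whatever text the linked-issue lookup returned, and shows how the ranking degrades when that text lacks the CVE id. The commit messages, the linked-PR text and the keyword list are all constructed sample data; only the CVE id and the PR number come from the thread.

```python
import re
from dataclasses import dataclass

# References we mine from free text: CVE ids and GitHub issue/PR numbers
# written as "#341", "apache/commons-text#341" or "GH-341".
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
ISSUE_RE = re.compile(r"(?:[\w.-]+/[\w.-]+)?#(\d+)\b|\bGH-(\d+)\b")


@dataclass
class Commit:
    sha: str
    message: str


def extract_references(text: str) -> tuple[set[str], set[int]]:
    """Return (CVE ids, issue/PR numbers) mentioned in the given text."""
    cves = {m.group(0).upper() for m in CVE_RE.finditer(text)}
    issues = {int(a or b) for a, b in ISSUE_RE.findall(text)}
    return cves, issues


def score_commit(commit, cve_id, issue_texts, keywords):
    """Heuristic relevance score for one candidate commit.

    An explicit CVE id in the commit message or in the text of a linked
    issue/PR weighs most; vulnerability keywords add one point each.
    `issue_texts` maps issue/PR number -> text as returned by whatever
    lookup was used (API response or scraped page)."""
    score, reasons = 0, []
    cves, issues = extract_references(commit.message)
    if cve_id in cves:
        score += 10
        reasons.append("CVE id in commit message")
    for num in issues:
        linked_cves, _ = extract_references(issue_texts.get(num, ""))
        if cve_id in linked_cves:
            score += 8
            reasons.append(f"CVE id in linked issue/PR #{num}")
    lowered = commit.message.lower()
    hits = [k for k in keywords if k in lowered]
    score += len(hits)
    if hits:
        reasons.append("keywords: " + ", ".join(hits))
    return score, reasons


def rank_candidates(commits, cve_id, issue_texts, keywords):
    """Return [(commit, score, reasons), ...] sorted by descending score."""
    scored = [(c, *score_commit(c, cve_id, issue_texts, keywords)) for c in commits]
    scored.sort(key=lambda t: t[1], reverse=True)
    return scored


# Constructed sample commits (not real apache/commons-text history).
SAMPLE_COMMITS = [
    Commit("aaaaaaa", "Bump version in pom.xml for release"),
    Commit("bbbbbbb", "Disable script, dns and url string lookups by default (#341)"),
    Commit("ccccccc", "Fix typo in StringSubstitutor javadoc"),
]
# Constructed text of the linked PR, as a complete lookup would return it.
SAMPLE_ISSUE_TEXTS = {341: "Mitigation for CVE-2022-42889: safer interpolation defaults"}
KEYWORDS = ["lookup", "interpolat", "security", "cve"]


def top_candidate(cve_id="CVE-2022-42889", issue_texts=SAMPLE_ISSUE_TEXTS):
    """Sha of the best-ranked commit for the sample data."""
    return rank_candidates(SAMPLE_COMMITS, cve_id, issue_texts, KEYWORDS)[0][0].sha


if __name__ == "__main__":
    for texts, label in ((SAMPLE_ISSUE_TEXTS, "with linked-PR text"), ({}, "without it")):
        print(f"--- ranking {label} ---")
        for commit, score, reasons in rank_candidates(SAMPLE_COMMITS, "CVE-2022-42889", texts, KEYWORDS):
            print(f"{commit.sha} score={score:2d} {commit.message!r} {reasons}")
```

Run with the linked-PR text present, the fix commit scores 9 (8 for the CVE id reached through #341, 1 for the "lookup" keyword); with an empty `issue_texts`, standing in for an API response that omits that part of the issue, the same commit drops to a score of 1 and is separated from the noise only by a keyword hit, which is the failure mode the comment above describes.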
