Dependency upgrade request: commons-text >= 1.10.0 to address CVE-2022-42889

[madar1992]

Summary

The CheckStyle-IDEA plugin bundles commons-text-1.3.0.jar, which is affected by
CVE-2022-42889 (Text4Shell).

Even with the latest plugin version installed, the vulnerable JAR is present

under:
~/.config/JetBrains/IntelliJIdea*/plugins/checkstyle-idea/checkstyle/lib/

(or on Windows: %APPDATA%\JetBrains\IntelliJIdea*\plugins\checkstyle-idea\checkstyle\lib\)

Impact

In enterprise environments, endpoint security scanners detect the presence of
commons-text-1.3.0.jar and mark developer machines as non-compliant, leading to:

• network isolation
• VPN / Teams access removal
• forced plugin uninstallation

This happens regardless of whether the library is actually used at runtime.

Request

Please consider upgrading the bundled Apache Commons Text dependency to
1.10.0 or later, as recommended by Apache, to address CVE-2022-42889.

This would allow teams to continue using CheckStyle-IDEA in regulated
environments without security exceptions.

References

• CVE-2022-42889 (Apache Commons Text)
• Apache recommendation: upgrade to 1.10.0+

[jshiell]

God save us from IT departments who just read a report and don't consider the usage context ...

I'll have a look when I get a moment, which may well be next week. But this is a Checkstyle, rather than a plugin, dependency, so it'll depend on which versions depend on it and if they're compatible with an updated version (since we can't change the Checkstyle binaries).

[jshiell]

I don't think we can fix this - it looks like even the latest version of Checkstyle (13.0.0) still depends on common-text 1.3 via the Doxia dependency.

It looks like this is already in progress in Checkstyle; however, this will not fix old versions; and given it's transitive I don't know if we'll be able to fix it by mapping at our end, given the Doxia upgrade required code changes in Checkstyle.