Bug
Resolution: Done-Errata
Major
---
When analyzing https://github.com/quarkusio/quarkus/issues/40780 I mentioned that the algorithm used for detection of `@SecureField` is also looking into types that are excluded from lookup in other places of the same algorithm. My thinking is that if someone has a field of one of the excluded types (e.g. a type from the `java.` package) inside a DTO, it is possible that a custom subclass could have a field annotated with `@SecureField`. Nevertheless, it is trying to detect an IMO very unlikely situation, and for now it's better to shorten the detection time. Users are advised by the Quarkus docs to test every secure field they annotate.
I'll try to provide better detection with a refactoring of this algorithm based on a new Jandex version in the future. That won't be backportable. This PR is.
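The situation the description refers to, as an added illustration that is not code from the Quarkus project or from the issue author: a DTO whose field is declared as `java.lang.Object` (one of the `java.` types the build-time scan skips) but whose runtime value is a custom class carrying `@SecureField`. Because the scan never reaches `AccountDetails`, the annotation is not detected and the field is serialized unless the user verifies it with a test, which is what the docs advise. The annotation package, the `admin` role, the `/accounts` path, the class names and the RestAssured test are assumptions.

```java
// Added illustration, not Quarkus project code. Assumed: Quarkus REST with Jackson,
// the annotation io.quarkus.resteasy.reactive.jackson.SecureField, a role named
// "admin", the path /accounts, and RestAssured inside a @QuarkusTest.

// ---- src/main/java/org/acme/AccountResource.java ----
package org.acme;

import io.quarkus.resteasy.reactive.jackson.SecureField;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;

// Runtime payload: a user-defined class that carries a @SecureField.
class AccountDetails {
    public String displayName = "alice";

    // Should only be serialized for callers in the "admin" role (assumed role name).
    @SecureField(rolesAllowed = "admin")
    public String taxId = "123-45-6789";
}

// DTO returned by the endpoint. The field is declared as java.lang.Object, a java.*
// type that the build-time @SecureField scan skips, so the scan never descends into
// AccountDetails and does not see the annotation above.
class AccountDto {
    public String id = "acc-1";
    public Object details = new AccountDetails();
}

@Path("/accounts")
public class AccountResource {
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public AccountDto get() {
        return new AccountDto();
    }
}

// ---- src/test/java/org/acme/AccountResourceTest.java ----
// The check the docs advise: assert that the secured field is absent for a caller
// without the role. If detection missed the annotation, this test fails and the
// leak is caught before the endpoint ships.
package org.acme;

import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.nullValue;

import io.quarkus.test.junit.QuarkusTest;
import org.junit.jupiter.api.Test;

@QuarkusTest
class AccountResourceTest {
    @Test
    void taxIdIsNotSerializedForAnonymousCaller() {
        given()
            .when().get("/accounts")
            .then()
                .statusCode(200)
                .body("details.displayName", org.hamcrest.Matchers.equalTo("alice"))
                .body("details.taxId", nullValue());
    }
}
```

The test is the practical safeguard the description points to: a field typed as an excluded `java.` type hides the annotated subclass from the static scan, so only a runtime check over the actual response proves the secured field is filtered.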
Links to: RHSA-2024:6437 Red Hat build of Quarkus 3.8.6 release and security update