marcel commented on pull request marcel/familienarchiv#610 2026-05-17 16:19:55 +02:00
security(import): harden DocumentBuilderFactory against XXE (#528)

🏛️ Markus Keller — Senior Application Architect

Verdict: ⚠️ Approved with concerns

The fix is architecturally sound. My concern is documentation: a new class has been added to the…

marcel commented on pull request marcel/familienarchiv#610 2026-05-17 16:19:38 +02:00
security(import): harden DocumentBuilderFactory against XXE (#528)

👨‍💻 Felix Brandt — Senior Fullstack Developer

Verdict: Approved

Clean, focused, and test-first. The change does one thing and does it well. My usual checklist found very little to…

marcel commented on pull request marcel/familienarchiv#610 2026-05-17 16:19:22 +02:00
security(import): harden DocumentBuilderFactory against XXE (#528)

🔒 Nora "NullX" Steiner — Application Security Engineer

Verdict: Approved

This is a textbook XXE remediation. The implementation follows the OWASP XML External Entity Prevention Cheat…

marcel pushed to feat/issue-528-xxe-hardening at marcel/familienarchiv 2026-05-17 16:18:27 +02:00
669eaa7c65 fix(ci): pin semgrep version, add pip cache, harden rule severity
marcel commented on pull request marcel/familienarchiv#610 2026-05-17 15:53:14 +02:00
security(import): harden DocumentBuilderFactory against XXE (#528)

🎨 Leonie Voss — UX Designer & Accessibility Strategist

Verdict: Approved

No frontend, UI, or accessibility changes in this PR. All 5 changed files are backend/infrastructure:

-…

marcel commented on pull request marcel/familienarchiv#610 2026-05-17 15:53:10 +02:00
security(import): harden DocumentBuilderFactory against XXE (#528)

🧪 Sara Holt — Senior QA Engineer

Verdict: Approved

Test structure

marcel commented on pull request marcel/familienarchiv#610 2026-05-17 15:53:00 +02:00
security(import): harden DocumentBuilderFactory against XXE (#528)

🔒 Nora "NullX" Steiner — Application Security Engineer

Verdict: Approved

XXE hardening correctness

All 6 OWASP-recommended controls are applied in `XxeSafeXmlParser.hardenedFacto…

marcel commented on pull request marcel/familienarchiv#610 2026-05-17 15:52:47 +02:00
security(import): harden DocumentBuilderFactory against XXE (#528)

📋 Elicit — Requirements Engineer

Verdict: Approved

Requirements traceability

Issue #528 requested XXE hardening for the DocumentBuilderFactory call in readOds(). The…

marcel commented on pull request marcel/familienarchiv#610 2026-05-17 15:52:36 +02:00
security(import): harden DocumentBuilderFactory against XXE (#528)

🔧 Tobias Wendt — DevOps & Platform Engineer

Verdict: ⚠️ Approved with concerns

What's done well

  • actions/checkout@v4 and actions/setup-python@v5 are pinned to current major…

marcel commented on pull request marcel/familienarchiv#610 2026-05-17 15:52:27 +02:00
security(import): harden DocumentBuilderFactory against XXE (#528)

👨‍💻 Felix Brandt — Senior Fullstack Developer

Verdict: Approved

TDD evidence

The PR description documents the red phase ("entity &xxe; resolved silently — no exception")…

marcel commented on pull request marcel/familienarchiv#610 2026-05-17 15:52:17 +02:00
security(import): harden DocumentBuilderFactory against XXE (#528)

🏗️ Markus Keller — Senior Application Architect

Verdict: Approved

What I checked against the doc-update matrix

No new Flyway migration, no new backend package/domain module, no…

marcel created pull request marcel/familienarchiv#610 2026-05-17 14:51:01 +02:00
security(import): harden DocumentBuilderFactory against XXE (#528)
marcel commented on issue marcel/familienarchiv#528 2026-05-17 14:50:53 +02:00
security(import): harden DocumentBuilderFactory against XXE in MassImportService

Implementation complete — Felix Brandt

What was implemented

All acceptance criteria are met. Two commits on feat/issue-528-xxe-hardening:

**Commit 1 — `security(import): harden…

marcel pushed to feat/issue-528-xxe-hardening at marcel/familienarchiv 2026-05-17 14:50:36 +02:00
f15ea031d1 ci(security): add Semgrep XXE rule and CI scan job
25a39fca9c security(import): harden DocumentBuilderFactory against XXE in MassImportService
marcel created branch feat/issue-528-xxe-hardening in marcel/familienarchiv 2026-05-17 14:50:36 +02:00
marcel deleted branch feat/issue-457-spring-boot-security-bump from marcel/familienarchiv 2026-05-17 14:37:47 +02:00
marcel pushed to main at marcel/familienarchiv 2026-05-17 14:37:46 +02:00
e398133907 security(deps): bump Spring Boot 4.0.0 → 4.0.6 and OWASP sanitizer 20240325.1 → 20260101.1
186535f8c9 test(security): add ActuatorSecurityTest to guard auth boundaries
marcel closed issue marcel/familienarchiv#457 2026-05-17 14:37:45 +02:00
security(deps): bump Spring Boot to 4.0.6 to clear 2 CRIT + 17 HIGH CVEs
marcel merged pull request marcel/familienarchiv#609 2026-05-17 14:37:44 +02:00
security(deps): bump Spring Boot 4.0.0 → 4.0.6 and OWASP sanitizer to clear 2 CRIT + 17 HIGH CVEs
marcel commented on pull request marcel/familienarchiv#609 2026-05-17 14:27:46 +02:00
security(deps): bump Spring Boot 4.0.0 → 4.0.6 and OWASP sanitizer to clear 2 CRIT + 17 HIGH CVEs

Trivy scan result — trivy fs --scanners vuln --severity HIGH,CRITICAL backend/pom.xml

Trivy 0.70.0, DB updated 2026-05-17.

pom.xml (pom)
=============
Total: 5 (HIGH: 5, CRITICAL:…