The RXOP deliverable contains two servlet packages intended for use on the deprecated SDK/J platform: rxconfServlet and rxspServlet. At least one of these has a dependency on the BouncyCastle Provider library bcprov-jdk14-152.jar.
Sometimes an automated scan or manual inspection of this library will reveal that, as of RXOP v3.8.9, there are a number of known security issues with this dependency.
There are no plans to update this dependency because SDK/J development is fully deprecated and no longer supported. See: "What does the SDK/J 'end of support' mean for the future of my SDK/J xlet or servlet?" (Ricoh Developer Program, RiDP).
Please note that the BouncyCastle Provider dependency is used only by the single helper rxspServlet (which runs on the SDK/J device) when getting and setting SP values on legacy SDK/J (CVM based) devices via RXSP, and only for managing encrypted ACL data. That is, no other RXOP API your application may invoke declares a dependency on this library, directly or transitively.
In short, no RXOP application that uses supported APIs to manage supported devices should ever require access to this library. There are two possible action items for those using RXOP during this deprecation phase:
- Do nothing. Either your RXOP application is intended to manage SOP devices only, or you do not use the RXSP API against legacy devices. Package your app appropriately, making sure to not distribute the unused rxspServlet package with your application.
- Since support for SDK/J devices has ended, if you need to support CVM based devices in this interim period, and you need to use the RXSP API to do so, you will have to accept using this older dependency on legacy devices. There are no plans to update the dependency and recertify SDK/J functionality.
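A pre-release check for the first option, as an added example that is not part of RXOP or Ricoh's tooling: it walks a staging directory, opens ZIP-format archives (including nested ones), and reports any path that names rxspServlet or bcprov-jdk14-152.jar. The staging directory, the depth and size limits, and matching on the substring "rxspServlet" are assumptions, since the page does not give the servlet package's file name.

```python
import io
import sys
import zipfile
from pathlib import Path

# Names from the page, matched as case-insensitive substrings (assumption).
FLAGGED = ("rxspservlet", "bcprov-jdk14-152.jar")
MAX_DEPTH = 5                  # bound recursion into nested archives
MAX_BYTES = 64 * 1024 * 1024   # skip oversized members instead of loading them


def _scan_archive(data, label, depth, hits):
    """Record flagged entry names in a ZIP-format archive, recursing into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable ZIP container; nothing to inspect
    with zf:
        for info in zf.infolist():
            inner = f"{label}!/{info.filename}"
            if any(name in info.filename.lower() for name in FLAGGED):
                hits.append(inner)
            if not info.is_dir() and depth < MAX_DEPTH and info.file_size <= MAX_BYTES:
                payload = zf.read(info)
                if payload[:4] == b"PK\x03\x04":  # ZIP local file header magic
                    _scan_archive(payload, inner, depth + 1, hits)


def find_legacy_artifacts(staging_dir):
    """Return sorted paths under staging_dir that name the legacy servlet or its library."""
    hits = []
    root = Path(staging_dir)
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if any(name in rel.lower() for name in FLAGGED):
            hits.append(rel)
        if path.is_file():
            with path.open("rb") as fh:
                is_zip = fh.read(4) == b"PK\x03\x04"
            if is_zip:
                _scan_archive(path.read_bytes(), rel, 1, hits)
    return sorted(hits)


if __name__ == "__main__":
    found = find_legacy_artifacts(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hit in found:
        print("legacy artifact:", hit)
    sys.exit(1 if found else 0)
```

Run against the directory you are about to ship; a non-zero exit status means the legacy servlet or its library is still in the package.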
Future releases of RXOP will mark SDK/J-specific APIs as deprecated. This means that the servlet functionality and API will continue to work for now, but are no longer supported by RiDP. At some point in the future this API will be removed and the support servlets dropped from the RXOP package.