MIGRATIONS-1296 - Fix mend security issues #293
Signed-off-by: Omar Khasawneh <[email protected]>
Codecov Report

@@           Coverage Diff            @@
##             main      #293    +/-  ##
=========================================
  Coverage     62.14%    62.14%
  Complexity   619       619
=========================================
  Files        82        82
  Lines        3141      3141
  Branches     292       292
=========================================
  Hits         1952      1952
  Misses       1013      1013
  Partials     176       176

Flags with carried forward coverage won't be shown.
This also fixes 2 of 3 vulnerabilities from this issue: #205. The one left (jtidy) is still not fixed (at least still shows up as a CVE) in the latest version, as mentioned here: jtidy/jtidy#63
Also fixes 3 out of 4 vulns from issue #126
testImplementation project(':testUtilities') | ||
testImplementation group: 'org.apache.httpcomponents.client5', name: 'httpclient5', version: '5.2.1' | ||
testImplementation 'org.mockito:mockito-core:4.6.1' | ||
testImplementation 'org.mockito:mockito-junit-jupiter:4.6.1' | ||
} | ||
|
||
configurations.all { | ||
resolutionStrategy.eachDependency { DependencyResolveDetails details -> | ||
if (details.requested.group == 'org.apache.commons' && details.requested.name == 'commons-text') { |
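Review bot: the condition on the last visible line matches commons-text by group and name only, so whatever override follows it is applied regardless of which version was requested; as the thread below points out, the guard needs a real version comparison (numeric per segment, so that 1.10.0 sorts after 1.9.0), not a String comparison, otherwise a newer transitive version can be silently downgraded. It would also help to add a short comment next to the override naming the security issue that motivated the pin, so that a future maintainer knows when it is safe to remove.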
From my and Omar's conversation earlier: I have a slight concern here about maintaining this in the future, say for instance the dependency which has this transitive dependency gets updated and in turn updates this transitive dependency to a later version than we have listed here (1.10.0). I don't want to actually prevent a later version from being used. If it's a small fix we should add a conditional check here that the dependency is less than the version we want to insert, or otherwise don't override the version. If not a small fix let's raise an issue around this.
Thanks Tanner, that's a very valid concern and I agree that it wouldn't be dev friendly to have to maintain that.
Fortunately, I just pushed a change where I'm specifying a minimum version and check if the dependency wants to pull a higher version of the transitive dependency. If that's the case, then the higher version would be used. In case the dependency was requesting a version lower than the one we're "targeting", then the targeted version would be used.
I was playing around with this a little bit and it seems like it is just doing string comparison and not actual version comparison. For instance if I set the target version to 1.9.0 and the incoming requested is 1.10.0, it will try to set the incoming requested to 1.9.0. Lmk if you see different results with this use case.
Oh interesting.
What I tested before pushing that was with the apache.bcel dependency. I know that the requested version is 6.5. If I set the target to 6.4 then the 6.5 one is pulled.
I'll look into that and see if there's a different method of comparison for this.
I'm thinking of doing something with string parsing and compare the versions manually, I think it can be helpful in case we have more situations with transitive dependency versions in the future. What do you think?
Please let me know what you think of the proposed method I just pushed.
Yeah, I think this is more in line with what we need to do. I would change the function you created to return a boolean and call it something like isRequestedVersionOlder.
Few additional comments to capture in another JIRA:
- You can make your new function static.
- Your logic for the function seems to be reversed from what I think of from the method name; I would expect that if the requested part is less than the target part, it is an older version. Maybe this name was a bit misleading too; a bit wordy, but we could add some clarity with wasRequestedVersionReleasedBeforeTargetVersion.
- With the previous change, can you make your if statement simpler, without the boolean check: if (isRequestedVersionOlder(details.requested.version, targetVersion))
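The numeric per-segment comparison the thread settles on, written out as an added example (this is not the PR's own build script). It assumes the names from the discussion (isRequestedVersionOlder, targetVersion) and the commons-text minimum of 1.10.0 mentioned above; treating a non-numeric segment such as "rc1" as 0 is this example's simplification, not something the thread specifies.

```groovy
// Added example: pin a transitive dependency to a minimum version without
// ever downgrading a newer one. Plain String comparison gets this wrong
// ("1.10.0" < "1.9.0" lexically); comparing each segment as an integer does not.

// Returns true when `requested` sorts before `target` by numeric segments.
// Non-numeric segments (e.g. "rc1") are treated as 0 (assumption of this example).
static boolean isRequestedVersionOlder(String requested, String target) {
    def req = (requested ?: '').tokenize('.-')
    def tgt = (target ?: '').tokenize('.-')
    int n = Math.max(req.size(), tgt.size())
    for (int i = 0; i < n; i++) {
        int r = i < req.size() && req[i].isInteger() ? req[i].toInteger() : 0
        int t = i < tgt.size() && tgt[i].isInteger() ? tgt[i].toInteger() : 0
        if (r != t) {
            return r < t
        }
    }
    return false   // equal versions are not older
}

configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        // Minimum commons-text version from the review thread (hypothetical pin).
        def targetVersion = '1.10.0'
        if (details.requested.group == 'org.apache.commons'
                && details.requested.name == 'commons-text'
                && isRequestedVersionOlder(details.requested.version, targetVersion)) {
            // Only older requests are raised; a newer transitive version is kept,
            // which addresses the maintenance concern raised above.
            details.useVersion targetVersion
            details.because "commons-text below ${targetVersion} flagged by the Mend scan"
        }
    }
}
```

With this guard, a request for 1.9.0 is raised to 1.10.0 while a request for 1.11.0 resolves unchanged; `details.because` records the reason in dependency-insight output so the pin can be revisited once the upstream dependency moves on.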
recommendation Signed-off-by: Omar Khasawneh <[email protected]>
…the right version of the dependency Signed-off-by: Omar Khasawneh <[email protected]>
…s into mend-fixes
Description
This PR attempts to fix some of the currently existing mend security issues in the repo.
These are the issues it attempts to fix at the moment (more will follow soon):
- #251
- #247
- #246
- #226
- #227
Issues Resolved
Migrations-1296
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.