fix(dependencies): update resteasy to remove CVE #1123
base: master
b212b25 to 71dd97c
An old version of resteasy is resolved transitively through org.pacesys:openstack4j in front50-swift. Updating this removes CVE-2020-1695.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1695

At Armory, we have been running this config for over a year, so this is a pretty safe change. We are just moving our own overrides to open source to fix CVEs for everyone.

```
|    |    |    \--- org.pacesys:openstack4j:3.2.0
|    |    |         +--- org.pacesys.openstack4j.connectors:openstack4j-resteasy:3.2.0
|    |    |         |    +--- org.jboss.resteasy:resteasy-client:3.1.4.Final
|    |    |         |    |    +--- org.jboss.resteasy:resteasy-jaxrs:3.1.4.Final -> 3.12.1.Final
```
71dd97c to 732a2dc
@claymccoy I think we can easily constrain any transitive dependency upgrade using a constraint {} clause.
As per NVD, all resteasy 3.x.x versions prior to 3.12.0.Final have this vulnerability, and based on dependency insight it seems 3 libraries are being used by front50-swift. I think we may need to constrain all 3.
```
> Task :front50-swift:dependencyInsight
org.jboss.resteasy:resteasy-client:3.1.4.Final
   variant "compile" [
      org.gradle.status              = release (not requested)
      org.gradle.usage               = java-api
      org.gradle.libraryelements     = jar (compatible with: classes+resources)
      org.gradle.category            = library

      Requested attributes not found in the selected variant:
         org.gradle.dependency.bundling = external
         org.gradle.jvm.version         = 11
   ]

org.jboss.resteasy:resteasy-client:3.1.4.Final
\--- org.pacesys.openstack4j.connectors:openstack4j-resteasy:3.2.0
     \--- org.pacesys:openstack4j:3.2.0
          \--- compileClasspath

org.jboss.resteasy:resteasy-jaxrs:3.1.4.Final
   variant "compile" [
      org.gradle.status              = release (not requested)
      org.gradle.usage               = java-api
      org.gradle.libraryelements     = jar (compatible with: classes+resources)
      org.gradle.category            = library

      Requested attributes not found in the selected variant:
         org.gradle.dependency.bundling = external
         org.gradle.jvm.version         = 11
   ]

org.jboss.resteasy:resteasy-jaxrs:3.1.4.Final
\--- org.jboss.resteasy:resteasy-client:3.1.4.Final
     \--- org.pacesys.openstack4j.connectors:openstack4j-resteasy:3.2.0
          \--- org.pacesys:openstack4j:3.2.0
               \--- compileClasspath

org.jboss.resteasy:resteasy-jaxrs-services:3.1.4.Final
   variant "compile" [
      org.gradle.status              = release (not requested)
      org.gradle.usage               = java-api
      org.gradle.libraryelements     = jar (compatible with: classes+resources)
      org.gradle.category            = library

      Requested attributes not found in the selected variant:
         org.gradle.dependency.bundling = external
         org.gradle.jvm.version         = 11
   ]

org.jboss.resteasy:resteasy-jaxrs-services:3.1.4.Final
+--- org.jboss.resteasy:resteasy-client:3.1.4.Final
|    \--- org.pacesys.openstack4j.connectors:openstack4j-resteasy:3.2.0
|         \--- org.pacesys:openstack4j:3.2.0
|              \--- compileClasspath
\--- org.jboss.resteasy:resteasy-jaxrs:3.1.4.Final
     \--- org.jboss.resteasy:resteasy-client:3.1.4.Final (*)
```
Okay, I can move it to a constraint block instead, but that gets trickier with some things now that kork is brought in through enforcedPlatform.
@claymccoy I was referring to org.jboss.resteasy:resteasy-jaxrs-services, org.jboss.resteasy:resteasy-jaxrs, org.jboss.resteasy:resteasy-client. Later, I realized constraining only org.jboss.resteasy:resteasy-client should work, as the other 2 are transitive dependencies of resteasy-client.
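The reviewer's approach written out as an added example (not code from this PR or from front50): a `constraints` entry on resteasy-client only, plus a guard task that fails the build if any RESTEasy module on the compile classpath still resolves below the fixed release. The task name `checkResteasyVersion` and the `olderThan` helper are assumptions for illustration.

```groovy
// Added example for front50-swift's build.gradle; not the PR's own change.
dependencies {
    implementation 'org.pacesys:openstack4j:3.2.0'

    constraints {
        // A constraint raises the transitively resolved version without
        // making front50-swift a direct consumer of resteasy-client.
        // Only resteasy-client needs it: resteasy-jaxrs and
        // resteasy-jaxrs-services are pulled in by resteasy-client
        // (see the dependencyInsight output), so they move with it.
        implementation('org.jboss.resteasy:resteasy-client:3.12.1.Final') {
            because 'CVE-2020-1695: RESTEasy 3.x before 3.12.0.Final is affected'
        }
    }
}

// True when `version` sorts below `floor` on its numeric segments,
// e.g. olderThan('3.1.4.Final', [3, 12, 0]) is true; '.Final' is ignored.
boolean olderThan(String version, List<Integer> floor) {
    def parts = version.tokenize('.').findAll { it.isInteger() }*.toInteger()
    for (int i = 0; i < floor.size(); i++) {
        int p = i < parts.size() ? parts[i] : 0
        if (p != floor[i]) return p < floor[i]
    }
    return false
}

// Guard (hypothetical task name): fail the build if any org.jboss.resteasy
// module on compileClasspath is still below 3.12.0.Final, so a later
// openstack4j bump cannot silently bring the vulnerable release back.
tasks.register('checkResteasyVersion') {
    doLast {
        def tooOld = configurations.compileClasspath.incoming.resolutionResult.allComponents
            .collect { it.moduleVersion }
            .findAll { it != null && it.group == 'org.jboss.resteasy' && olderThan(it.version, [3, 12, 0]) }
            .collect { it.toString() }
        if (!tooOld.isEmpty()) {
            throw new GradleException("RESTEasy below 3.12.0.Final on compileClasspath: ${tooOld}")
        }
    }
}
tasks.named('check') { dependsOn 'checkResteasyVersion' }
```

Running `./gradlew :front50-swift:dependencyInsight --dependency org.jboss.resteasy --configuration compileClasspath` after the change should show all three modules resolving to 3.12.1.Final with the constraint listed as the reason.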
@Mergifyio update
✅ Branch has been successfully updated
@@ -28,6 +28,7 @@ dependencies { | |||
implementation "io.spinnaker.kork:kork-core" | |||
implementation "org.springframework:spring-web" | |||
implementation 'org.pacesys:openstack4j:3.2.0' | |||
implementation 'org.jboss.resteasy:resteasy-jaxrs:3.12.1.Final' |
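Review bot: the line added at the end of this hunk forces only `org.jboss.resteasy:resteasy-jaxrs` to 3.12.1.Final; according to the dependencyInsight output in the discussion, `resteasy-client` (requested at 3.1.4.Final by `openstack4j-resteasy:3.2.0`) and `resteasy-jaxrs-services` are not affected by it, so front50-swift would resolve RESTEasy modules at mixed versions. Raising `resteasy-client` instead, either as the reviewer's suggested `implementation 'org.jboss.resteasy:resteasy-client:3.12.1.Final'` or as a `constraints { implementation 'org.jboss.resteasy:resteasy-client:3.12.1.Final' }` entry, carries `resteasy-jaxrs` and `resteasy-jaxrs-services` with it without adding a direct dependency the module does not use. Please also paste the post-change `dependencyInsight --dependency org.jboss.resteasy` output into the description so the alignment of all three modules is visible.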
Suggested change:

```diff
-    implementation 'org.jboss.resteasy:resteasy-jaxrs:3.12.1.Final'
+    implementation 'org.jboss.resteasy:resteasy-client:3.12.1.Final'
```