Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Plugins use dependencies that trigger CVEs #2166

Open
6 tasks done
binkley opened this issue Jun 11, 2024 · 2 comments
Open
6 tasks done

Plugins use dependencies that trigger CVEs #2166

binkley opened this issue Jun 11, 2024 · 2 comments
Labels
bug

Comments

@binkley
Copy link

binkley commented Jun 11, 2024
edited
Loading

If you are submitting a bug, please include the following:

  • summary of problem
  • Gradle or Maven version
  • spotless version
  • operating system and version
  • copy-paste your full Spotless configuration block(s), and a link to a public git repo that reproduces the problem if possible
  • copy-paste the full content of any console errors emitted by gradlew spotless[Apply/Check] --stacktrace

If you're just submitting a feature request or question, no need for the above.

Summary

An accidental discovery: making Spotless a dependency instead of a plugin (yes, it was a mistake) turned up multiple CVEs from DependencyCheck. This tells me 2 things:

  • DependencyCheck is not checking plugins
  • Spotless has outdated dependencies for the plugins

Obviously, this is a user goof, however, it tells me that Spotless may need to refresh/update dependencies for the plugins.
On the other hand, some of these may be build-only dependencies for the plugin? Either way, there are some outdated dependencies in the plugin.

CVEs with 2.43.0:

My issue post focuses on the Maven plugin. I haven't tried doing the same with the Gradle plugin.

Maven version

3.9.6

Spotless version

2.43.0

OS version

Not relevant, however "Linux Hobbiton 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux" running Ubuntu under WSL2 on Windows 11.

Spotless configuration block

No configuration block provided.

Console output

I wanted to paste the full ./mvnw -X verify output, however two problems:

  • Lots of useless stuff non-specific to the problem at hand
  • Posting the full output gave GitHub a heartburn, and it complained that this issue exceeded the character limit
@nedtwigg nedtwigg added the bug label Jun 12, 2024
@nedtwigg
Copy link
Member

Regarding each in turn

  • org.eclipse.jgit-6.7.0.202309050840-r.jar we've got to make some changes to adapt to a new API after this (Update dependency org.eclipse.jgit:org.eclipse.jgit to v6.10.0.202406032230-r #1949), a new JGit (6.10) is supposed to come out any day now, so that'll be a good time
  • org.eclipse.osgi-3.18.300.jar: this should be trivial to bump
  • plexus-resources-1.2.0.jar I had been holding this back with the idea of preserving compat, but sure we can bump to 1.3.0

@binkley
Copy link
Author

binkley commented Jun 19, 2024

@nedtwigg Sounds like y'all are on top of this already.
Again, thanks for considering an Issue that is the result of clear user error. 😄

@nedtwigg nedtwigg mentioned this issue Oct 24, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@binkley @nedtwigg