Upgrade Gradle to 7.6.3.
Description
Distribution with openjdk 11 and Vert.x 3.9.16.
Motivation and Context
Fix multiple vulnerabilities:
com.github.tomakehurst:wiremock-jre8:2.30.1 introduces org.eclipse.jetty.http2:http2-common:9.4.43.v20210629 which has 1 vulnerabilities
=> [CVE-2023-44487] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') (see https://ossindex.sonatype.org/vuln/CVE-2023-44487)
io.vertx:vertx-config:3.9.8 introduces com.fasterxml.jackson.core:jackson-databind:2.12.4 which has 4 vulnerabilities
=> [CVE-2020-36518] CWE-787: Out-of-bounds Write (see https://ossindex.sonatype.org/vuln/CVE-2020-36518)
=> [CVE-2022-42003] CWE-502: Deserialization of Untrusted Data (see https://ossindex.sonatype.org/vuln/CVE-2022-42003)
=> [CVE-2022-42004] CWE-502: Deserialization of Untrusted Data (see https://ossindex.sonatype.org/vuln/CVE-2022-42004)
=> [CVE-2021-46877] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') (see https://ossindex.sonatype.org/vuln/CVE-2021-46877)
com.github.tomakehurst:wiremock-jre8:2.30.1 introduces org.eclipse.jetty:jetty-http:9.4.43.v20210629 which has 3 vulnerabilities
=> [CVE-2022-2047] CWE-20: Improper Input Validation (see https://ossindex.sonatype.org/vuln/CVE-2022-2047)
=> [CVE-2023-26048] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') (see https://ossindex.sonatype.org/vuln/CVE-2023-26048)
=> [CVE-2023-40167] CWE-130: Improper Handling of Length Parameter Inconsistency (see https://ossindex.sonatype.org/vuln/CVE-2023-40167)
com.github.tomakehurst:wiremock-jre8:2.30.1 introduces org.eclipse.jetty:jetty-servlets:9.4.43.v20210629 which has 1 vulnerabilities
=> [CVE-2023-36479] CWE-149: Improper Neutralization of Quoting Syntax (see https://ossindex.sonatype.org/vuln/CVE-2023-36479)
io.vertx:vertx-config:3.9.8 introduces io.vertx:vertx-core:3.9.8 which has 1 vulnerabilities
=> [CVE-2023-4586] CWE-20: Improper Input Validation (see https://ossindex.sonatype.org/vuln/CVE-2023-4586)
com.github.tomakehurst:wiremock-jre8:2.30.1 introduces org.eclipse.jetty:jetty-client:9.4.43.v20210629 which has 1 vulnerabilities
=> [CVE-2022-2047] CWE-20: Improper Input Validation (see https://ossindex.sonatype.org/vuln/CVE-2022-2047)
com.github.tomakehurst:wiremock-jre8:2.30.1 introduces net.minidev:json-smart:2.4.7 which has 1 vulnerabilities
=> [CVE-2023-1370] CWE-674: Uncontrolled Recursion (see https://ossindex.sonatype.org/vuln/CVE-2023-1370)
com.github.tomakehurst:wiremock-jre8:2.30.1 introduces org.eclipse.jetty:jetty-server:9.4.43.v20210629 which has 3 vulnerabilities
=> [CVE-2022-2047] CWE-20: Improper Input Validation (see https://ossindex.sonatype.org/vuln/CVE-2022-2047)
=> [CVE-2023-26048] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') (see https://ossindex.sonatype.org/vuln/CVE-2023-26048)
=> [CVE-2023-26049] CWE-200: Information Exposure (see https://ossindex.sonatype.org/vuln/CVE-2023-26049)
com.github.tomakehurst:wiremock-jre8:2.30.1 introduces com.jayway.jsonpath:json-path:2.6.0 which has 1 vulnerabilities
=> [CVE-2023-51074] CWE-Other (see https://ossindex.sonatype.org/vuln/CVE-2023-51074)
org.jsoup:jsoup:1.14.2 introduces org.jsoup:jsoup:1.14.2 which has 1 vulnerabilities
=> [CVE-2022-36033] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (see https://ossindex.sonatype.org/vuln/CVE-2022-36033)
com.github.tomakehurst:wiremock-jre8:2.30.1 introduces org.eclipse.jetty:jetty-proxy:9.4.43.v20210629 which has 1 vulnerabilities
=> [CVE-2022-2047] CWE-20: Improper Input Validation (see https://ossindex.sonatype.org/vuln/CVE-2022-2047)
io.knotx:knotx-launcher:2.3.2-SNAPSHOT introduces com.google.guava:guava:30.1.1-jre which has 2 vulnerabilities
=> [CVE-2023-2976] CWE-552: Files or Directories Accessible to External Parties (see https://ossindex.sonatype.org/vuln/CVE-2023-2976)
=> [CVE-2020-8908] CWE-379: Creation of Temporary File in Directory with Incorrect Permissions (see https://ossindex.sonatype.org/vuln/CVE-2020-8908)
com.github.tomakehurst:wiremock-jre8:2.30.1 introduces commons-fileupload:commons-fileupload:1.4 which has 1 vulnerabilities
=> [CVE-2023-24998] CWE-770: Allocation of Resources Without Limits or Throttling (see https://ossindex.sonatype.org/vuln/CVE-2023-24998)
io.knotx:knotx-launcher:2.3.2-SNAPSHOT introduces ch.qos.logback:logback-classic:1.2.3 which has 2 vulnerabilities
=> [CVE-2023-6378] CWE-502: Deserialization of Untrusted Data (see https://ossindex.sonatype.org/vuln/CVE-2023-6378)
=> [CVE-2021-42550] CWE-502: Deserialization of Untrusted Data (see https://ossindex.sonatype.org/vuln/CVE-2021-42550)
com.github.tomakehurst:wiremock-jre8:2.30.1 introduces org.eclipse.jetty:jetty-util:9.4.43.v20210629 which has 1 vulnerabilities
=> [CVE-2023-26048] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') (see https://ossindex.sonatype.org/vuln/CVE-2023-26048)
com.github.tomakehurst:wiremock-jre8:2.30.1 introduces org.eclipse.jetty.http2:http2-server:9.4.43.v20210629 which has 1 vulnerabilities
=> [CVE-2022-2048] CWE-Other (see https://ossindex.sonatype.org/vuln/CVE-2022-2048)
io.knotx:knotx-launcher:2.3.2-SNAPSHOT introduces ch.qos.logback:logback-core:1.2.3 which has 2 vulnerabilities
=> [CVE-2023-6378] CWE-502: Deserialization of Untrusted Data (see https://ossindex.sonatype.org/vuln/CVE-2023-6378)
=> [CVE-2021-42550] CWE-502: Deserialization of Untrusted Data (see https://ossindex.sonatype.org/vuln/CVE-2021-42550)
Screenshots (if appropriate)
Upgrade notes (if appropriate)
Types of changes
Checklist:
I hereby agree to the terms of the Knot.x Contributor License Agreement.