Pin bcel version to 6.6.1 #270
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Filip Drobnjakovic <[email protected]>
kaushalmahi12
approved these changes
Jan 19, 2023
|
Please do ensure that this dependency is also not coming from any other direct dependency. If that is the case the solution might not work |
|
That is easy to confirm by generating gradle dependency tree ('./gradlew dependencies). Also I believe this solution covers both plugin's and any other configuration's transitive dependencies so it works in general case (it's an overkill when not dealing with plugins and then we use other constructs like 'force'). This is also confirmed by looking at checks (Mend check confirmes that vulnerability has been dealt with). |
kiranprakash154
approved these changes
Jan 19, 2023
Tjofil
added a commit
to Tjofil/performance-analyzer-rca
that referenced
this pull request
Jan 24, 2023
Signed-off-by: Filip Drobnjakovic <[email protected]> Signed-off-by: Filip Drobnjakovic <[email protected]>
khushbr
pushed a commit
that referenced
this pull request
Jan 26, 2023
Signed-off-by: Filip Drobnjakovic <[email protected]>
This was referenced Feb 13, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Filip Drobnjakovic [email protected]
Is your feature request related to a problem? Please provide an existing Issue # , or describe.
#264
Describe the solution you are proposing
According to spotbugs/spotbugs#2251 this bcel vulnerability doesn't affect SpotBugs. As there's no tentative date for a new SpotBugs release that would include the version bump from their side and as confirmed by some users from the mentioned issue, pinning the dependency by ourselves gets rid of the warning and doesn't break SpotBugs. As bcel is transitive dependency of a plugin, it has to be done with iterative dependency substitution.
Describe alternatives you've considered
Alternative would be to completely ignore warning as there's no real threat from it and wait for new SpotBugs version or to find and integrate SpotBugs alternatives which would be more complicated and wouldn't bring much benefit.
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.