kie-issues#1203: Overriding apache mime4j dependency version (apach…

…e#2321)
jomarko · May 17, 2024 · e7c0127 · e7c0127
1 parent 951478c
commit e7c0127
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/packages/jbpm-quarkus-devui/jbpm-quarkus-devui-deployment/pom.xml b/packages/jbpm-quarkus-devui/jbpm-quarkus-devui-deployment/pom.xml
@@ -36,6 +36,7 @@
   <properties>
     <java.module.name>org.jbpm.quarkus.dev.ui.deployment</java.module.name>
     <path.to.webapp.app>../node_modules/@kie-tools/runtime-tools-process-dev-ui-webapp</path.to.webapp.app>
+    <version.apache.mime4j>0.8.11</version.apache.mime4j>
   </properties>
 
   <dependencies>
@@ -72,6 +73,14 @@
       <groupId>org.kie.kogito</groupId>
       <artifactId>kogito-quarkus-extension-spi</artifactId>
     </dependency>
+    <!-- Transitively imported by io.quarkus:quarkus-resteasy-multipart-deployment
+         Overriding it to fix CVE-2024-21742
+         Can be removed once the parent dependency updates it to a 0.8.11+ version -->
+    <dependency>
+      <groupId>org.apache.james</groupId>
+      <artifactId>apache-mime4j-core</artifactId>
+      <version>${version.apache.mime4j}</version>
+    </dependency>
 
     <!-- Undertow is needed so that the static resource serving can correctly locate CP resources from `META-INF/resources` of the application, as it would be normally expected.
          See https://issues.redhat.com/browse/KOGITO-3477 -->

diff --git a/packages/sonataflow-quarkus-devui/sonataflow-quarkus-devui-deployment/pom.xml b/packages/sonataflow-quarkus-devui/sonataflow-quarkus-devui-deployment/pom.xml
@@ -36,6 +36,7 @@
 
   <properties>
       <path.to.webapp.app>../node_modules/@kie-tools/serverless-workflow-dev-ui-webapp</path.to.webapp.app>
+      <version.apache.mime4j>0.8.11</version.apache.mime4j>
   </properties>
 
   <dependencies>
@@ -68,6 +69,14 @@
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-resteasy-multipart-deployment</artifactId>
     </dependency>
+    <!-- Transitively imported by io.quarkus:quarkus-resteasy-multipart-deployment
+         Overriding it to fix CVE-2024-21742
+         Can be removed once the parent dependency updates it to a 0.8.11+ version -->
+    <dependency>
+      <groupId>org.apache.james</groupId>
+      <artifactId>apache-mime4j-core</artifactId>
+      <version>${version.apache.mime4j}</version>
+    </dependency>
 
     <!-- Undertow is needed so that the static resource serving can correctly locate CP resources from `META-INF/resources` of the application, as it would be normally expected.
          See https://issues.redhat.com/browse/KOGITO-3477 -->
@@ -109,7 +118,7 @@
             <path>
               <groupId>io.quarkus</groupId>
               <artifactId>quarkus-extension-processor</artifactId>
-              <version>${quarkus.platform.version}</version> 
+              <version>${quarkus.platform.version}</version>
             </path>
           </annotationProcessorPaths>
         </configuration>