-
-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
graal-sdk 22.0.0.2 has 6 vulnerabilities #2148
Comments
duplicate of #2009 - please comment there |
@ptrthomas Hey, I don't think this was a duplicate. |
@lukasz-gosiewski if you read the complete thread, my understanding is that 22.1 requires us to move to Java 11. which is planned in this ticket - #2083 you are welcome to contribute a PR to speed up the process |
Sure thing, it's not like I wanted to put any pressure there. I just wanted to note that solving the linked issue will not solve this one, which is not obvious to anyone coming from outside. |
@lukasz-gosiewski no worries, thanks for calling this out and I guess more people would be interested in this - so the details are clear now since this sounds more serious than I thought, we will consider creating a |
@ptrthomas Sounds perfect, as Snyk is reporting those vulns pretty aggressively. I've tired bumping graalvim manually but it won't work with karate-junit5 due to the compatibility issues (most probably the same that requires you to bump to java 11) |
@lukasz-gosiewski the changes are minimal and I've just made them. I don't know if building from source is sufficient for you to validate that it clears all vuln-checks, but let me know. either way, it looks like we can make a 1.4.0 release pretty quickly reopening this ticket for visibility |
@lukasz-gosiewski one more thing, I was able to force-upgrade graal on one of my side-projects (and using junit5) so here's the pom for reference: https://github.com/ptrthomas/karate-oas-demo/blob/ac08c940888c9eca652eed3725320eff0352ad21/pom.xml#L20-L31 |
@ptrthomas I can't validate a thing built from source against our Snyk setup, but I have validated your way of enforcing graalvm dependencies and it works perfectly fine. Clears all the issues from Snyk and a dependency tree looks fine. Do you need me to validate anything more? |
@lukasz-gosiewski great. and I was able to make a release to maven central. it has been a few minutes, so should be ready now. decided to take this opportunity to test the whole release github action, docker and all. version is 1.4.0.RC1 - do let me know how it goes ! |
My system runs with Karate 1.3.0, Java 11 and Graal 22.1.0.1 (and Quarkus 2.11.3.Final) However, I just tested with Karate 1.4.0.RC1, Java 11 and Graal 22.2.0.1 (and Quarkus 2.14.0.Final) and it appears to work. I will continue to test with this combination. It is now Quarkus that is behind as I cannot upgrade to Graal 22.3.0 yet, but downgrading Graal doesn't appear to be an issue. This is a great step forwards and also reduces the number of vulnerabilities I have to analyze. The remaining ones brought in by Karate appear to be related to
Thanks for releasing 1.4.0.RC1 |
@ptrthomas I just migrated to |
thanks @edwardsph and @lukasz-gosiewski for the feedback ! |
1.4.0 released |
The develop branch comes with graal-sdk 22.0.0.2:
Snyk reports 6 vulnerabilities for graal-sdk 22.0.0.2:
https://security.snyk.io/package/maven/org.graalvm.sdk:graal-sdk/22.0.0.2
Please upgrade to a fixed version of Graal.
The text was updated successfully, but these errors were encountered: