
Updates XStream due to published CVE #13739

Merged
merged 1 commit into from
Dec 7, 2020

Conversation

wjglerum
Contributor

@wjglerum wjglerum commented Dec 7, 2020

See GHSA-mw36-7c6c-q4q2

Not sure if Quarkus is impacted though as I'm not aware of the usage. Our build tools reported this one 😄

See GHSA-mw36-7c6c-q4q2

Not sure if Quarkus is impacted though as I'm not aware of the usage.
@ghost ghost added the area/testing label Dec 7, 2020
@wjglerum
Contributor Author

wjglerum commented Dec 7, 2020

Checked why @dependabot was not updating this library, seems like it was turned off by @famod due to wrong reports, see c02b9ea#diff-dd4fbda47e51f1e35defb9275a9cd9c212ecde0b870cba89ddaaae65c5f3cd28

@sberyozkin
Member

Probably because it is used for the tests only

@sberyozkin sberyozkin self-requested a review December 7, 2020 17:58
@famod
Member

famod commented Dec 7, 2020

Thanks for taking care of this! Last time I checked Quarkus only used XStream in the JUnit5 test framework.
And yes, we were getting Dependabot PRs for the -java7 version.

@gsmet gsmet added this to the 1.10.3.Final milestone Dec 7, 2020
@gsmet gsmet merged commit 95dc563 into quarkusio:master Dec 7, 2020
@ghost

ghost commented Dec 7, 2020

Milestone is already set for some of the items:

  • The pull request itself

We haven't automatically updated the milestones for these items.

This message is automatically generated by a bot.

@gsmet
Member

gsmet commented Dec 7, 2020

Thanks!

@wjglerum wjglerum deleted the patch-1 branch December 8, 2020 07:12
@wjglerum
Contributor Author

wjglerum commented Dec 8, 2020

@gsmet no problem, glad I could help. Just noticed after upgrading to Quarkus 1.10.3.Final this evening that 1.4.11 of the xstream library is still present in the quarkus-universe-bom instead of the new 1.4.14. How's that possible? Something missed the release cut off?

Maven Central -> https://search.maven.org/artifact/io.quarkus/quarkus-universe-bom/1.10.3.Final/pom

      <dependency>
        <groupId>com.thoughtworks.xstream</groupId>
        <artifactId>xstream</artifactId>
        <version>1.4.11</version>
      </dependency>

Code at 1.10.3.Final -> https://github.com/quarkusio/quarkus/blob/1.10.3.Final/test-framework/junit5/pom.xml

        <dependency>
            <groupId>com.thoughtworks.xstream</groupId>
            <artifactId>xstream</artifactId>
            <!-- Avoid adding this to the BOM -->
            <version>1.4.14</version>
        </dependency>

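An added check, not code from this PR or the Quarkus project, for the mismatch described above: it parses a BOM's dependencyManagement (a constructed fragment modelled on the quarkus-universe-bom snippet) and reports whether the managed xstream version is older than the fixed 1.4.14, i.e. what a consumer importing that BOM would resolve.

```python
# Added example (not from the Quarkus project): flag a Maven BOM that still
# manages an artifact at a version below the one that fixes the advisory.
import xml.etree.ElementTree as ET
from typing import Optional

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed BOM fragment modelled on the quarkus-universe-bom 1.10.3.Final snippet.
SAMPLE_BOM = f"""<project xmlns="{POM_NS}">
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.thoughtworks.xstream</groupId>
        <artifactId>xstream</artifactId>
        <version>1.4.11</version>
      </dependency>
      <dependency>
        <groupId>org.example</groupId>
        <artifactId>other</artifactId>
        <version>2.0.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>"""

def parse_version(v: str) -> tuple:
    # Numeric-prefix comparison; sufficient for dotted releases like 1.4.14.
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def managed_version(pom_xml: str, group: str, artifact: str) -> Optional[str]:
    # Return the version the BOM pins for group:artifact, or None if unmanaged.
    root = ET.fromstring(pom_xml)
    ns = {"m": POM_NS}
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", ns):
        if (dep.findtext("m:groupId", namespaces=ns) == group
                and dep.findtext("m:artifactId", namespaces=ns) == artifact):
            return dep.findtext("m:version", namespaces=ns)
    return None

def bom_pins_vulnerable(pom_xml: str, group: str, artifact: str, fixed: str) -> bool:
    # True when the BOM manages the artifact at a version older than `fixed`.
    v = managed_version(pom_xml, group, artifact)
    if v is None:
        return False  # not managed here; consumers resolve whatever they declare
    return parse_version(v) < parse_version(fixed)
```

The module-level `<version>1.4.14</version>` in the test-framework pom does not help a consumer of the universe BOM, because a BOM only supplies versions for dependencies that omit one.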
@gsmet
Member

gsmet commented Dec 8, 2020

Hmmm, it's not in the core Quarkus BOM, only in the test dependency.

The one in the Quarkus Universe BOM must come from another project we include in the Platform.

/cc @aloubyansky

@aloubyansky
Member

Looks like this is how it got introduced c2f679e#diff-b88aa07681bc7b1050d16244dcb773cef6c1ec8b66b9e8c90f7ac0ff5ca68760
So, perhaps it's optaplanner that contributes it to the platform.

@aloubyansky
Member

But if we are using it, we should probably have it in our BOM.

@famod
Member

famod commented Dec 8, 2020

But if we are using it, we should probably have it in our BOM.

#11956 (review) 🤷‍♂️

@aloubyansky
Member

But if we are using it, we should probably have it in our BOM.

#11956 (review)

Yes, it probably makes more sense as just a dependency.
