Force newer version of Eclipse core transitive dependency (resolves CVE-2023-4218) #3737
Conversation
Signed-off-by: Daniel Widdis <[email protected]>
dbwiddis
requested review from
cliu123,
cwperks,
DarshitChanpura,
davidlago,
peternied,
RyanL1997,
stephen-crawford,
reta and
willyborankin
as code owners
stephen-crawford
changed the title
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #3737 +/- ##
==========================================
- Coverage 65.23% 65.22% -0.01%
==========================================
Files 297 297
Lines 21129 21129
Branches 3451 3451
==========================================
- Hits 13783 13781 -2
- Misses 5647 5648 +1
- Partials 1699 1700 +1 |
…VE-2023-4218) (#3737) ### Description The Spotless Gradle Plugin brings in a transitive dependency on Eclipse Core Runtime 3.26.100. That version is impacted by a CVE. This forces the newest version, currently 3.29.0. Note that newer versions than 3.26 require JDK17+ to run spotless. Signed-off-by: Daniel Widdis <[email protected]> (cherry picked from commit b72a9cf) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
FYI, the Whitesource Security check failed here: https://github.com/opensearch-project/security/pull/3737/checks?check_run_id=18799318680 which indicates the "newest" version is still vulnerable. But that doesn't seem to be the case as the newest Eclipse version is allegedly not vulnerable.... In any case, explicitly specifying the version should allow auto-updates in the future. |
|
The CVE entry points to this as a commit resolving it which indicates 3.29.0 "fixes" it... eclipse-platform/eclipse.platform.ui@f243cf0 |
|
Aha, here's the specific line in https://www.cve.org/CVERecord?id=CVE-2023-4218
I interpret "before" as < .... so I hope that failed check is a false positive and 3.29.0 is resolved. |
|
And not only do I interpret it that way, the CVE record linked above is very clear about what the "before" syntax means:
This would mean the "affected version doesn't include 3.29.0" so I do not understand why Mend is alerting on it. (It opened a new issue here: opensearch-project/flow-framework#177) |
…ncy (resolves CVE-2023-4218) (#3739) Backport b72a9cf from #3737. Signed-off-by: Daniel Widdis <[email protected]> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Description
The Spotless Gradle Plugin brings in a transitive dependency on Eclipse Core Runtime 3.26.100. That version is impacted by a CVE.
This forces the newest version, currently 3.29.0. Note that newer versions than 3.26 require JDK17+ to run spotless.
Issues Resolved
Fixes #3688
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.