Force newer version of Eclipse core transitive dependency (resolves CVE-2023-4218) #3737
Signed-off-by: Daniel Widdis <[email protected]>
Thanks @dbwiddis looks good to me!
Codecov Report
Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3737      +/-   ##
==========================================
- Coverage   65.23%   65.22%   -0.01%
==========================================
  Files         297      297
  Lines       21129    21129
  Branches     3451     3451
==========================================
- Hits        13783    13781       -2
- Misses       5647     5648       +1
- Partials     1699     1700       +1
…VE-2023-4218) (#3737)

### Description
The Spotless Gradle Plugin brings in a transitive dependency on Eclipse Core Runtime 3.26.100. That version is impacted by a CVE.

This forces the newest version, currently 3.29.0. Note that newer versions than 3.26 require JDK17+ to run spotless.

Signed-off-by: Daniel Widdis <[email protected]>
(cherry picked from commit b72a9cf)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
FYI, the Whitesource Security check failed here: https://github.com/opensearch-project/security/pull/3737/checks?check_run_id=18799318680 which indicates the "newest" version is still vulnerable. But that doesn't seem to be the case as the newest Eclipse version is allegedly not vulnerable... In any case, explicitly specifying the version should allow auto-updates in the future.
The CVE entry points to this as a commit resolving it which indicates 3.29.0 "fixes" it... eclipse-platform/eclipse.platform.ui@f243cf0
Aha, here's the specific line in https://www.cve.org/CVERecord?id=CVE-2023-4218
I interpret "before" as < ... so I hope that failed check is a false positive and 3.29.0 is resolved.
And not only do I interpret it that way, the CVE record linked above is very clear about what the "before" syntax means:
This would mean the "affected version doesn't include 3.29.0" so I do not understand why Mend is alerting on it. (It opened a new issue here: opensearch-project/flow-framework#177)
…ncy (resolves CVE-2023-4218) (#3739)

Backport b72a9cf from #3737.

Signed-off-by: Daniel Widdis <[email protected]>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Description
The Spotless Gradle Plugin brings in a transitive dependency on Eclipse Core Runtime 3.26.100. That version is impacted by a CVE.
This forces the newest version, currently 3.29.0. Note that newer versions than 3.26 require JDK17+ to run spotless.
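The page does not show the PR's diff, so the following is an added example (not the project's own build script) of how a transitive dependency version is forced in a Gradle build and the reason recorded. It assumes the Maven coordinate of Eclipse Core Runtime is org.eclipse.platform:org.eclipse.core.runtime, that the build uses the Groovy DSL, and that Spotless resolves its Eclipse formatter artifacts through the project's configurations so that configurations.all covers them; verify each assumption against your own dependency graph before relying on it.

```groovy
// build.gradle (Groovy DSL) -- added example, not the PR's code.
// Pin the transitive Eclipse Core Runtime that Spotless drags in to the
// release named in the PR description, and record why.
//
// ASSUMED coordinate: org.eclipse.platform:org.eclipse.core.runtime
// Version values come from the PR description (3.26.100 -> 3.29.0).
ext {
    eclipseRuntimeGroup   = 'org.eclipse.platform'
    eclipseRuntimeModule  = 'org.eclipse.core.runtime'
    eclipseRuntimeMinimum = '3.29.0'
}

configurations.all {
    resolutionStrategy {
        // Shortest form: hard-force the version for every configuration.
        force "${eclipseRuntimeGroup}:${eclipseRuntimeModule}:${eclipseRuntimeMinimum}"

        // Equivalent, but keeps a human-readable reason in dependency reports
        // (visible via `gradle dependencyInsight`).  Either block alone is enough;
        // both are shown so the difference is visible.
        eachDependency { DependencyResolveDetails details ->
            def req = details.requested
            if (req.group == eclipseRuntimeGroup && req.name == eclipseRuntimeModule
                    && req.version != eclipseRuntimeMinimum) {
                details.useVersion(eclipseRuntimeMinimum)
                details.because("CVE-2023-4218: Eclipse Core Runtime before ${eclipseRuntimeMinimum} is affected")
            }
        }
    }
}

// Guard task: fail the build if any resolvable configuration still ends up
// with a lower version, e.g. after a future plugin upgrade changes the graph.
tasks.register('verifyEclipseRuntimeVersion') {
    description = 'Fails if org.eclipse.core.runtime resolves below the pinned minimum.'
    doLast {
        configurations.findAll { it.canBeResolved }.each { cfg ->
            cfg.incoming.resolutionResult.allComponents.each { comp ->
                def id = comp.moduleVersion
                if (id != null && id.group == eclipseRuntimeGroup && id.name == eclipseRuntimeModule
                        && id.version != eclipseRuntimeMinimum) {
                    throw new GradleException(
                        "${cfg.name} resolved ${id} (expected ${eclipseRuntimeMinimum})")
                }
            }
        }
    }
}
```

To confirm what actually resolved, run `gradle dependencyInsight --dependency org.eclipse.core.runtime` (optionally with `--configuration <name>`); the output shows the requested version, the selected version, and the `because` reason. The JDK 17+ requirement the description mentions applies to the newer Spotless/Eclipse versions, so the pin only helps on a toolchain that can run them.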
Issues Resolved
Fixes #3688
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.