
Update vulnerable dependencies

Open f-schnabel opened this issue 1 year ago • 3 comments

Purpose

Update testng, hsqldb, jline, apache commons-compress and jetty-server dependencies because of reported vulnerabilities. ~Also convert maven-resolver to a module since there were some module path issues.~ Fixed module path issues in another way.

Approach

Describe how you are implementing the solutions along with the design details.

Samples

Provide high-level details about the samples related to this feature.

Remarks

List any other known issues, related PRs, TODO items, or any other notes related to the PR.

Check List

  • [x] Read the Contributing Guide
  • [ ] Updated Change Log
  • [ ] Checked Tooling Support (#<Issue Number>)
  • [ ] Added necessary tests
    • [ ] Unit Tests
    • [ ] Spec Conformance Tests
    • [ ] Integration Tests
    • [ ] Ballerina By Example Tests
  • [ ] Increased Test Coverage
  • [ ] Added necessary documentation
    • [ ] API documentation
    • [ ] Module documentation in Module.md files
    • [ ] Ballerina By Examples

f-schnabel avatar Jun 18 '24 20:06 f-schnabel

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.30%. Comparing base (88ce468) to head (9bad6b1). Report is 19 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff            @@
##             master   #42947   +/-   ##
=========================================
  Coverage     77.29%   77.30%           
  Complexity    51359    51359           
=========================================
  Files          2932     2932           
  Lines        204534   204529    -5     
  Branches      26701    26713   +12     
=========================================
+ Hits         158097   158107   +10     
+ Misses        37843    37827   -16     
- Partials       8594     8595    +1     


codecov[bot] avatar Jun 18 '24 22:06 codecov[bot]

@keizer619 Can you check these changes?

warunalakshitha avatar Jun 24 '24 05:06 warunalakshitha

I would like to fix all Trivy issues, but unfortunately the org.apache.james:apache-mime4j-core vulnerability is a transitive dependency of org.apache.ws.commons.axiom:axiom-api, which currently doesn't have a newer version where this transitive dependency is updated. I also created an issue in their Jira, but let's see when this will be addressed...

Jira issue in Axiom: https://issues.apache.org/jira/projects/AXIOM/issues/AXIOM-521
Trivy run: https://github.com/ballerina-platform/ballerina-lang/actions/runs/9783135210/job/27011022249

f-schnabel avatar Jul 04 '24 22:07 f-schnabel
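The situation described in the comment above (a vulnerable artifact pulled in transitively, with no fixed release of the direct dependency yet) is the common case where waiting on upstream is not the only option: Gradle lets a consumer pin the transitive artifact to a patched release with a dependency constraint while keeping the direct dependency as-is. The snippet below is an added illustration in Gradle's Groovy DSL, not code from this PR or from ballerina-lang; the axiom-api and mime4j version numbers are assumptions, and the patched version should be taken from the "Fixed Version" column of the Trivy report rather than from this example.

```groovy
// build.gradle (Groovy DSL). Added example, not ballerina-lang's build file.
// Goal: keep depending on axiom-api, but make sure the resolved graph never
// contains the vulnerable apache-mime4j-core release it drags in.

ext {
    axiomVersion        = '1.4.0'   // assumed current axiom-api release
    mime4jFixedVersion  = '0.8.11'  // assumed: take this from Trivy's "Fixed Version" column
}

dependencies {
    // Direct dependency stays untouched; it is what transitively requests mime4j-core.
    implementation "org.apache.ws.commons.axiom:axiom-api:${axiomVersion}"

    constraints {
        // A constraint participates in conflict resolution without adding a new
        // direct dependency: if axiom-api asks for an older mime4j-core, Gradle
        // resolves to this version instead. `strictly` also rejects anything
        // that tries to pull it back down.
        implementation("org.apache.james:apache-mime4j-core") {
            version { strictly mime4jFixedVersion }
            because 'vulnerable transitive of axiom-api; upstream fix tracked in AXIOM-521'
        }
    }
}

// Belt and braces: fail the build if the vulnerable coordinates ever resolve
// to a version below the pinned one through some other path.
configurations.configureEach { cfg ->
    if (cfg.canBeResolved) {
        cfg.incoming.afterResolve { result ->
            result.resolutionResult.allComponents.each { comp ->
                def id = comp.moduleVersion
                if (id != null && id.group == 'org.apache.james'
                        && id.name == 'apache-mime4j-core'
                        && id.version != mime4jFixedVersion) {
                    throw new GradleException(
                        "apache-mime4j-core resolved to ${id.version} in ${cfg.name}, expected ${mime4jFixedVersion}")
                }
            }
        }
    }
}
```

Two checks belong with an override like this. First, `./gradlew dependencyInsight --dependency apache-mime4j-core --configuration runtimeClasspath` shows which version was selected and prints the `because` reason, so reviewers can see the pin is deliberate. Second, the forced version skips the compatibility testing the axiom project would otherwise have done, so the full test suite must run against the overridden graph; a constraint that breaks axiom-api at runtime is a worse outcome than a documented, scheduled upstream fix.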


Thanks for the contributions, we just merged these.

keizer619 avatar Jul 15 '24 10:07 keizer619