
Plugins use dependencies that trigger CVEs

Open binkley opened this issue 1 year ago • 2 comments

If you are submitting a bug, please include the following:

  • [x] summary of problem
  • [x] Gradle or Maven version
  • [x] spotless version
  • [x] operating system and version
  • [x] copy-paste your full Spotless configuration block(s), and a link to a public git repo that reproduces the problem if possible
  • [x] copy-paste the full content of any console errors emitted by gradlew spotless[Apply/Check] --stacktrace

If you're just submitting a feature request or question, no need for the above.

Summary

An accidental discovery: making Spotless a dependency instead of a plugin (yes, it was a mistake) turned up multiple CVEs from DependencyCheck. This tells me 2 things:

  • DependencyCheck is not checking plugins
  • Spotless has outdated dependencies for the plugins

Obviously, this is a user goof; however, it tells me that Spotless may need to refresh/update dependencies for the plugins. On the other hand, some of these may be build-only dependencies for the plugin? Either way, there are some outdated dependencies in the plugin.

CVEs with 2.43.0:

  • org.eclipse.jgit-6.7.0.202309050840-r.jar: CVE-2023-4759(8.8)
  • org.eclipse.osgi-3.18.300.jar: CVE-2021-41033(8.1), CVE-2020-27225(7.8), CVE-2023-4218(5.0)
  • plexus-resources-1.2.0.jar: CVE-2022-4245(4.3), CVE-2022-4244(7.5)

My issue post focuses on the Maven plugin. I haven't tried doing the same with the Gradle plugin.

Maven version

3.9.6

Spotless version

2.43.0

OS version

Not relevant, however "Linux Hobbiton 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux" running Ubuntu under WSL2 on Windows 11.

Spotless configuration block

No configuration block provided.

Console output

I wanted to paste the full `./mvnw -X verify` output; however, there were two problems:

  • Lots of useless stuff non-specific to the problem at hand
  • Posting the full output gave GitHub heartburn, and it complained that this issue exceeded the character limit

binkley avatar Jun 11 '24 12:06 binkley
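The report above turns on a detail of the scan: DependencyCheck walks the project's dependency tree, not the plugin classpath, so the plugin's own transitive dependencies were only seen once Spotless was (accidentally) declared as a dependency. The pom fragment below is an added example, not from the issue or the Spotless project, that reproduces that scan deliberately; the profile id `scan-build-tooling` and the `test` scope are my choices, and the DependencyCheck version is a placeholder.

```xml
<!-- pom.xml fragment (added example; profile name, scope and the
     DependencyCheck version placeholder are assumptions, not from the issue) -->
<project>
  <build>
    <plugins>
      <!-- Normal plugin usage: dependencies declared here are NOT part of the
           project's dependency tree, so DependencyCheck does not see them. -->
      <plugin>
        <groupId>com.diffplug.spotless</groupId>
        <artifactId>spotless-maven-plugin</artifactId>
        <version>2.43.0</version>
      </plugin>
      <!-- OWASP DependencyCheck, bound to the build so "verify" runs it. -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>DEPENDENCY_CHECK_VERSION</version> <!-- placeholder -->
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
  <profiles>
    <!-- Activate only for the scan: ./mvnw -Pscan-build-tooling verify -->
    <profile>
      <id>scan-build-tooling</id>
      <dependencies>
        <!-- Declaring the plugin artifact as a test-scoped dependency pulls
             its transitive dependencies (JGit, Eclipse OSGi, plexus-resources)
             into the scanned tree; test scope keeps it out of the shipped
             artifact and off the main compile classpath. -->
        <dependency>
          <groupId>com.diffplug.spotless</groupId>
          <artifactId>spotless-maven-plugin</artifactId>
          <version>2.43.0</version>
          <scope>test</scope>
        </dependency>
      </dependencies>
    </profile>
  </profiles>
</project>
```

Findings from this profile describe the build tooling's classpath, not the shipped application, so triage them separately from production dependency findings.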

Regarding each in turn

  • [x] org.eclipse.jgit-6.7.0.202309050840-r.jar: we've got to make some changes to adapt to a new API after this (#1949); a new JGit (6.10) is supposed to come out any day now, so that'll be a good time
  • [x] org.eclipse.osgi-3.18.300.jar: this should be trivial to bump
  • [x] plexus-resources-1.2.0.jar: I had been holding this back with the idea of preserving compat, but sure, we can bump to 1.3.0

nedtwigg avatar Jun 12 '24 18:06 nedtwigg

@nedtwigg Sounds like y'all are on top of this already. Again, thanks for considering an Issue that is the result of clear user error. 😄

binkley avatar Jun 19 '24 11:06 binkley