Fix security vulnerability by bumping lifecycleVersion to 2.8.4
📢 Type of change
- [ ] Bugfix
- [ ] New feature
- [x] Enhancement
- [ ] Refactoring
📜 Description
Bump lifecycleVersion to 2.8.4
💡 Motivation and Context
- This version has a security vulnerability CVE-2020-15250 from junit 4.12
- 2.2.0 was released 9/21/2019 almost 5 years ago.
- lifecycle-common-2.2.0, lifecycle-common-java8-2.2.0, lifecycle-process-2.2.0 and lifecycle-runtime-2.2.0 do not have the corresponding .asc, so it is not possible to verify the integrity of the libraries. This causes that, when we add sentry to our project, we get the following error:
> Dependency verification failed for configuration ':log-decryptor:implementation':
> - On artifact lifecycle-common-2.2.0.pom (androidx.lifecycle:lifecycle-common:2.2.0) in repository 'Artifactory Google': checksum is missing from verification metadata.
> - On artifact lifecycle-common-java8-2.2.0.pom (androidx.lifecycle:lifecycle-common-java8:2.2.0) in repository 'Artifactory Google': checksum is missing from verification metadata.
> - On artifact lifecycle-process-2.2.0.pom (androidx.lifecycle:lifecycle-process:2.2.0) in repository 'Artifactory Google': checksum is missing from verification metadata.
> - On artifact lifecycle-runtime-2.2.0.pom (androidx.lifecycle:lifecycle-runtime:2.2.0) in repository 'Artifactory Google': checksum is missing from verification metadata.
💚 How did you test it?
📝 Checklist
- [x] I reviewed submitted code
- [ ] I added tests to verify changes
- [x] All tests passing
- [x] No breaking changes
🔮 Next steps
@jffiorillo thanks for creating this PR. For clarification: could you explain how this is linked to the junit CVE?
Hi @jffiorillo, thanks for opening a PR!
- This seems to only affect tests using TemporaryFolder, but you can use newer junit versions, not affected by it
- We tend to keep compatibility as much as possible
- Can you share with us how you're running dependency verification?
Sorry folks for the late reply @stefanosiano @markushi. Do you guys have a specific concern with this PR? I think the goals of my PR are 3 items:
> - This version has a security vulnerability CVE-2020-15250 from junit 4.12
> - 2.2.0 was released 9/21/2019 almost 5 years ago.
> - lifecycle-common-2.2.0, lifecycle-common-java8-2.2.0, lifecycle-process-2.2.0 and lifecycle-runtime-2.2.0 do not have the corresponding .asc, so it is not possible to verify the integrity of the libraries. This causes that, when we add sentry to our project, we get the following error:

> We tend to keep compatibility as much as possible

Is upgrading to 2.8.4 breaking compatibility somehow? I would assume that 2.8.4 is backward compatible with 2.2.0.

> Can you share with us how you're running dependency verification?

`./gradlew <my_gradle_module>dependencies` where `<my_gradle_module>` has as a dependency `io.sentry:sentry-android:7.14.0`.
Hey @jffiorillo

> - This version has a security vulnerability CVE-2020-15250 from junit 4.12

androidx.lifecycle libraries don't have dependencies on junit, unless I'm missing something. Anyway, that vulnerability only affects tests, and you can use the junit version you want to write tests. Whatever the library uses doesn't affect your testing.

There's no reason on our side to upgrade a library just because there is a new version. Doing so would force our users to use newer versions of the dependency without adding any value. You are still able to include the version you prefer in your app, automatically overriding the version provided in Sentry.

> - lifecycle-common-2.2.0, lifecycle-common-java8-2.2.0, lifecycle-process-2.2.0 and lifecycle-runtime-2.2.0 do not have the corresponding .asc, so it is not possible to verify the integrity of the libraries. This causes that, when we add sentry to our project, we get the following error:

Same as above, you can use the version you prefer, given it's at least 2.2.0.

I'm closing this PR as not relevant for us. Feel free to comment to reopen it again.
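The maintainers' point above is that the consuming app, not the Sentry SDK, decides which androidx.lifecycle version ends up on the classpath. Below is an added example of how that looks in a consuming project's Gradle Kotlin DSL build script; it is not code from this PR or from the Sentry project. The module name, the use of `constraints`, and the choice of `2.8.4` as the pinned version are assumptions made for illustration; the dependency verification flow it references is Gradle's standard `gradle/verification-metadata.xml` mechanism.

```kotlin
// build.gradle.kts of the consuming app module (hypothetical example, not Sentry's code)
plugins {
    id("com.android.application")
    kotlin("android")
}

dependencies {
    // The SDK declares androidx.lifecycle 2.2.0 transitively.
    implementation("io.sentry:sentry-android:7.14.0")

    // Dependency constraints raise the resolved version for the whole
    // configuration without forking or patching the SDK. Gradle picks the
    // highest version that satisfies every declared constraint, so 2.8.4
    // wins over the transitive 2.2.0. (Assumed version for illustration.)
    constraints {
        implementation("androidx.lifecycle:lifecycle-common:2.8.4") {
            because("transitive 2.2.0 artifacts lack entries in gradle/verification-metadata.xml")
        }
        implementation("androidx.lifecycle:lifecycle-common-java8:2.8.4")
        implementation("androidx.lifecycle:lifecycle-process:2.8.4")
        implementation("androidx.lifecycle:lifecycle-runtime:2.8.4")
    }
}
```

After changing the constraints, regenerate the verification metadata so the newly resolved artifacts have checksums on record, for example with `./gradlew --write-verification-metadata sha256 help`, and review the diff of `gradle/verification-metadata.xml` before committing it. The failure quoted in the PR description ("checksum is missing from verification metadata") is Gradle refusing to use an artifact it has no recorded checksum for, which is the mechanism working as intended; the fix belongs in the consuming project's metadata, not in the SDK's declared version.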