
Update Ktor and logback to mitigate security risks

Open johnaziz57 opened this issue 1 year ago • 0 comments

Proposed Changes

We are trying to adopt Maestro in our company, but, running a security scan (using Sonatype IQ server), we found the following issues:

  1. Ktor 2.2.2, should be updated to 2.3.5
  2. Logback 1.2.3, should be updated to 1.2.6

[ERROR] The IQ Server reports policy failing due to 
Policy(Security-High-9) [
 Component(displayName=io.ktor : ktor-network-tls-jvm : 2.2.2, hash=5555e04fb3f6c82282ad) [
  Constraint(Security threat level 9) [Security Vulnerability Severity >= 9 because: Found security vulnerability CVE-2023-45613 with severity >= 9 (severity = 9.1), on condition 0, Security Vulnerability Status is not NOT_APPLICABLE because: Found security vulnerability CVE-2023-45613 with status 'Open', not 'Not Applicable', on condition 0, Security Vulnerability Severity < 10 because: Found security vulnerability CVE-2023-45613 with severity < 10 (severity = 9.1), on condition 0, Proprietary is false because: Component does not contain proprietary packages, on condition 0] ]]
[ERROR] The IQ Server reports policy failing due to 
Policy(Security-High-8) [
 Component(displayName=ch.qos.logback : logback-core : 1.2.3, hash=864344400c3d4d92dfeb) [
  Constraint(Security threat level 8) [Security Vulnerability Severity >= 8 because: Found security vulnerability sonatype-2021-1175 with severity >= 8 (severity = 8.6), on condition 0, Security Vulnerability Status is not NOT_APPLICABLE because: Found security vulnerability sonatype-2021-1175 with status 'Open', not 'Not Applicable', on condition 0, Security Vulnerability Severity < 9 because: Found security vulnerability sonatype-2021-1175 with severity < 9 (severity = 8.6), on condition 0] ]]
[WARN] The IQ Server reports policy warning due to 

There is one more security issue, but unfortunately, I don't have a fix for it yet.

In this PR, I am updating those dependencies.

Update

Ktor 2.3.5 requires a minimum Kotlin version of 1.9.0. Ktor 2.3.6 requires a minimum Kotlin version of 1.8.0 (based on what I understood here). So I updated Ktor to 2.3.6 and Kotlin to 1.8.0.

Testing

Ran ./gradlew :maestro-test:test and it succeeded.
Ran ./gradlew installDist and it succeeded.

Issues Fixed

Security issue related to Ktor and Logback

johnaziz57, Apr 19 '24 09:04
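As an added example, not part of this PR or of the Maestro project: a small Python parser that pulls the component coordinates, vulnerability id and severity out of Sonatype IQ policy-failure lines like the ones quoted above, then maps each flagged coordinate to the proposed upgrade version so a reviewer can see which findings the PR addresses and which still lack a target. The sample input is an abridged copy of the output in the PR description, and the `targets` dict with per-group versions is an assumed input shape.

```python
import re
from dataclasses import dataclass
# Abridged copy of the Sonatype IQ output quoted in the PR description above: the
# status and proprietary clauses are dropped; ids, versions and severities are unchanged.
SAMPLE_IQ_OUTPUT = """\
[ERROR] The IQ Server reports policy failing due to
Policy(Security-High-9) [
 Component(displayName=io.ktor : ktor-network-tls-jvm : 2.2.2, hash=5555e04fb3f6c82282ad) [
  Constraint(Security threat level 9) [Security Vulnerability Severity >= 9 because: Found security vulnerability CVE-2023-45613 with severity >= 9 (severity = 9.1), on condition 0, Security Vulnerability Severity < 10 because: Found security vulnerability CVE-2023-45613 with severity < 10 (severity = 9.1), on condition 0] ]]
[ERROR] The IQ Server reports policy failing due to
Policy(Security-High-8) [
 Component(displayName=ch.qos.logback : logback-core : 1.2.3, hash=864344400c3d4d92dfeb) [
  Constraint(Security threat level 8) [Security Vulnerability Severity >= 8 because: Found security vulnerability sonatype-2021-1175 with severity >= 8 (severity = 8.6), on condition 0] ]]
"""
POLICY_RE = re.compile(r"^Policy\((?P<policy>[^)]+)\)")
COMPONENT_RE = re.compile(r"Component\(displayName=(?P<group>\S+) : (?P<artifact>\S+) : (?P<version>\S+), hash=")
VULN_RE = re.compile(r"Found security vulnerability (?P<id>[A-Za-z0-9-]+) with severity (?:>=|<) [\d.]+ \(severity = (?P<severity>[\d.]+)\)")

@dataclass(frozen=True)
class Finding:
    policy: str
    group: str
    artifact: str
    version: str
    vuln_id: str
    severity: float

def parse_iq_findings(text: str) -> list:
    """One Finding per (component, vulnerability). IQ repeats the same id in several
    constraint clauses (">= 9" and "< 10"), so identical findings are collapsed."""
    findings, policy, component = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := POLICY_RE.match(line):
            policy, component = m.group("policy"), None   # a new policy block starts
        elif m := COMPONENT_RE.search(line):
            component = m.groupdict()                     # component under that policy
        elif policy and component:                        # constraint line: pull the vulns
            for m in VULN_RE.finditer(line):
                f = Finding(policy, component["group"], component["artifact"],
                            component["version"], m.group("id"), float(m.group("severity")))
                if f not in findings:
                    findings.append(f)
    return findings

def plan_upgrades(findings: list, targets: dict) -> dict:
    """Map each flagged coordinate to (flagged version, proposed version); a None target
    marks a finding the PR does not yet address, which is what a reviewer should look for."""
    return {f"{f.group}:{f.artifact}": (f.version, targets.get(f.group)) for f in findings}
```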