
Upgrade jackson to 2.19 and snakeyaml to 2.14

Open ZachChuba opened this issue 7 months ago • 4 comments

Code hygiene and clearing falsely flagged CVEs

Upgrade jackson and snakeyaml to the latest version. Aside from providing code hygiene, these two dependencies are flagged by FOSS scanning tools as having critical severity CVEs. Although not exploitable in testcontainers, this causes a headache for developers.

This is to address Issue #9289

ZachChuba avatar May 09 '25 11:05 ZachChuba

@eddumelendez Can you enable the tests CI flows so we can confirm this does not break and review?

ZachChuba avatar May 21 '25 15:05 ZachChuba

@eddumelendez Can you enable the tests CI flows so we can confirm this does not break and review?

The easiest way to run CI and get that feedback is to send a pull request to your own fork's main and let CI run

I did that in my fork + your changes here: https://github.com/yeikel/testcontainers-java/pull/1

Unfortunately, your changes are not passing some of the workflows

i.e.:

Gradle Test Executor 2 > ArtemisContainerTest > defaultCredentials FAILED
    java.util.ServiceConfigurationError: org.testcontainers.dockerclient.DockerClientProviderStrategy: Provider org.testcontainers.dockerclient.EnvironmentAndSystemPropertyClientProviderStrategy could not be instantiated
        at java.base/java.util.ServiceLoader.fail(ServiceLoader.java:586)
        at java.base/java.util.ServiceLoader$ProviderImpl.newInstance(ServiceLoader.java:813)
        at java.base/java.util.ServiceLoader$ProviderImpl.get(ServiceLoader.java:729)
        at java.base/java.util.ServiceLoader$3.next(ServiceLoader.java:1403)
        at java.base/java.lang.Iterable.forEach(Iterable.java:74)
        at org.testcontainers.DockerClientFactory.getOrInitializeStrategy(DockerClientFactory.java:152)
        at org.testcontainers.DockerClientFactory.client(DockerClientFactory.java:196)
        at org.testcontainers.DockerClientFactory$1.getDockerClient(DockerClientFactory.java:108)
        at com.github.dockerjava.api.DockerClientDelegate.authConfig(DockerClientDelegate.java:109)
        at org.testcontainers.containers.GenericContainer.start(GenericContainer.java:321)
        at org.testcontainers.activemq.ArtemisContainerTest.defaultCredentials(ArtemisContainerTest.java:24)

        Caused by:
        java.lang.NoClassDefFoundError: com/fasterxml/jackson/annotation/JsonKey

There are also other failures

        Caused by:
        java.lang.NoSuchMethodError: 'com.fasterxml.jackson.annotation.OptBoolean com.fasterxml.jackson.annotation.JsonProperty.isRequired()'

Refer to the link above to see the full CI Run. Example: https://github.com/yeikel/testcontainers-java/actions/runs/15290585561/job/43009689378?pr=1

I also sent you an invite in case it is more convenient to just push to my fork

yeikel avatar May 28 '25 03:05 yeikel

It seems that the issue is a mismatch as docker-java-api is bringing jackson-annotations:2.10.3

Although we may be able to overwrite that, it seems safer to upgrade docker-java-api first as it is closely developed and tested with testcontainers-java

See https://github.com/docker-java/docker-java/pull/2447

yeikel avatar May 28 '25 04:05 yeikel
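The failures above come from Jackson modules resolving to different version lines (jackson 2.19 next to a transitive jackson-annotations 2.10.3), which surfaces only at runtime as NoClassDefFoundError or NoSuchMethodError. The check below is an added example, not code from this PR or the testcontainers build: it parses `gradle dependencies` tree output and flags any Jackson artifact whose resolved version differs from the rest; the tree output it runs on is constructed to mirror the mismatch described in the thread.

```python
"""Flag mis-aligned Jackson module versions in `gradle dependencies` output.

Added example, not part of the PR or the testcontainers project. Jackson
modules are only meant to be used within one version line, so any Jackson
artifact resolving to a different version than the others is reported.
"""
import re
from collections import defaultdict

# One tree line, e.g. "|    +--- group:artifact:2.19.0 -> 2.10.3 (*)".
# Gradle prints "declared -> resolved" when conflict resolution changed it.
_LINE = re.compile(
    r"^[\s|+\\-]*(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+)"
    r"(?::(?P<declared>[\w.\-]+))?(?:\s*->\s*(?P<resolved>[\w.\-]+))?"
)
JACKSON_GROUP_PREFIX = "com.fasterxml.jackson"

# Constructed sample tree (versions and layout are illustrative only).
SAMPLE_TREE = """\
testRuntimeClasspath - Runtime classpath of source set 'test'.
+--- com.fasterxml.jackson.core:jackson-databind:2.19.0
|    +--- com.fasterxml.jackson.core:jackson-annotations:2.19.0 -> 2.10.3
|    \\--- com.fasterxml.jackson.core:jackson-core:2.19.0
+--- com.github.docker-java:docker-java-api:3.4.0
|    \\--- com.fasterxml.jackson.core:jackson-annotations:2.10.3
\\--- org.yaml:snakeyaml:2.4
"""


def resolved_versions(tree_output):
    """Return {artifact: set(resolved versions)} for every Jackson module."""
    versions = defaultdict(set)
    for line in tree_output.splitlines():
        m = _LINE.match(line)
        if not m or not m.group("group").startswith(JACKSON_GROUP_PREFIX):
            continue
        version = m.group("resolved") or m.group("declared")
        if version:
            versions[m.group("artifact")].add(version)
    return dict(versions)


def misaligned_modules(tree_output):
    """Return Jackson modules whose version differs from the most common one."""
    versions = resolved_versions(tree_output)
    counts = defaultdict(int)
    for vs in versions.values():
        for v in vs:
            counts[v] += 1
    if not counts:
        return {}
    expected = max(counts, key=counts.get)
    return {a: vs for a, vs in versions.items() if vs != {expected}}
```

Run it on `./gradlew dependencies --configuration testRuntimeClasspath` output (the configuration name is an assumption; the shaded configuration in testcontainers may differ) and a non-empty result means the same class-loading failures seen in CI are likely.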

Let me know when that version is published and I'll add it to the build

ZachChuba avatar Jun 06 '25 11:06 ZachChuba

Let me know when that version is published and I'll add it to the build

@ZachChuba https://github.com/docker-java/docker-java/releases/tag/3.5.3 is published

gabrieljones avatar Jul 10 '25 20:07 gabrieljones

@ZachChuba I updated and tested the upgrade via https://github.com/yeikel/testcontainers-java/pull/2. All the tests are passing now

Can you merge that patch in?

After that, we'll need help to get it reviewed

yeikel avatar Jul 13 '25 20:07 yeikel

@yeikel Pushed the changes, in this PR

ZachChuba avatar Jul 14 '25 12:07 ZachChuba

@yeikel Pushed the changes, in this PR

As per GitHub, your branch is not up to date with main. Can you resolve that?

yeikel avatar Jul 14 '25 12:07 yeikel

Rebased

ZachChuba avatar Jul 15 '25 17:07 ZachChuba

Thank you so much for your contribution!

eddumelendez avatar Jul 16 '25 03:07 eddumelendez

Thanks everyone, I've been following keenly.

Just need to wait for the release now, when do we think that would be?

codefish1 avatar Jul 16 '25 07:07 codefish1

Thank you so much for your contribution

@eddumelendez Thank you for the quick turnaround

Given that what motivated this change was a CVE, is there any chance we can push this out as a minor patch?

I noticed that it is part of the next milestone, but it is unclear what the criteria for the next release are.

Thank you!

yeikel avatar Jul 16 '25 11:07 yeikel

@eddumelendez Same question as above, is there any information on when the next release that contains this change will be available?

mstuy avatar Jul 31 '25 20:07 mstuy

Hi, when is this going to be available in a release, please? Or is there some roadmap with planned future releases, please?

baldimir avatar Aug 13 '25 12:08 baldimir

Hi, same request as above. It would be really helpful for us to have this as a patch release

Rene2000k avatar Sep 12 '25 08:09 Rene2000k

Hi team,

Sorry for the ping but we've been waiting since May

is there anything we can do to help this move forward as a release?

Thanks in advance!

yeikel avatar Oct 14 '25 19:10 yeikel

@yeikel @Rene2000k I've been waiting as well, v2.0.1 is now released and shows 0 vulns on sonatype.

ZachChuba avatar Oct 24 '25 16:10 ZachChuba

@yeikel @Rene2000k I've been waiting as well, v2.0.1 is now released and shows 0 vulns on sonatype.

Yep, thank you. V2.0.0 is also not showing any vuln for me

yeikel avatar Oct 24 '25 17:10 yeikel