Fix web3signer build #927

Merged
merged 3 commits into from
Oct 11, 2023

usmansaleem
Contributor

PR Description

  • Upgrade gradle wrapper to 7.6 to allow build using Java 19 without existing ~/.gradle/caches pre-populated.
  • Temporary suppression of resurfaced CVE-2023-4586 as no current fix is available and our code is not directly using the netty handlers.

Fixed Issue(s)

#926

Documentation

  • I thought about documentation and added the doc-change-required label to this PR if updates are required.

Changelog

  • I thought about adding a changelog entry, and added one if I deemed necessary.

Testing

  • I thought about testing these changes in a realistic/non-local environment.

@usmansaleem usmansaleem requested review from siladu and jframe October 11, 2023 03:03
The other vulnerable lib is besu-metrics, which might want looking at, will see if this CVE gets flagged in besu first
file name: netty-handler-4.1.97.Final.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty\-handler@.*$</packageUrl>
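Review bot: the packageUrl pattern ends in `@.*$`, so this entry matches every netty-handler version, not only the 4.1.97.Final jar named in the notes, and the finding stays hidden after a fixed release is pulled in. Since the PR describes the suppression as temporary, either pin the version in the pattern or, if the enclosing suppress element has no `until` date, add one so the scan starts failing again at a known point. The notes should also record why it is safe to suppress (the PR description says the code does not use the netty handlers directly), so the next reader does not have to find this thread.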
Contributor


What was the reason for loosening the package filter? I'd be concerned that this CVE might crop up in other packages even though we've only considered netty-handler

Contributor Author


updated with more generic netty expression.

@usmansaleem usmansaleem merged commit 6d61cac into Consensys:master Oct 11, 2023
2 checks passed
@usmansaleem usmansaleem deleted the gradle_7.6 branch October 11, 2023 04:49
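
The filter-scope question raised in the review can be checked mechanically. The following is an added example, not code from this PR or from web3signer, and assumes the file is an OWASP dependency-check suppression file. It lists which dependencies each packageUrl filter silences and whether the entry expires. Only the first pattern and the CVE id come from the thread; the file contents, the dependency list, the second (broader) pattern and the matching semantics are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# Constructed suppression file. Entry 1 reuses the packageUrl pattern quoted in
# the review thread; entry 2 is a hypothetical broader pattern with an expiry,
# not the expression that was actually committed.
SUPPRESSIONS = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[file name: netty-handler-4.1.97.Final.jar]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.netty/netty\-handler@.*$</packageUrl>
    <cve>CVE-2023-4586</cve>
  </suppress>
  <suppress until="2024-01-01Z">
    <notes><![CDATA[constructed broader entry]]></notes>
    <packageUrl regex="true">^pkg:maven/io\.netty/netty\-.*@.*$</packageUrl>
    <cve>CVE-2023-4586</cve>
  </suppress>
</suppressions>"""

# Constructed dependency list (package URLs as a scanner would report them).
DEPENDENCIES = [
    "pkg:maven/io.netty/netty-handler@4.1.97.Final",
    "pkg:maven/io.netty/netty-handler@9.9.9.Final",      # made-up later release
    "pkg:maven/io.netty/netty-codec-http@4.1.97.Final",
    "pkg:maven/org.example/not-netty@1.0.0",
]

def audit(xml_text, purls):
    """Return, per packageUrl filter, the CVEs it hides, its expiry and its reach."""
    report = []
    for sup in ET.fromstring(xml_text).findall("s:suppress", NS):
        cves = [c.text for c in sup.findall("s:cve", NS)]
        for pu in sup.findall("s:packageUrl", NS):
            pattern = pu.text.strip()
            # Assumption: regex filters must match the whole identifier;
            # plain filters compare case-insensitively.
            if pu.get("regex") == "true":
                hits = [p for p in purls if re.fullmatch(pattern, p)]
            else:
                hits = [p for p in purls if p.lower() == pattern.lower()]
            report.append({"pattern": pattern, "cves": cves,
                           "until": sup.get("until"), "matched": hits})
    return report

if __name__ == "__main__":
    for row in audit(SUPPRESSIONS, DEPENDENCIES):
        print(row["cves"], row["until"] or "NO EXPIRY", row["pattern"], row["matched"])
```

Run against a real dependency report, an entry with no expiry that also matches versions newer than the one reviewed is the case to look at first.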