graal-sdk 22.0.0.2 has 6 vulnerabilities #2148

Closed
julianladisch opened this issue Oct 21, 2022 · 15 comments

@julianladisch
Contributor

The develop branch comes with graal-sdk 22.0.0.2:

mvn dependency:tree -Dincludes=org.graalvm.sdk:graal-sdk
[INFO] com.intuit.karate:karate-core:jar:1.3.0-SNAPSHOT
[INFO] \- org.graalvm.js:js-scriptengine:jar:22.0.0.2:compile
[INFO]    \- org.graalvm.sdk:graal-sdk:jar:22.0.0.2:compile

Snyk reports 6 vulnerabilities for graal-sdk 22.0.0.2:
https://security.snyk.io/package/maven/org.graalvm.sdk:graal-sdk/22.0.0.2

Please upgrade to a fixed version of Graal.

@ptrthomas
Member

duplicate of #2009 - please comment there

@lukasz-gosiewski

@ptrthomas Hey, I don't think this was a duplicate.
The linked issue (that was fixed in 1.3.0, which was just released) is about migrating to the 22.x branch. And this is, indeed, done. The thing is that the version to which karate was migrated is still vulnerable, and those vulns are rather serious. Those listed by the original author are exactly in version 22.0.0.2, which is right now used in karate-junit5. So instead of closing it as a duplicate, it should be fixed by upgrading to 22.1.0.

@ptrthomas
Member

@lukasz-gosiewski if you read the complete thread, my understanding is that 22.1 requires us to move to Java 11, which is planned in this ticket: #2083

you are welcome to contribute a PR to speed up the process

@lukasz-gosiewski

Sure thing, it's not like I wanted to put any pressure there. I just wanted to note that solving the linked issue will not solve this one, which is not obvious to anyone coming from outside.

@ptrthomas
Member

@lukasz-gosiewski no worries, thanks for calling this out and I guess more people would be interested in this - so the details are clear now

since this sounds more serious than I thought, we will consider creating a java11 branch and releasing a 1.4.0.RC1 sooner - so that at least those with very strict security policies can move ahead

@lukasz-gosiewski

@ptrthomas Sounds perfect, as Snyk is reporting those vulns pretty aggressively. I've tried bumping GraalVM manually but it won't work with karate-junit5 due to the compatibility issues (most probably the same ones that require you to bump to Java 11).

@ptrthomas
Member

@lukasz-gosiewski the changes are minimal and I've just made them. I don't know if building from source is sufficient for you to validate that it clears all vuln-checks, but let me know. Either way, it looks like we can make a 1.4.0 release pretty quickly.

reopening this ticket for visibility

@ptrthomas ptrthomas reopened this Nov 3, 2022
@ptrthomas ptrthomas added this to the 1.4.0 milestone Nov 3, 2022
@ptrthomas
Member

@lukasz-gosiewski one more thing, I was able to force-upgrade graal on one of my side-projects (and using junit5) so here's the pom for reference: https://github.com/ptrthomas/karate-oas-demo/blob/ac08c940888c9eca652eed3725320eff0352ad21/pom.xml#L20-L31
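The force-upgrade approach referred to above, written out as an added example (this is not the Karate project's pom and not the linked karate-oas-demo pom): a consuming project's `dependencyManagement` pins every `org.graalvm` artifact that karate-core pulls in transitively to one fixed version, which Maven then uses in place of the 22.0.0.2 that js-scriptengine declares. Karate 1.4.0.RC1 and Graal 22.2.0.1 are the versions reported later in this thread as working together on Java 11; the property names, the placeholder project coordinates, and the `truffle-api` and `regex` entries (which are not in the dependency tree shown above) are assumptions to adjust to your own tree.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the Karate project's pom. Forces the transitive
     GraalVM artifacts to one fixed version via dependencyManagement.
     Project coordinates and property names are placeholders (assumed);
     the truffle-api and regex entries are assumed to be in your tree.
     Check with: mvn dependency:tree -Dincludes='org.graalvm.*' -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>karate-tests</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Graal 22.1.0 and later need Java 11+ (the #2083 move in this thread) -->
    <maven.compiler.release>11</maven.compiler.release>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <karate.version>1.4.0.RC1</karate.version>
    <graal.version>22.2.0.1</graal.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- A managed version in the consuming pom overrides the version a
           transitive dependency (here karate-core -> js-scriptengine)
           declares, so graal-sdk 22.0.0.2 is replaced without any
           exclusions. Keep every org.graalvm artifact at the same
           version; mixed Graal/Truffle versions are not supported. -->
      <dependency>
        <groupId>org.graalvm.js</groupId>
        <artifactId>js-scriptengine</artifactId>
        <version>${graal.version}</version>
      </dependency>
      <dependency>
        <groupId>org.graalvm.js</groupId>
        <artifactId>js</artifactId>
        <version>${graal.version}</version>
      </dependency>
      <dependency>
        <groupId>org.graalvm.sdk</groupId>
        <artifactId>graal-sdk</artifactId>
        <version>${graal.version}</version>
      </dependency>
      <dependency>
        <groupId>org.graalvm.truffle</groupId>
        <artifactId>truffle-api</artifactId>
        <version>${graal.version}</version>
      </dependency>
      <dependency>
        <groupId>org.graalvm.regex</groupId>
        <artifactId>regex</artifactId>
        <version>${graal.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.intuit.karate</groupId>
      <artifactId>karate-junit5</artifactId>
      <version>${karate.version}</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

After applying it, rerun the same check the issue opens with, `mvn dependency:tree -Dincludes=org.graalvm.sdk:graal-sdk` (or `-Dincludes='org.graalvm.*'` for the whole group), and confirm that only the pinned version appears; a scanner such as Snyk resolves the same tree, so a leftover 22.0.0.2 anywhere in it will still be reported.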

@lukasz-gosiewski

@ptrthomas I can't validate a thing built from source against our Snyk setup, but I have validated your way of enforcing GraalVM dependencies and it works perfectly fine. It clears all the issues from Snyk and the dependency tree looks fine. Do you need me to validate anything more?

@ptrthomas
Member

@lukasz-gosiewski great. and I was able to make a release to maven central. it has been a few minutes, so should be ready now.

I decided to take this opportunity to test the whole release GitHub action, Docker and all. The version is 1.4.0.RC1; do let me know how it goes!

@edwardsph
Contributor

My system runs with Karate 1.3.0, Java 11 and Graal 22.1.0.1 (and Quarkus 2.11.3.Final).
Previously it didn't work if I upgraded Graal to 22.2.0 (which is what Quarkus needs in 2.12-2.14).

However, I just tested with Karate 1.4.0.RC1, Java 11 and Graal 22.2.0.1 (and Quarkus 2.14.0.Final) and it appears to work. I will continue to test with this combination. It is now Quarkus that is behind, as I cannot upgrade to Graal 22.3.0 yet, but downgrading Graal doesn't appear to be an issue. This is a great step forwards and also reduces the number of vulnerabilities I have to analyze. The remaining ones brought in by Karate appear to be related to:

  • org.yaml.snakeyaml-1.32
  • armeria-1.18.0
  • netty-tcnative-boringssl-static-2.0.54.Final-osx-x86_64.jar

However, I've superseded the first and don't use the vulnerable aspects of the others.

Thanks for releasing 1.4.0.RC1

@lukasz-gosiewski

@ptrthomas I just migrated to 1.4.0.RC1 and it works perfectly. That was a really fast reaction, thank you!

@ptrthomas
Member

thanks @edwardsph and @lukasz-gosiewski for the feedback!

@ptrthomas
Member

an update for anyone landing here: we don't support running on GraalVM, which someone attempted here: #2243

I guess the only option in this case is to use a separate Maven project (or profile) to run your tests, unless anyone has better ideas. cc @droger88

@ptrthomas
Member

1.4.0 released

4 participants