
fix(dependencies): update resteasy to remove CVE #1123

Open: wants to merge 3 commits into master
Conversation

claymccoy

An old version of resteasy is resolved transitively through org.pacesys:openstack4j in front50-swift. Updating this removes CVE-2020-1695.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1695

At Armory, we have been running this config for over a year, so this is a pretty safe change. We are just moving our own overrides to open source to fix CVEs for everyone.
|    |    |    \--- org.pacesys:openstack4j:3.2.0
|    |    |         +--- org.pacesys.openstack4j.connectors:openstack4j-resteasy:3.2.0
|    |    |         |    +--- org.jboss.resteasy:resteasy-client:3.1.4.Final
|    |    |         |    |    +--- org.jboss.resteasy:resteasy-jaxrs:3.1.4.Final -> 3.12.1.Final
@claymccoy claymccoy requested a review from j-sandy April 21, 2022 15:59
@j-sandy (Contributor) left a comment


@claymccoy I think we can easily constrain any transitive dependency upgrade using a constraint {} clause.
As per NVD, all resteasy 3.x.x versions prior to 3.12.0.Final have this vulnerability, and based on dependency insight it seems 3 libraries are being used by front50-swift. I think we may need to constrain all 3.

> Task :front50-swift:dependencyInsight
org.jboss.resteasy:resteasy-client:3.1.4.Final
   variant "compile" [
      org.gradle.status              = release (not requested)
      org.gradle.usage               = java-api
      org.gradle.libraryelements     = jar (compatible with: classes+resources)
      org.gradle.category            = library

      Requested attributes not found in the selected variant:
         org.gradle.dependency.bundling = external
         org.gradle.jvm.version         = 11
   ]

org.jboss.resteasy:resteasy-client:3.1.4.Final
\--- org.pacesys.openstack4j.connectors:openstack4j-resteasy:3.2.0
     \--- org.pacesys:openstack4j:3.2.0
          \--- compileClasspath

org.jboss.resteasy:resteasy-jaxrs:3.1.4.Final
   variant "compile" [
      org.gradle.status              = release (not requested)
      org.gradle.usage               = java-api
      org.gradle.libraryelements     = jar (compatible with: classes+resources)
      org.gradle.category            = library

      Requested attributes not found in the selected variant:
         org.gradle.dependency.bundling = external
         org.gradle.jvm.version         = 11
   ]

org.jboss.resteasy:resteasy-jaxrs:3.1.4.Final
\--- org.jboss.resteasy:resteasy-client:3.1.4.Final
     \--- org.pacesys.openstack4j.connectors:openstack4j-resteasy:3.2.0
          \--- org.pacesys:openstack4j:3.2.0
               \--- compileClasspath

org.jboss.resteasy:resteasy-jaxrs-services:3.1.4.Final
   variant "compile" [
      org.gradle.status              = release (not requested)
      org.gradle.usage               = java-api
      org.gradle.libraryelements     = jar (compatible with: classes+resources)
      org.gradle.category            = library

      Requested attributes not found in the selected variant:
         org.gradle.dependency.bundling = external
         org.gradle.jvm.version         = 11
   ]

org.jboss.resteasy:resteasy-jaxrs-services:3.1.4.Final
+--- org.jboss.resteasy:resteasy-client:3.1.4.Final
|    \--- org.pacesys.openstack4j.connectors:openstack4j-resteasy:3.2.0
|         \--- org.pacesys:openstack4j:3.2.0
|              \--- compileClasspath
\--- org.jboss.resteasy:resteasy-jaxrs:3.1.4.Final
     \--- org.jboss.resteasy:resteasy-client:3.1.4.Final (*)

@claymccoy (Author)

Okay, I can move it to a constraint block instead, but that gets trickier with some things now that kork is brought in through enforcedPlatform.
We have a project that is equivalent to kork-bom that overrides our own transitive dependencies and we want to get rid of it by moving our relevant overrides to OSS. In other cases (which I would appreciate your review on) we are making PRs to kork (spinnaker/kork#950, spinnaker/kork#951). But since this was only used in Front50, I didn't want to pollute kork with it.
I didn't understand what you meant by 3 libraries, it looked like it was coming in from org.pacesys:openstack4j:3.2.0 only.
Thanks for taking a look @j-sandy

@j-sandy (Contributor)

j-sandy commented Apr 27, 2022

@claymccoy I was referring to org.jboss.resteasy:resteasy-jaxrs-services, org.jboss.resteasy:resteasy-jaxrs, org.jboss.resteasy:resteasy-client. Later, I realized constraining only org.jboss.resteasy:resteasy-client should work, as the other 2 are transitive dependencies of resteasy-client.
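As an added example (not code from this PR or from front50 itself): the constraints {} approach j-sandy describes, written as a Groovy build script fragment for front50-swift. The coordinates and versions are the ones quoted on this page; the comments about enforcedPlatform describe general Gradle resolution behaviour and assume nothing about what kork-bom actually declares.

```groovy
// build.gradle for front50-swift (added example, not the PR's own diff).
dependencies {
    // openstack4j brings in resteasy 3.1.4.Final transitively, as the
    // dependencyInsight output on this page shows.
    implementation 'org.pacesys:openstack4j:3.2.0'

    // A constraint, unlike a direct `implementation` line, only applies
    // while something else still pulls resteasy in: drop openstack4j later
    // and resteasy leaves the classpath with it instead of lingering as a
    // stray direct dependency.
    constraints {
        // Pin resteasy-client; resteasy-jaxrs and resteasy-jaxrs-services
        // are its transitive dependencies, so they resolve to whatever the
        // pinned client declares rather than staying at 3.1.4.Final.
        implementation('org.jboss.resteasy:resteasy-client') {
            version {
                // `require` sets a floor: a higher version requested elsewhere
                // still wins. Use `strictly '3.12.1.Final'` to fail the build
                // instead if anything tries to move it.
                require '3.12.1.Final'
            }
            // Recorded in dependencyInsight output, so the reason survives
            // for the next person auditing the build.
            because 'CVE-2020-1695: resteasy 3.x before 3.12.0.Final is affected'
        }
    }
}

// Caveat for the enforcedPlatform() case claymccoy raises: a BOM imported
// with enforcedPlatform() applies its versions as strict constraints, so if
// that BOM lists a resteasy artifact, its version overrides `require` here
// and would conflict with a `strictly` pin. Check with:
//   ./gradlew :front50-swift:dependencyInsight \
//       --dependency resteasy-client --configuration compileClasspath
// and confirm all three resteasy artifacts report 3.12.1.Final.
```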

@dbyron-sf (Contributor)

@Mergifyio update

@mergify (Contributor)

mergify bot commented May 2, 2022

update

✅ Branch has been successfully updated

@@ -28,6 +28,7 @@ dependencies {
implementation "io.spinnaker.kork:kork-core"
implementation "org.springframework:spring-web"
implementation 'org.pacesys:openstack4j:3.2.0'
implementation 'org.jboss.resteasy:resteasy-jaxrs:3.12.1.Final'
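Review bot: adding only `implementation 'org.jboss.resteasy:resteasy-jaxrs:3.12.1.Final'` bumps one artifact and leaves resteasy-client (and resteasy-jaxrs-services) at 3.1.4.Final, which is exactly what the dependency tree in the description shows (`resteasy-client:3.1.4.Final` unchanged, only `resteasy-jaxrs:3.1.4.Final -> 3.12.1.Final`); the result is mixed resteasy versions on the classpath with two artifacts still in the 3.x-before-3.12.0.Final range the NVD entry covers. Declare `org.jboss.resteasy:resteasy-client:3.12.1.Final` instead, as the suggested change on this thread does, or put it under a `constraints {}` block so the pin only applies while openstack4j still pulls resteasy in, and re-run `:front50-swift:dependencyInsight` to confirm all three resteasy artifacts resolve to 3.12.1.Final.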
Contributor

Suggested change
implementation 'org.jboss.resteasy:resteasy-jaxrs:3.12.1.Final'
implementation 'org.jboss.resteasy:resteasy-client:3.12.1.Final'
