atomashpolskiy / bt

BitTorrent library and client with DHT, magnet links, encryption and more
https://atomashpolskiy.github.io/bt/
Apache License 2.0
2.4k stars, 382 forks

Gradle issues with cling dependency library (upnp module) #210

Open aqua-pro opened 1 year ago

aqua-pro commented 1 year ago

Greetings

I have set up Gradle to create a Kotlin project for Torrents

    repositories {
        mavenCentral()
    }

    dependencies {
        implementation("com.github.atomashpolskiy:bt-core:1.10")
        implementation("com.github.atomashpolskiy:bt-dht:1.10")
        implementation("com.github.atomashpolskiy:bt-http-tracker-client:1.10")
        implementation("com.github.atomashpolskiy:bt-upnp:1.10")
        testImplementation(kotlin("test"))
    }

I'm getting an error with the bt-upnp library: it can't find the cling library. I can, however, see it available at mvnrepository here: https://mvnrepository.com/artifact/org.fourthline.cling/cling-core/2.1.1

    KotlinUpdater5:test: Could not find org.fourthline.cling:cling-core:2.1.1.
    Required by:
        project : > com.github.atomashpolskiy:bt-upnp:1.10
    Possible solution:

Does anyone have the same issue? Any idea how to fix this?

Thank you
Best regards

atomashpolskiy commented 1 year ago

Sorry, no ideas from my side. Are you sure that you need UPnP at all?

On Wed, 12 Oct 2022 at 17:04, aqua-pro @.***> wrote:


pyckle commented 1 year ago

Most likely this is due to the Gradle equivalent of CVE-2021-26291 - https://maven.apache.org/docs/3.8.1/release-notes.html

As the 4thline.org repo lacks HTTPS, there's no easy fix. A release of cling probably should be uploaded to Maven Central, but as there's no maintainer and it hasn't been updated in years, I doubt this will be done any time soon.

aqua-pro commented 1 year ago

Greetings, dear friends

I've "fixed" it this way. I know it's insecure, but I really don't know any other way.

    repositories {
        mavenCentral()
        maven {
            url = uri("http://4thline.org/m2")
            isAllowInsecureProtocol = true
        }
    }

I believe the real fix is making a Cling fork, releasing the artifacts on Maven Central, and changing the dependencies in the BT project to the new fork. I also see many different CVEs on the libraries; it might be interesting to maintain them.

Thank you for your support!
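
One way to narrow the exposure of the plain-HTTP workaround in the comment above, as an added example that is not from this thread or the bt project: scope the insecure repository to the Cling artifacts only and pin their checksums with Gradle dependency verification. The repository name and the `org.seamless` group are assumptions; the coordinates and URL are the ones posted in the thread.

```kotlin
// build.gradle.kts -- added example, not the bt project's own build file.

repositories {
    // Everything except the groups filtered below still resolves over HTTPS.
    mavenCentral()

    // exclusiveContent works in both directions:
    //  - the listed groups are looked up ONLY in the HTTP repository, and
    //  - the HTTP repository is never asked for any other group, so a
    //    network attacker cannot use it to serve a tampered copy of an
    //    unrelated dependency.
    exclusiveContent {
        forRepository {
            maven {
                name = "fourthlineHttp" // hypothetical name
                url = uri("http://4thline.org/m2")
                isAllowInsecureProtocol = true
            }
        }
        filter {
            includeGroup("org.fourthline.cling")
            // Assumption: cling-core pulls its transitive dependencies from
            // this group on the same host. Drop the line if resolution
            // succeeds without it.
            includeGroup("org.seamless")
        }
    }
}

dependencies {
    implementation("com.github.atomashpolskiy:bt-core:1.10")
    implementation("com.github.atomashpolskiy:bt-dht:1.10")
    implementation("com.github.atomashpolskiy:bt-http-tracker-client:1.10")
    implementation("com.github.atomashpolskiy:bt-upnp:1.10")
    testImplementation(kotlin("test"))
}

// Pin what was downloaded so a later in-transit modification fails the build:
//
//   ./gradlew --write-verification-metadata sha256 help
//
// This writes gradle/verification-metadata.xml; commit it. The first download
// still travels over HTTP, so the recorded hashes are trust-on-first-use:
// compare the cling and seamless entries against a copy obtained over a
// different network path before committing the file.
```

Once `gradle/verification-metadata.xml` exists, Gradle checks every resolved artifact against it, so dependencies added later need their entries regenerated and reviewed the same way.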