browserstack / java-appium-app-browserstack


Appium 8 Dependency Issues and com.browserstack 1.0.x CVE-2020-15250 Vulnerability Mitigation #29

Open ghsm4-db-mb-auto-dvps opened 1 year ago

ghsm4-db-mb-auto-dvps commented 1 year ago

The projects I am working on run fine on appium 7x with their current configurations. Initially I simply attempted to update the appium POM dependencies to 8.x and received an Error:

[ERROR] cannot access org.openqa.selenium.Rotatable: class file for org.openqa.selenium.Rotatable not found

I then created a new project based on the GitHub cucumber skeleton project using the following dependencies: Additionally, I did not include the com.browserstack dependency in your project due to the vulnerability listed in the title. However, the prior project mentioned above does not implement it and has no issues running (though it too has the vulnerability and needs to be upgraded as well). In fact, the issue with selenium / appium will also break cucumber execution entirely. Finally, the driver code I am using is the same as the code you provided in your project:

    DesiredCapabilities caps = new DesiredCapabilities();
    HashMap<String, Object> browserstackOptions = new HashMap<String, Object>();

    // Set your access credentials
    browserstackOptions.put("userName",user);
    browserstackOptions.put("accessKey",key);

    // Set other BrowserStack capabilities
    browserstackOptions.put("appiumVersion", "1.22.0");
    browserstackOptions.put("projectName", "First Java Project");
    browserstackOptions.put("buildName", "browserstack-build-1");
    browserstackOptions.put("sessionName", "first_test");

    // Passing browserstack capabilities inside bstack:options
    caps.setCapability("bstack:options", browserstackOptions);

    // Set URL of the application under test
    caps.setCapability("app", "bs://<appid>");//the actual app ID was provided here but has been redacted

    // Specify deviceName and platformName for testing
    caps.setCapability("deviceName", "Samsung Galaxy S22 Ultra");
    caps.setCapability("platformName", "android");
    caps.setCapability("platformVersion", "12.0");

    String baseUrl = "http://hub.browserstack.com/wd/hub";
    return new AndroidDriver(new URL(baseUrl), caps);

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.junit</groupId>
            <artifactId>junit-bom</artifactId>
            <version>5.9.1</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
        <dependency>
            <groupId>io.cucumber</groupId>
            <artifactId>cucumber-bom</artifactId>
            <version>7.8.1</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
        <dependency>
            <groupId>com.azure</groupId>
            <artifactId>azure-core</artifactId>
            <version>1.34.0</version>
        </dependency>
    </dependencies>
</dependencyManagement>
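<dependencies>
    <dependency>
        <groupId>org.junit.platform</groupId>
        <artifactId>junit-platform-suite</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.junit.jupiter</groupId>
        <artifactId>junit-jupiter</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>io.cucumber</groupId>
        <artifactId>cucumber-testng</artifactId>
        <version>7.8.1</version>
    </dependency>
    <dependency>
        <groupId>io.cucumber</groupId>
        <artifactId>cucumber-java</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>io.cucumber</groupId>
        <artifactId>cucumber-junit-platform-engine</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>io.cucumber</groupId>
        <artifactId>cucumber-testng</artifactId>
        <version>7.8.1</version>
    </dependency>
    <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-handler</artifactId>
        <version>4.1.69.Final</version>
    </dependency>
    <dependency>
        <groupId>org.testng</groupId>
        <artifactId>testng</artifactId>
        <version>6.9.8</version>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>io.appium</groupId>
        <artifactId>java-client</artifactId>
        <version>8.0.0</version>
    </dependency>
    <dependency>
        <groupId>com.konghq</groupId>
        <artifactId>unirest-java</artifactId>
        <version>4.0.0-RC2</version>
    </dependency>
    <dependency>
        <groupId>com.konghq</groupId>
        <artifactId>unirest-object-mappers-gson</artifactId>
        <version>4.0.0-RC6</version>
    </dependency>
    <dependency>
        <groupId>com.konghq</groupId>
        <artifactId>unirest-objectmapper-jackson</artifactId>
        <version>4.0.0-RC6</version>
    </dependency>
</dependencies>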

Stack Error is as follows:

[java file location and name redacted] cannot access org.openqa.selenium.Rotatable class file for org.openqa.selenium.Rotatable not found
at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:375)
at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:351)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:171)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:163)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:294)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
at org.apache.maven.cli.MavenCli.execute (MavenCli.java:960)
at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:293)
at org.apache.maven.cli.MavenCli.main (MavenCli.java:196)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:77)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:568)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: org.apache.maven.plugin.compiler.CompilationFailureException: Compilation failure
[java file location and name redacted] cannot access org.openqa.selenium.Rotatable class file for org.openqa.selenium.Rotatable not found

at org.apache.maven.plugin.compiler.AbstractCompilerMojo.execute (AbstractCompilerMojo.java:1310)
at org.apache.maven.plugin.compiler.TestCompilerMojo.execute (TestCompilerMojo.java:183)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:370)
at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:351)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:171)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:163)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:294)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
at org.apache.maven.cli.MavenCli.execute (MavenCli.java:960)
at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:293)
at org.apache.maven.cli.MavenCli.main (MavenCli.java:196)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:77)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:568)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)

bs-ashwanipathak commented 1 year ago

I have checked the same issue on other online sources and found that this issue can be resolved by updating java-client and selenium-java. Try updating these and please share the behavior.

https://github.com/appium/appium/discussions/17860
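
One way to check what an upgrade like the one suggested above actually resolves to, as an added example that is not part of this thread or of the project's code: it scans `mvn dependency:tree` text for Selenium artifacts resolved at different major versions and for `junit:junit` in the range affected by CVE-2020-15250 (4.7 up to, but not including, 4.13.1). The sample tree, the `com.example` coordinates and the function names are constructed for illustration.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not taken from the issue).
SAMPLE_TREE = """\
[INFO] com.example:mobile-tests:jar:1.0-SNAPSHOT
[INFO] +- io.appium:java-client:jar:8.0.0:compile
[INFO] |  +- org.seleniumhq.selenium:selenium-api:jar:4.1.1:compile
[INFO] |  \\- org.seleniumhq.selenium:selenium-remote-driver:jar:4.1.1:compile
[INFO] +- com.example:legacy-helpers:jar:2.3:test
[INFO] |  +- org.seleniumhq.selenium:selenium-support:jar:3.141.59:test
[INFO] |  \\- junit:junit:jar:4.12:test
[INFO] \\- org.testng:testng:jar:6.9.8:test
"""

# Affected range for CVE-2020-15250: 4.7 <= version < 4.13.1
JUNIT_VULN_FROM, JUNIT_FIXED = (4, 7), (4, 13, 1)

def parse_tree(text):
    """Yield (group, artifact, version) for every dependency line."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        # group:artifact:type[:classifier]:version:scope (the root line has no scope)
        parts = tokens[-1].split(":")
        if len(parts) >= 5:
            yield parts[0], parts[1], parts[-2]

def version_tuple(version):
    """Leading numeric components: '4.13.1' -> (4, 13, 1), '4.13-beta-1' -> (4, 13)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(x) for x in m.group().split(".")) if m else ()

def audit(text):
    """Return a list of findings for the resolved dependency tree."""
    findings, selenium = [], {}
    for group, artifact, version in parse_tree(text):
        if group == "org.seleniumhq.selenium":
            selenium.setdefault(version, []).append(artifact)
        if (group, artifact) == ("junit", "junit") and \
                JUNIT_VULN_FROM <= version_tuple(version) < JUNIT_FIXED:
            findings.append(f"junit:junit {version} is in the CVE-2020-15250 range; fixed in 4.13.1")
    if len({version_tuple(v)[:1] for v in selenium}) > 1:
        detail = "; ".join(f"{v} ({', '.join(selenium[v])})"
                           for v in sorted(selenium, key=version_tuple))
        findings.append(f"Selenium major versions mixed on one classpath: {detail}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_TREE):
        print(finding)
```
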