Closed: akurtakov closed 1 year ago
Currently reddeer requires org.yaml.snakeyaml;bundle-version="1.14.0": https://github.com/search?q=repo%3Aeclipse%2Freddeer+snakeyaml&type=code
Current Eclipse IDE ships 1.27 from Orbit. All those versions are reported to have multiple vulnerabilities: https://mvnrepository.com/artifact/org.yaml/snakeyaml
Would you please require snakeyaml 2.0?
@merks Could you please help this project with setting up proper usage of maven central artifacts?
I will look into it now.
I'm kind of confused where the dependencies come from. I can't find a *.target file. Searching all the files doesn't even clue me in to where the dependency might be specified...
merks@CORE MINGW64 /d/Users/merks/temp/reddeer
$grep snake $(find . -type f )
./NOTICE.md:snakeyaml (1.27.0)
./plugins/org.eclipse.reddeer.junit/META-INF/MANIFEST.MF: org.yaml.snakeyaml;bundle-version="1.14.0"
./plugins/org.eclipse.reddeer.junit/src/org/eclipse/reddeer/junit/internal/configuration/reader/JSONConfigurationReader.java:import org.yaml.snakeyaml.Yaml;
./plugins/org.eclipse.reddeer.junit/src/org/eclipse/reddeer/junit/internal/configuration/reader/JSONConfigurationReader.java:import org.yaml.snakeyaml.constructor.SafeConstructor;
./tests/org.eclipse.reddeer.integration.test/MANIFEST.MF: org.yaml.snakeyaml;bundle-version="1.14.0"
Instead of target file the project defines p2 sites in the pom.xml e.g. https://github.com/eclipse/reddeer/blob/master/pom.xml#L208 . Switching the project to target file is probably better as it's kind of standard.
Reddeer could use https://download.eclipse.org/oomph/simrel-orbit/2023-09 which aggregates Orbit's IBuild (currently with all the direct-from-Maven dependencies of all the SimRel projects, already PGP signed). It contains the following versions:
I assume, given there is no upper bound on the dependency in the MANIFEST.MF, the build would just pick up the 2.0.0 version automatically. Of course this update site will update to minor versions "automatically", and at some point soon, this will be provided/hosted by Orbit's downloads.
Okay?
@merks @akurtakov I have prepared a PR to tackle this issue: https://github.com/eclipse/reddeer/pull/2206. Although I like the site Ed proposed, I will work that in.
Do you plan new release soon? It would be nice to have one so this old snakeyaml disappears through the transitive deps updates for 2023-09.
@akurtakov we are working on new release (4.7.0): https://github.com/eclipse/reddeer/issues/2216 :)
This release fixes CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471 according to https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes
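As an added illustration (not reddeer's own code), this is the SnakeYAML 2.x loading pattern that the SafeConstructor import in JSONConfigurationReader points at: SafeConstructor builds only standard YAML types and refuses global tags that name arbitrary classes, which is the unsafe-deserialization behaviour CVE-2022-1471 concerns. The class name SafeYamlLoad, the tag com.example.NotAllowed and both YAML documents are constructed for this example.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

public class SafeYamlLoad {
    // Constructed sample: a plain mapping, the shape a test configuration normally has.
    static final String PLAIN = "requirements:\n  - name: server\n    version: 2\n";

    // Constructed sample: same shape, but the value carries a global tag naming a Java class.
    // With the default Constructor, SnakeYAML would try to instantiate that class.
    static final String TAGGED = "requirements: !!com.example.NotAllowed {name: server}\n";

    static Yaml safeYaml() {
        // SnakeYAML 2.x: SafeConstructor takes LoaderOptions; the no-arg constructor was removed.
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);
        return new Yaml(new SafeConstructor(opts));
    }

    // Returns plain Maps/Lists/scalars only; any global tag ends in ConstructorException.
    static Object load(String doc) {
        return safeYaml().load(doc);
    }

    public static void main(String[] args) {
        Map<?, ?> ok = (Map<?, ?>) load(PLAIN);
        System.out.println("plain document loaded, keys: " + ok.keySet());
        try {
            load(TAGGED);
            System.out.println("UNEXPECTED: tagged document was accepted");
        } catch (ConstructorException e) {
            // Expected: "could not determine a constructor for the tag ..."
            System.out.println("rejected tagged document: " + e.getMessage());
        }
    }
}
```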