galasa-dev / projectmanagement

Project Management repo for Issues and ZenHub

Bundles need to be upgraded #2028

Open techcobweb opened 1 week ago

techcobweb commented 1 week ago

Story

As a user of Galasa I want to know that the latest vulnerability-free versions of the code it depends upon are being used, so I can be more confident in the safety of using the galasa tools and systems.

Background

Some of our dependencies are out of date, and need updating.

Tasks

jlolivos commented 1 day ago

Please find below the High and Medium dependencies.

High:

log4j-1.2.17.jar: log4j-manual-1.2.17-16; log4j-javadoc-1.2.17-16; log4j-1.2.17-16, 1.2.17-16; uom-parent-1.0.3-3.module, 1.0.3-3.module; uom-se-javadoc-1.0.4-3.module; parfait-examples-0.5.4-4.module; log4j-manual-1.2.17-16; si-units-javadoc-0.6.5-2.module; unit-api-1.0-5.module, 1.0-5.module; unit-api-javadoc-1.0-5.module; parfait-0.5.4-4.module, 0.5.4-4.module; log4j-javadoc-1.2.17-16; uom-systems-javadoc-0.7-1.module; uom-lib-javadoc-1.0.1-6.module; uom-systems-0.7-1.module, 0.7-1.module; log4j-1.2.17-16, 1.2.17-16; uom-se-1.0.4-3.module, 1.0.4-3.module; uom-lib-1.0.1-6.module, 1.0.1-6.module; parfait-javadoc-0.5.4-4.module; pcp-parfait-agent-0.5.4-4.module; si-units-0.6.5-2.module, 0.6.5-2.module; org.apache.logging.log4j:log4j-core:2.0; ch.qos.reload4j:reload4j:1.2.18.3

kafka-clients-1.1.1.jar: org.apache.servicemix.bundles:org.apache.servicemix.bundles.kafka-clients:2.1.1_1

protobuf-java-3.21.10.jar: com.google.protobuf:protobuf-javalite - 3.25.5, 4.28.2, 4.27.5; com.google.protobuf:protobuf-java - 4.27.5, 3.25.5, 4.28.2

jose4j-0.9.2.jar: org.bitbucket.b_c:jose4j:0.9.3 org.bitbucket.b_c:jose4j:0.9.4

protobuf-java-3.24.0.jar: com.google.protobuf:protobuf-javalite - 3.25.5, 4.28.2, 4.27.5; com.google.protobuf:protobuf-java - 4.27.5, 3.25.5, 4.28.2

protobuf-javalite-3.24.0.jar: com.google.protobuf:protobuf-javalite - 3.25.5, 4.28.2, 4.27.5; com.google.protobuf:protobuf-java - 4.27.5, 3.25.5, 4.28.2

httpd-2.4.59-rc1-candidate: (page 8) httpd-2.4.60

bcprov-jdk18on-1.75.jar: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78, BouncyCastle.Cryptography - 2.3.1

commons-io-2.8.0.jar: commons-io:commons-io:2.14.0

snakeyaml-1.27.jar: org.yaml:snakeyaml:1.31, org.yaml:snakeyaml:1.32

snappy-java-1.1.7.1.jar: org.xerial.snappy:snappy-java:1.1.10.1, org.xerial.snappy:snappy-java:1.1.10.4

jszip-3.7.1.js: jszip - 3.8.0

Medium:

jquery-3.3.1.js: jquery - 3.5.0; jquery-rails - 4.4.0

commons-codec-1.11.jar: commons-codec:commons-codec:1.13

woodstox-core-6.2.6.jar: com.fasterxml.woodstox:woodstox-core:5.4.0, 6.4.0

bcprov-jdk18on-1.75.jar: org.bouncycastle:bcprov-jdk18on:1.78, org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk14:1.78, BouncyCastle.Cryptography - 2.3.1

jackson-databind-2.12.4.jar: com.fasterxml.jackson.core:jackson-databind:2.12.6, 2.13.1; com.fasterxml.jackson.core:jackson-core:2.12.6, 2.13.1

okio-jvm-3.0.0.jar: com.squareup.okio:okio-jvm:3.4.0

commons-compress-1.21.jar: org.apache.commons:commons-compress:1.26.0

guava-30.1.1-jre.jar: com.google.guava:guava:32.0.1-android, 32.0.1-jre

jlolivos commented 1 day ago

Please find here:

gradle_dependencies.txt mvn_dependencies.txt

techcobweb commented 23 hours ago

@jlolivos I've no idea what that gradle_dependencies.txt file means. Doesn't look like dependencies as I know them.

I actually was asking: if we upgraded everything in the description, do you think the scans would pass?

jlolivos commented 23 hours ago

Regarding the gradle file, it is the output for all Galasa repositories of this command: $ find . -name 'build.gradle' -exec grep -H "bundleDependency" {} \; > gradle_dependencies.txt

Regarding updates, to have the scan pass please include the ones I added; those are also in the report.