gradle / gradle-native

The home of Gradle's support for natively compiled languages
https://blog.gradle.org/introducing-the-new-cpp-plugins
Apache License 2.0

Vulnerabilities in Gradle 5.1.1 #1003

Closed gakhrejah closed 5 years ago

gakhrejah commented 5 years ago

Hi Team,

I am using Gradle 5.1.1 to compile my Spring Boot applications in a Docker container. I am using JFrog Artifactory to store all the artifacts. It runs a JFrog artifact scan which is causing the issue. Gradle 5.1.1 comes with commons-collections-3.2.2.jar in the lib folder and bcprov-jdk15on-1.60.jar in the lib/plugin folder. These JARs are causing the JFrog Xray issue. These are the vulnerabilities which are causing my build to fail.

Expected Behavior

XRAY scan should pass

Current Behavior

XRAY scan is failing with the vulnerabilities attached

Context

Can you please let me know: 1) Is there any way we can upgrade these 2 JARs in gradle-5.1.1? 2) I have tried directly replacing the JAR with the upgraded version, but then it is not able to compile my code.

Please let me know, as this issue is a blocker. Please let me know if you require any other info.

XRAY-SCAN-LOGS.txt for us

gakhrejah commented 5 years ago

JARS in which vulnerabilities are fixed

bcprov-jdk15on-1.61.jar
commons-collections4-4.2.jar

Can you please let us know how we can update the pre-existing JARs in the Gradle package, i.e. gradle-5.1.1-all.zip?

NOTE: I want the JARs to be updated in the Gradle package inside the lib folder.

Please let me know if you need any other info.
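Added example, not code from this issue or from the Gradle project: a Python check that inventories the JARs bundled under lib/ in a Gradle distribution zip and flags the two artifacts this thread names against the fixed versions the reporter lists. The zip contents below are a constructed stand-in for gradle-5.1.1-all.zip (entry names only), and the artifact/version table is an assumption taken from the thread rather than from any vulnerability database.

```python
import io
import re
import zipfile

# Fixed versions as named in the thread.  commons-collections4 is a separate
# artifact (package org.apache.commons.collections4) from commons-collections
# 3.x, so it is not a drop-in replacement for the 3.2.2 jar in lib/.
FIXED_VERSIONS = {
    "bcprov-jdk15on": (1, 61),
    "commons-collections": None,   # thread names commons-collections4 4.2 as the fix
    "commons-collections4": (4, 2),
}

JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def scan_distribution(zip_bytes):
    """Return (path, artifact, version, status) for each tracked jar under lib/."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for path in zf.namelist():
            # Distribution zips unpack to gradle-<ver>/lib/ and gradle-<ver>/lib/plugins/.
            if "/lib/" not in path or not path.endswith(".jar"):
                continue
            match = JAR_RE.match(path.rsplit("/", 1)[-1])
            if not match or match.group("artifact") not in FIXED_VERSIONS:
                continue
            artifact = match.group("artifact")
            version = parse_version(match.group("version"))
            fixed = FIXED_VERSIONS[artifact]
            if fixed is None:
                status = "flagged (thread names commons-collections4 4.2 as the fix)"
            elif version < fixed:
                status = "flagged (below %s)" % ".".join(map(str, fixed))
            else:
                status = "ok"
            findings.append((path, artifact, match.group("version"), status))
    return findings


def constructed_distribution():
    """Constructed stand-in for gradle-5.1.1-all.zip with empty jar entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("gradle-5.1.1/lib/commons-collections-3.2.2.jar",
                     "gradle-5.1.1/lib/plugins/bcprov-jdk15on-1.60.jar",
                     "gradle-5.1.1/lib/example-lib-2.0.jar"):   # constructed, untracked
            zf.writestr(name, b"")
    return buf.getvalue()
```

Point it at a real distribution with `scan_distribution(open("gradle-5.1.1-all.zip", "rb").read())`; an empty result means neither tracked artifact was found under lib/.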

lacasseio commented 5 years ago

Issue moved to gradle/gradle #8857 via ZenHub

lacasseio commented 5 years ago

The gradle/gradle-native board is for native (C++, Swift, etc) only issues. Please use gradle/gradle issue tracker for all other issues instead.