logback vulnerabilities

guardian / grid

The Guardian’s image management system

https://www.theguardian.com/info/developer-blog/2015/aug/12/open-sourcing-grid-image-service

Apache License 2.0

1.44k stars 119 forks source link

logback vulnerabilities #4299

Closed dblatcher closed 2 weeks ago

dblatcher commented 2 weeks ago

What does this change?

Addresses vulnerabilities from ch.qos.logback:logback-classic:

adds dependency overrides to patch vulnerabilities in logback-classic
patches kinesis-logback-appender to 1.4.4 (did not upgrade to v2 as relies on awsSdk v2 - Grid currently using awsSdk v1)

How should a reviewer test this change?

project should still compile, test and run - healthchecks for all services should pass.

How can success be measured?

reduction in vulnerabilities

Who should look at this?

Tested? Documented?

[x] locally by committer
[ ] locally by Guardian reviewer
[ ] on the Guardian's TEST environment
[ ] relevant documentation added or amended (if needed)

github-actions[bot] commented 2 weeks ago

- [Deploy build 12595 to TEST](https://riffraff.gutools.co.uk/deployment/deployAgain?project=media-service%3A%3Agrid%3A%3Aall&build=12595&stage=TEST&updateStrategy=MostlyHarmless&action=deploy) - [Deploy parts of build 12595 to TEST by previewing it first](https://riffraff.gutools.co.uk/preview/yaml?project=media-service%3A%3Agrid%3A%3Aall&build=12595&stage=TEST&updateStrategy=MostlyHarmless)

From guardian/actions-riff-raff.

prout-bot commented 2 weeks ago

Seen on auth, usage, image-loader, metadata-editor, cropper, kahuna (merged by @dblatcher 8 minutes and 39 seconds ago) Please check your changes!

prout-bot commented 2 weeks ago

Seen on collections, thrall, media-api (merged by @dblatcher 8 minutes and 43 seconds ago) Please check your changes!

prout-bot commented 2 weeks ago

Seen on leases (merged by @dblatcher 8 minutes and 47 seconds ago) Please check your changes!