morfologik / morfologik-stemming

Tools for finite state automata construction and dictionary-based morphological dictionaries. Includes Polish stemming dictionary.
BSD 3-Clause "New" or "Revised" License
188 stars 44 forks

Update vulnerable dependency #102

Closed TiagoSantos81 closed 4 years ago

TiagoSantos81 commented 5 years ago

Noticed this on my project, which has morfologik as a dependency. com.beust:jcommander:1.48, referenced in morfologik-tools/pom.xml, should be updated to 1.75 or later. https://snyk.io/vuln/SNYK-JAVA-COMBEUST-174815

It is not a simple update. A simple change of version in the pom will throw this:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.3:compile (default-compile) on project morfologik-tools: Compilation failure: Compilation failure: 
[ERROR] /home/pc/morfologik/morfologik-stemming/morfologik-tools/src/main/java/morfologik/tools/CliTool.java:[181,7] method usage in class com.beust.jcommander.JCommander cannot be applied to given types;
[ERROR]   required: no arguments
[ERROR]   found: java.lang.StringBuilder
[ERROR]   reason: actual and formal argument lists differ in length
[ERROR] /home/pc/morfologik/morfologik-stemming/morfologik-tools/src/main/java/morfologik/tools/CliTool.java:[187,7] method usage in class com.beust.jcommander.JCommander cannot be applied to given types;
[ERROR]   required: no arguments
[ERROR]   found: java.lang.StringBuilder
[ERROR]   reason: actual and formal argument lists differ in length
[ERROR] /home/pc/morfologik/morfologik-stemming/morfologik-tools/src/main/java/morfologik/tools/CustomParameterConverters.java:[9,1] morfologik.tools.CustomParameterConverters is not abstract and does not override abstract method getConverter(java.lang.Class<?>) in com.beust.jcommander.IStringConverterFactory
[ERROR] /home/pc/morfologik/morfologik-stemming/morfologik-tools/src/main/java/morfologik/tools/CustomParameterConverters.java:[19,51] name clash: getConverter(java.lang.Class<T>) in morfologik.tools.CustomParameterConverters and getConverter(java.lang.Class<?>) in com.beust.jcommander.IStringConverterFactory have the same erasure, yet neither overrides the other
[ERROR] /home/pc/morfologik/morfologik-stemming/morfologik-tools/src/main/java/morfologik/tools/CustomParameterConverters.java:[18,3] method does not override or implement a method from a supertype
[ERROR] -> [Help 1]
[ERROR] 
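The check behind the report above, as an added example that is not part of the morfologik project or of the issue author's code: a small script that parses a Maven pom.xml, resolves `${property}` version placeholders, and flags any dependency pinned below a known-fixed version. The `SAMPLE_POM` content and the `MIN_SAFE` table are constructed here for illustration; the only real data point they carry is the 1.75 floor for com.beust:jcommander stated in the issue.

```python
"""Flag Maven dependencies pinned below a known-fixed version.

Added example, not code from the morfologik project. SAMPLE_POM and MIN_SAFE
are constructed for the demonstration; the jcommander >= 1.75 floor is the one
the issue reports, every other value is illustrative.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom: a module that pins jcommander 1.48 through a
# property (the version the issue flags) plus one unrelated dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>tools</artifactId>
  <version>1.0.0</version>
  <properties>
    <jcommander.version>1.48</jcommander.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.beust</groupId>
      <artifactId>jcommander</artifactId>
      <version>${jcommander.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
    </dependency>
  </dependencies>
</project>
"""

# Hypothetical minimum-safe-version table; only the jcommander entry comes
# from the issue. In practice this would be fed by an advisory database.
MIN_SAFE = {
    "com.beust:jcommander": "1.75",
}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(version):
    """Turn '1.75' or '4.13.2' into a tuple of ints so versions order
    numerically; non-numeric suffixes such as '-SNAPSHOT' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def resolve_property(value, props):
    """Expand ${name} placeholders from the pom's <properties> block;
    unknown names are left as-is so they stay visible in the output."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def dependencies(pom_xml):
    """Yield (groupId:artifactId, resolved version) for each <dependency>."""
    root = ET.fromstring(pom_xml)
    props = {
        child.tag.split("}", 1)[1]: (child.text or "").strip()
        for child in root.findall("m:properties/*", NS)
    }
    for dep in root.findall("m:dependencies/m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        ver = dep.findtext("m:version", default="", namespaces=NS).strip()
        yield f"{gid}:{aid}", resolve_property(ver, props)


def vulnerable_dependencies(pom_xml, min_safe=MIN_SAFE):
    """Return [(coordinate, pinned version, required floor)] for every
    dependency whose pinned version is below the known-fixed one."""
    findings = []
    for coord, ver in dependencies(pom_xml):
        floor = min_safe.get(coord)
        if floor and parse_version(ver) < parse_version(floor):
            findings.append((coord, ver, floor))
    return findings


if __name__ == "__main__":
    for coord, found, required in vulnerable_dependencies(SAMPLE_POM):
        print(f"{coord}: pinned {found}, needs >= {required}")
```

The script only inspects direct dependencies declared in one pom; transitive versions and parent-pom inheritance are resolved by Maven, so for a real audit run it against the output of `mvn dependency:tree` or a lockfile rather than a single module's pom.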
dweiss commented 5 years ago

Why do you have a dependency on the tools? This isn't a library package -- it's a set of end-user programs.

TiagoSantos81 commented 5 years ago

This was an FYI, after looking at the snyk warning, and I believe that since this library is used by hundreds of projects, a vulnerability here can be significant. If I understand the report correctly, even though there is a low chance that you got an altered version of that dependency, if that was the case, it can contain anything in it.

Why do you have a dependency on the tools? This isn't a library package -- it's a set of end-user programs.

The use I give it is irrelevant to this problem, but the tools are integrated to help language developers build or update the morfologik dictionaries used.

dweiss commented 4 years ago

Updated to jcommander 1.78.