softwareCobbler / luceedebug

line debugger for lucee
GNU Lesser General Public License v2.1

Vulnerabilities in Guava Dependency #45

Closed jamiejackson closed 1 year ago

jamiejackson commented 1 year ago

There's a HIGH vulnerability.

guava-31.1-jre.jar (pkg:maven/com.google.guava/guava@31.1-jre, cpe:2.3:a:google:guava:31.1:*:*:*:*:*:*:*) : CVE-2023-2976, CVE-2020-8908

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Note that #44 helps identify this stuff. It will drop an HTML report as build/reports/dependency-check-report.html, which has more detail.
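As an added example (not the luceedebug project's own build file), this is how the two halves of this ticket look in a Gradle build: a dependency constraint that keeps Guava at or above the fixed release, and an OWASP dependency-check configuration that fails the build on a HIGH finding instead of only writing the HTML report. The plugin version, the `-jre` artifact suffix and the report directory are assumptions.

```groovy
// build.gradle (Groovy DSL)
plugins {
    id 'java'
    // OWASP dependency-check plugin; provides the dependencyCheckAnalyze task
    // mentioned in the thread. The version number is an assumption.
    id 'org.owasp.dependencycheck' version '8.4.0'
}

repositories { mavenCentral() }

dependencies {
    // Unconstrained, this resolved to guava 31.1-jre, the build flagged for
    // CVE-2023-2976 and CVE-2020-8908.
    implementation 'com.google.guava:guava'

    constraints {
        implementation('com.google.guava:guava') {
            // 32.0.0 contains the fix but breaks on Windows, so require a later
            // release; "-jre" classifier-style suffix assumed for the artifact name.
            version { require '32.1.2-jre' }
            because 'CVE-2023-2976 / CVE-2020-8908; 32.0.1 or later recommended'
        }
    }
}

dependencyCheck {
    // Fail the build on any finding with CVSS >= 7.0 (HIGH), so a vulnerable
    // transitive dependency stops CI rather than surfacing only in the report.
    failBuildOnCVSS = 7.0f
    formats = ['HTML', 'JSON']
    // Report is written to build/reports/dependency-check-report.html
    outputDirectory = "$buildDir/reports"
}
```

`./gradlew dependencyCheckAnalyze` regenerates the report, and `./gradlew dependencyInsight --dependency guava` shows which Guava version the constraint actually resolved to.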

jamiejackson commented 1 year ago

I'd submit a PR for the fix but I'm having trouble running tests. (Either I don't know or don't remember how to run them.)

This is on master:

$ ./gradlew test

Setting maxParallelForks to 12

> Task :luceedebug:test

SteppingWorksAsExpectedOnSinglelineStatementWithManySubexpressions > a() STANDARD_ERROR
    SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
    SLF4J: Defaulting to no-operation (NOP) logger implementation
    SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.

HitsABreakpointAndRetrievesVariableInfo > a() STANDARD_ERROR
    SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
    SLF4J: Defaulting to no-operation (NOP) logger implementation
    SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.

StepsToFinallyAndThenCatchSkippingPastUnwoundLines > a() STANDARD_ERROR
    SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
    SLF4J: Defaulting to no-operation (NOP) logger implementation
    SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.

EvaluatesAnExpression > a() STANDARD_ERROR
    SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
    SLF4J: Defaulting to no-operation (NOP) logger implementation
    SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.

SteppingThroughDefaultArgs > a() STANDARD_ERROR
    SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
    SLF4J: Defaulting to no-operation (NOP) logger implementation
    SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.

SteppingWorksAsExpectedOnSinglelineStatementWithManySubexpressions > a() FAILED
    org.opentest4j.AssertionFailedError at SteppingWorksAsExpectedOnSinglelineStatementWithManySubexpressions.java:57

HitsABreakpointAndRetrievesVariableInfo > a() FAILED
    org.opentest4j.AssertionFailedError at HitsABreakpointAndRetrievesVariableInfo.java:59

StepsToFinallyAndThenCatchSkippingPastUnwoundLines > a() FAILED
    org.opentest4j.AssertionFailedError at StepsToFinallyAndThenCatchSkippingPastUnwoundLines.java:57

SteppingThroughDefaultArgs > a() FAILED
    org.opentest4j.AssertionFailedError at SteppingThroughDefaultArgs.java:58

EvaluatesAnExpression > a() FAILED
    org.opentest4j.AssertionFailedError at EvaluatesAnExpression.java:57

5 tests completed, 5 failed

> Task :luceedebug:test FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':luceedebug:test'.
> There were failing tests. See the report at: file:///Users/jjackson/projects/luceedebug/luceedebug/build/reports/tests/test/index.html

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 29s
6 actionable tasks: 6 executed

softwareCobbler commented 1 year ago

Thanks, this is fixed as of agent/2.0.8, guava's at 32.1.2.

Sorry the tests didn't work on your machine; you might not have had a docker daemon running?

jamiejackson commented 1 year ago

Looks good, thanks. The latest ./gradlew dependencyCheckAnalyze scan comes out clean.

I'll open another ticket to ask test-related questions.