sonatype-nexus-community / scan-gradle-plugin

Gradle plugin that scans the dependencies of a Gradle project using Sonatype platforms: OSS Index and Nexus IQ Server.
Apache License 2.0

The last 10 versions share a common transitive vulnerability in org.eclipse.jgit-5.8.1.202007141445-r.jar #152

Closed rbhuet2 closed 7 months ago

rbhuet2 commented 9 months ago

To Reproduce
Steps to reproduce the behavior:

  1. Run gradle build with any of the last 10 versions of the plugin defined. For example:
     classpath "org.sonatype.gradle.plugins:scan-gradle-plugin:2.7.0"
     apply plugin: 'org.sonatype.gradle.plugins.scan'
  2. See error:
     Could not GET 'https://nexus.xxx.com/repository/public/org/eclipse/jgit/org.eclipse.jgit/5.8.1.202007141445-r/org.eclipse.jgit-5.8.1.202007141445-r.jar'. Received status code 403 from server: -------------------->>> REQUESTED ITEM IS QUARANTINED -------------------->>>

Expected behavior
The plugin should reference a version of jgit that does not have any critical vulnerabilities.

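The error above comes from the buildscript classpath, not from the project's own dependencies: the plugin pulls org.eclipse.jgit in transitively, and a repository firewall that quarantines the flagged release refuses to serve it. The snippet below is an added example (not the reporter's build file and not code from the plugin project) showing how to pin the JGit artifact on that classpath for the affected plugin versions. The coordinates org.eclipse.jgit:org.eclipse.jgit are taken from the URL in the error; JGIT_FIXED_VERSION is a placeholder, since the thread does not name the fixed release.

```groovy
// build.gradle (Groovy DSL). Added example, not part of the issue or the plugin project.
// Overrides a transitive dependency of the plugin itself, so the resolutionStrategy
// is attached to buildscript.configurations.classpath rather than to the project's
// compile/runtime configurations.
buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        // One of the plugin versions that still ships the quarantined JGit transitively.
        classpath "org.sonatype.gradle.plugins:scan-gradle-plugin:2.7.0"
    }
    configurations.classpath {
        resolutionStrategy {
            // JGIT_FIXED_VERSION is a placeholder (assumption): replace it with the
            // JGit release your scanner or firewall policy accepts.
            force "org.eclipse.jgit:org.eclipse.jgit:JGIT_FIXED_VERSION"
            // Do not let the buildscript classpath silently resolve to a cached
            // snapshot of the old artifact on a later run.
            cacheChangingModulesFor 0, 'seconds'
        }
    }
}

apply plugin: 'org.sonatype.gradle.plugins.scan'
```

To confirm which version actually lands on the plugin classpath, run `./gradlew buildEnvironment` and look for the org.eclipse.jgit line under the scan-gradle-plugin subtree; with the force in place it should show the pinned version rather than 5.8.1.202007141445-r. Forcing a transitive version is a stop-gap that can break the plugin if the pinned JGit is not API-compatible with nexus-platform-api, so the proper fix is upgrading to a plugin release that no longer carries the flagged artifact (2.8.1, per the thread).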

github-actions[bot] commented 9 months ago

Hi!

First of all, thank you for opening your first issue. Elementary, we appreciate all feedback that helps us continue improving this plugin.

As this is a community project we can't commit to official due dates for reviews and developing, but we're definitely committed to delivering services, integrations and plugins of top quality.

So please be patient, we will review your issue and get back to you as soon as we can!

Regards, Sherlock Trunks 🐘

guillermo-varela commented 9 months ago

Hi @rbhuet2!

From what I see, the JGit dependency comes from nexus-platform-api.

The latest version of nexus-platform-api already brings a JGit version without vulnerabilities, although upgrading that library brings a series of issues documented at #146

While I can't provide a due date, I can confirm that such an upgrade will definitely be done, and thanks to this issue we now see it needs to have a higher priority.

Thanks for bringing this to our attention!

guillermo-varela commented 7 months ago

Hi @rbhuet2!

@shaikhu came up with a solution to this JGit issue and now version 2.8.1 has been published: https://github.com/sonatype-nexus-community/scan-gradle-plugin/releases/tag/2.8.1

Please let us know if this enables using the plugin in your environment.

rbhuet2 commented 7 months ago

I just tested version 2.8.1 and it works perfectly. Thanks @shaikhu for the quick response!