testcontainers / testcontainers-java

Testcontainers is a Java library that supports JUnit tests, providing lightweight, throwaway instances of common databases, Selenium web browsers, or anything else that can run in a Docker container.
https://testcontainers.org
MIT License

[Bug]: Vulnerable dependency commons-compress 1.24.0 #8338

Open veita opened 8 months ago

veita commented 8 months ago

Module

Core

Testcontainers version

1.19.5

Using the latest Testcontainers version?

Yes

Host OS

Linux

Host Arch

x86_64

Docker version

Podman 4.3.1

What happened?

Testcontainers pulls in commons-compress 1.24.0.

https://github.com/testcontainers/testcontainers-java/blob/main/core/build.gradle#L76

Additional Information

marcelstoer commented 8 months ago

Anyone coming across this, please follow the discussion at #8354. The commons-compress dependency won't be updated here for now.

hailuand commented 7 months ago

Apache have released patch version 1.26.1 of commons-compress last week that may address this?

COMPRESS-659: TarArchiveOutputStream should use Commons IO Charsets instead of Commons Codec Charsets.

I was able to successfully upgrade the commons-compress version in a project of mine to 1.26.1 that was previously failing on 1.26.0 with:

java.lang.NoClassDefFoundError: org/apache/commons/codec/Charsets

    at org.apache.commons.compress.archivers.tar.TarArchiveOutputStream.<init>(TarArchiveOutputStream.java:212)
    at org.apache.commons.compress.archivers.tar.TarArchiveOutputStream.<init>(TarArchiveOutputStream.java:157)
    at org.apache.commons.compress.archivers.tar.TarArchiveOutputStream.<init>(TarArchiveOutputStream.java:147)
    at org.testcontainers.containers.ContainerState.copyFileToContainer(ContainerState.java:350)
    at org.testcontainers.containers.ContainerState.copyFileToContainer(ContainerState.java:331)
    at java.base/java.util.LinkedHashMap.forEach(LinkedHashMap.java:986)
    at org.testcontainers.containers.GenericContainer.tryStart(GenericContainer.java:441)

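
The upgrade described in the comment above, written out for a consuming project's Gradle build. This is an added example, not code from the testcontainers project or from the commenter: it pins the transitive commons-compress that Testcontainers 1.19.5 pulls in to the 1.26.1 release reported as working, using the artifacts' real Maven coordinates and the version numbers quoted in this thread; the `because` text is an assumed label.

```groovy
// Added example (not from the testcontainers project). Overrides the transitive
// commons-compress 1.24.0 that org.testcontainers:testcontainers:1.19.5 declares.
dependencies {
    testImplementation "org.testcontainers:testcontainers:1.19.5"

    // Option A: a dependency constraint raises the resolved version of the
    // transitive dependency without adding a direct dependency on it.
    constraints {
        testImplementation("org.apache.commons:commons-compress:1.26.1") {
            // Assumed label; the issue number is this thread's.
            because "Testcontainers 1.19.5 pulls in commons-compress 1.24.0 (#8338)"
        }
    }
}

// Option B (stricter): force the version in every configuration, so no other
// dependency can pull 1.24.0 back onto the classpath.
configurations.all {
    resolutionStrategy {
        force "org.apache.commons:commons-compress:1.26.1"
    }
}
```

Check the outcome with `./gradlew dependencyInsight --dependency commons-compress --configuration testRuntimeClasspath`, which reports which version was selected and why. Because Gradle resolves the 1.26.1 POM, its own transitive dependencies (Commons IO, which `TarArchiveOutputStream` uses for charsets from 1.26.1 on) come along; with 1.26.0 the same override would still leave `org.apache.commons.codec.Charsets` missing at runtime, which is the `NoClassDefFoundError` shown in the trace above.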
blommish commented 7 months ago

Do I understand this correctly: it will probably not be updated before Spring has updated it to 1.26.1?

antonmos commented 4 months ago

Is there any reason not to resolve this by updating to 1.26.1? The NoClassDefFoundError has been resolved in that version.

angelo-v commented 2 months ago

It also works with 1.27.0. Please update.

kevinherron commented 2 months ago

When this does get upgraded it seems pretty clear that it should also become a shaded dependency. Libraries with other common libraries as dependencies are problematic.

vcruzmj commented 2 weeks ago

Any news on this?