
fix: vulnerability of Woodstox 6.2.4 #3318

Closed
wants to merge 1 commit into from

Conversation

@kuju63 kuju63 commented Nov 4, 2023

This PR is to fix the vulnerability of Woodstox 6.2.4.
It is a critical vulnerability according to its CVSS score (CVSS score 7.5).
It is caused by jackson-databind, which uses the vulnerable library.

The impact of this change is that the supported Kotlin versions need to exclude 1.4, because jackson-databind 2.13 and later do not support Kotlin 1.4.

CLOSE #3194

This commit is to fix the vulnerability of Woodstox 6.2.4.
It includes jackson and jackson-databind.
Contributor

hfhbd commented Feb 6, 2024

Kotlin 1.4 support is needed to support Gradle 7, which is still supported by Gradle and by Kotlin 1.9.22. Alternatively, switching to Kotlinx serialization would fix this vulnerability too.

Collaborator

whyoleg commented Feb 6, 2024

Hey!
Thanks for the PR, but as stated above the main reason for such an old Jackson dependency is compatibility with older Gradle versions (which are still supported by Gradle and Kotlin Gradle Plugin). So we can't change it right now.

In case you need to enforce usage of a newer compatible Jackson version during Dokka execution you need to enforce it in 2 places:

  1. in build script classpath (because Dokka Gradle Plugin depends on it) - this configuration will depend on how your build is structured.
  • in case you are using buildSrc/build-logic (or any other included build to manage convention plugins or shared configuration) you need to add this to its build.gradle/build.gradle.kts:

```kotlin
dependencies {
    implementation(enforcedPlatform("com.fasterxml.jackson:jackson-bom:2.13.5"))
}
```

  • in other cases, you can add this to the project's build.gradle/build.gradle.kts where Dokka Gradle Plugin is applied:

```kotlin
buildscript {
    dependencies {
        classpath(enforcedPlatform("com.fasterxml.jackson:jackson-bom:2.13.5"))
    }
}
```

  2. in Dokka execution - add this to all modules where Dokka is configured:

```kotlin
dependencies {
    dokkaRuntime(enforcedPlatform("com.fasterxml.jackson:jackson-bom:2.13.5"))
    dokkaPlugin(enforcedPlatform("com.fasterxml.jackson:jackson-bom:2.13.5"))
}
```

Note: this is via Kotlin Gradle DSL, for Groovy the same or similar code should work. In some cases, Gradle can not generate dokkaRuntime/dokkaPlugin accessors - in this case it's possible to just quote them like "dokkaRuntime"

Maximum available Jackson version here depends on your Gradle version (and so on the embedded Kotlin version used in Gradle: https://docs.gradle.org/current/userguide/compatibility.html#kotlin), I've tested on my side that even 2.15.3 works (with Gradle 8.6).

Hopefully during implementation of new Dokka Gradle Plugin this will be resolved in some way and there will be no vulnerability reports.
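An added example (not part of this thread or of the Dokka project) of a consuming project's build.gradle.kts that applies the pinning described in the comment above and then verifies what Dokka's configurations actually resolve, so the build fails if woodstox-core 6.2.4 or an un-pinned Jackson module still reaches the Dokka classpath. It assumes the Dokka Gradle Plugin is already applied (so the dokkaRuntime/dokkaPlugin configurations exist) and that both are resolvable; the task name verifyDokkaDependencies is an assumption.

```kotlin
// Pin Jackson on Dokka's configurations (quoted form, in case Gradle does not
// generate the dokkaRuntime/dokkaPlugin accessors).
dependencies {
    "dokkaRuntime"(enforcedPlatform("com.fasterxml.jackson:jackson-bom:2.13.5"))
    "dokkaPlugin"(enforcedPlatform("com.fasterxml.jackson:jackson-bom:2.13.5"))
}

// Hypothetical verification task: resolve each Dokka configuration and inspect
// the module versions that end up on the classpath.
val verifyDokkaDependencies by tasks.registering {
    group = "verification"
    description = "Fails if Dokka still resolves woodstox-core 6.2.4 or an un-pinned Jackson"
    doLast {
        val expectedJackson = "2.13.5"
        val vulnerableWoodstox = "6.2.4"   // version named in this issue
        listOf("dokkaRuntime", "dokkaPlugin").forEach { confName ->
            // allComponents includes transitive dependencies, which is where
            // woodstox-core arrives (via jackson-dataformat-xml), not a direct declaration.
            val versions = configurations.getByName(confName)
                .incoming.resolutionResult.allComponents
                .mapNotNull { it.moduleVersion }
                .associate { "${it.group}:${it.name}" to it.version }

            versions["com.fasterxml.woodstox:woodstox-core"]?.let { v ->
                check(v != vulnerableWoodstox) {
                    "$confName still resolves woodstox-core $v; the enforcedPlatform pin is not taking effect"
                }
                logger.lifecycle("$confName: woodstox-core $v")
            }

            // Every Jackson artifact (core, databind, dataformat-xml, module-kotlin, ...)
            // must carry the BOM version; a mismatch means the BOM was not enforced here.
            versions.filterKeys { it.startsWith("com.fasterxml.jackson") }
                .forEach { (module, v) ->
                    check(v == expectedJackson) {
                        "$confName resolves $module:$v, expected $expectedJackson"
                    }
                }
            logger.lifecycle("$confName: Jackson pinned to $expectedJackson")
        }
    }
}
```

Run it with `./gradlew verifyDokkaDependencies`; `./gradlew buildEnvironment` shows the build-script classpath (the first place from the comment above), which this task does not cover.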

@whyoleg whyoleg closed this Feb 6, 2024
@kuju63 kuju63 deleted the fix/woodstox-6.2.4 branch April 15, 2024 14:04
Successfully merging this pull request may close these issues.

Woodstox:6.2.4 Security vulnerability in Dokka versions