Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix / ignore vulnerabilities #8

Merged
merged 5 commits into from
Sep 13, 2024
Merged

Fix / ignore vulnerabilities #8

merged 5 commits into from
Sep 13, 2024

Conversation

Mahoney
Copy link
Contributor

@Mahoney Mahoney commented Sep 13, 2024
edited
Loading

  • chore: Fix transitive vulnerability in jackson
  • chore: Ignore unfixable vulnerability
  • chore: Ignore unfixable vulnerability
  • chore: Fix transitive vulnerability in commons-compress
  • wiremock-extension-convention plugin 0.2.0 -> 0.3.0

Submitter checklist

  • Recommended: Join WireMock Slack to get any help in #help-contributing or a project-specific channel like #wiremock-java
  • The PR request is well described and justified, including the body and the references
  • The PR title represents the desired changelog entry
  • The repository's code style is followed (see the contributing guide)
  • Test coverage that demonstrates that the change works as expected
  • For new features, there's necessary documentation in this pull request or in a subsequent PR to wiremock.org

@Mahoney
chore: Ignore unfixable vulnerability
2f5d882 
As of kotlin-stdlib version 1.4.21, the vulnerable functions have been
marked as deprecated. Due to still being usable, this advisory is kept
as "unfixed". But we can't fix it so ignore it for a year.
@Mahoney
chore: Ignore unfixable vulnerability
1ea817b
@Mahoney
chore: Fix transitive vulnerability in commons-compress
a2fad10 
Set the minimum version to 1.26.0. Version 1.24.0 brought in
transitively by org.wiremock:wiremock:3.9.1 has CVE-2024-25710.

A gradle constraint does not fix the version, just sets a minimum
version: https://www.linen.dev/s/gradle-community/t/22694678/hi-snyk-has-revealed-that-some-deeply-nested-transitive-depe#e46476e5-70e1-49a7-a72f-fa5453374e42
@Mahoney
wiremock-extension-convention plugin 0.2.0 -> 0.3.0
9a0ca95
@Mahoney
Add snyk to GHA
0684bf1
@Mahoney Mahoney merged commit 002c659 into main Sep 13, 2024
9 checks passed
@Mahoney Mahoney deleted the fix-vulns branch September 13, 2024 12:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leeturner leeturner leeturner approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Mahoney @leeturner