Bump com.hierynomus:sshj from 0.32.0 to 0.36.0 in /prime-router #11246
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
Bumps [com.hierynomus:sshj](https://github.com/hierynomus/sshj) from 0.32.0 to 0.36.0. - [Commits](hierynomus/sshj@v0.32.0...v0.36.0) --- updated-dependencies: - dependency-name: com.hierynomus:sshj dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
Dependency Review✅ No vulnerabilities or license issues found.Scanned Manifest Files |
|
Breaking change |
|
Mo's sage advice:
|
GilmoreA6
added
the
onboarding-ops
|
Ran check all STLTs' SFTPs and RESTs for SSHJ version 0.32.0 (current working version) and 0.36.0 (latest version). I compared the output for both; they are identical, which tells me that, after the fix, the new version is now backward compatible with the older version. Below are the output logs for both versions: |
oslynn
requested review from
mkalish,
arnejduranovic,
snesm,
GilmoreA6 and
pstonebu
and removed request for
jalbinson and
GilmoreA6
| @@ -405,7 +405,7 @@ class RESTTransport(private val httpClient: HttpClient? = null) : ITransport { | |||
| if (restUrl.contains("dataingestion.datateam-cdc-nbs")) { | |||
| val idTokenInfoString: String = client.post(restUrl) { | |||
| val credentialString = credential.user + ":" + credential.pass | |||
| val basicAuth = "Basic " + Base64.encodeBytes(credentialString.encodeToByteArray()) | |||
| val basicAuth = "Basic " + Base64.getEncoder().encodeToString(credentialString.encodeToByteArray()) | |||
There was a problem hiding this comment.
Depending on Java standard library is always a good idea simple operations like this 👍
|
Changes look good, what does our test coverage look like for SSH/SFTP? |
| // Apache SSHD that doesn't rsa-sha2-* signatures. To make it works with old servers, | ||
| // we need to include the KeyAlgorithms.SSHRSA at the top of the list or have higher | ||
| // priority than other as below. | ||
| sshConfig.keyAlgorithms = listOf( |
There was a problem hiding this comment.
Is it worth creating a tech debt ticket to make this configurable per receiver? I remember you saying this breaks after trying the first three key algorithms, is that still the case or is this not related to that?
There was a problem hiding this comment.
No, it isn't worth it to create a tech dept for this. After this fix, it works with all of our reivers.
There was a problem hiding this comment.
@snesm our Security expert approved the fix. However, he suggested I get with the receiver who still using the SSHRAS key exchange and suggest they upgrade their server to support the new key exchange.
|
SonarCloud Quality Gate failed.
|
oslynn
deleted the
dependabot/gradle/prime-router/com.hierynomus-sshj-0.36.0
branch
Bumps com.hierynomus:sshj from 0.32.0 to 0.36.0.
Commits
f4d34d8Fix release build2bef99cPrepare release 0.36.0a186dbfFix race condition causing SSH_MSG_UNIMPLEMENTED occasionally during key exch...a5fdb29Fixed itests for missing docker container (#892)3069138Add DefaultSecurityProviderConfig with Bouncy Castle disabled (#861)a3c9c61Prepare release notes31d156bRewriting testing utilities to use jupiter engine (#881)ec69d10Removed Java 7 backport Socket utilities (#880)f35c2bdReplaced custom Base64 with java.util.Base64 (#879)0783709Removed unused bcrypt password hashing methods (#852)You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)