-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
update common-compress to address CVE-2024-25710 CVE-2024-26308 #16009
update common-compress to address CVE-2024-25710 CVE-2024-26308 #16009
Conversation
This resolves: |
trying this before supressing it in plugin-configuration
<dependency> | ||
<groupId>commons-codec</groupId> | ||
<artifactId>commons-codec</artifactId> | ||
<scope>runtime</scope> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
any reason we need to add this dependency to the processing pom?
It also seems odd we would only be declaring it a runtime dependency.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's added to processing as this is where commons-compress is used.
The dependency is listed as optional for commons-compress (https://mvnrepository.com/artifact/org.apache.commons/commons-compress/1.26.0)
and is not needed compile time. The dependency is needed runtime (as illustrated by failing tests in #15932). If we add it in the compile scope we will need to add the suppression of dependency analyze tool.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see, can we add a comment to explain the reason for making it runtime?
Let's also update the PR description to mention that 1.26 added this optional dependency and that it is required in our case to make tests pass.
Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
…he#16009) * Update common-compress to 1.26.0 to address CVEs CVE-2024-25710 CVE-2024-26308 * Add commons-codec as a runtime dependency required by common-compress 1.26.0 --------- Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
…he#16009) * Update common-compress to 1.26.0 to address CVEs CVE-2024-25710 CVE-2024-26308 * Add commons-codec as a runtime dependency required by common-compress 1.26.0 --------- Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
Description
This PR has: