Update ivy version to 2.5.2 #619
Conversation
Updates `org.apache.ivy:ivy` to version 2.5.2 to fix CVE-2022-46751
Adds 2 CVEs due to `debezium-supplier` transitive dependencies.
onobc
force-pushed
the
update-ivy-version-2_5_2
branch
from
122b10e to
a289835
Compare
| @@ -14,10 +14,6 @@ | |||
| <relativePath>../../stream-applications-core/pom.xml</relativePath> | |||
| </parent> | |||
|
|
|||
| <properties> | |||
| <apache-ivy.version>2.5.1</apache-ivy.version> | |||
There was a problem hiding this comment.
Sorry, Chris, how does it work if we don’t specify version any more?
Is this Spring Boot managed dep?
So, it comes as latest now and with all those CVEs fixed?
There was a problem hiding this comment.
Good point @artembilan - I was not clear in my description. We (stream-applications) already have dep. mgmt. for this ivy in stream-applications-build but for some reason these versions were still being hardcoded in these modules.
This moves those versions out of the way and lets the stream-applications-build/pom.xml be the final arbiter of the versions.
| ################################ | ||
| ## From debezium-supplier | ||
| ################################ | ||
| CVE-2023-1428 |
There was a problem hiding this comment.
These "mute" the grpc and protobuf related CVEs being reported
| @@ -4,7 +4,6 @@ SCDIR=$(realpath $SCDIR) | |||
| if [[ "$1" != *"-sources.jar" ]] && [[ "$1" != *"-javadoc.jar" ]]; then | |||
| if [ "$TRIVY_UPLOAD" == "true" ]; then | |||
| echo "Scanning:$1" | |||
| echo "trivy rootfs --format sarif -o \"$1.sarif\" \"$1\"" | |||
There was a problem hiding this comment.
This looks like some debug that is surely to get out of sync w/ the actual command
|
@artembilan I am going to go ahead and merge this. I am happy to make any changes post merge. |
Updates
org.apache.ivy:ivyto version 2.5.2 to fix CVE-2022-46751