Dependency on commons-text has vulnerability to CVE-2022-42889 #1990
Comments
Trivy is found there: https://github.com/aquasecurity/trivy

Handlebars has published a 4.3.1 release fixing the CVE.

Any plans to release a version with this fix? Our security scans are blocking wiremock due to this vulnerability.

Is there a workaround to fix CVE-2022-42889?

Apologies for leaving this open. The latest master does not have this issue, which I would say is the best workaround.

If you can't wait for the next Wiremock release, you can add the Handlebars dependency at version 4.3.1 to your project (see the link for how to add it with different build systems).

Any plans for a 2.34/2.35 release with this fix?
Wiremock version
2.34.0

How I'm starting wiremock
I'm not - I'm simply scanning a wiremock image with trivy.

A failing test case
You can run `trivy image --ignore-unfixed --security-checks vuln wiremock/wiremock`, which will among other things output the stated CVE.

What is the issue
Inside of the wiremock jar there is a META-INF folder containing a maven folder. There is a reference there to commons-text (an apache commons library) at version 1.9. I don't know how it gets there, because I cannot find any reference to it inside of the repository or inside of the gradle build dependencies. It's been a long time since I did jar file engineering, so I have only a vague notion that it is for pulling in dependencies at runtime from the internet.

What would I like to see
I'd like the dependency on commons-text to be gone if it is not needed, or to upgrade it to 1.10.0. That version doesn't have the vulnerability by default, which is nice.

Currently I can build a .jar by adding `exclude 'META-INF/maven/**'` inside the shadowJar stage of the build.gradle file. This is probably very bad, and I'm still trying to figure out whether or not this breaks anything horrifically. If someone could point me at some relevant docs that will explain to me how to upgrade this dependency, I have no trouble creating a pull request.
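An added check, not code from the issue or the WireMock project, that inspects a jar the way the report above describes: it reads every `META-INF/maven/<groupId>/<artifactId>/pom.properties` entry and flags a bundled commons-text older than 1.10.0. The jar produced by `build_sample_jar` is a constructed stand-in containing only those descriptor files, with sample version strings, not a real wiremock image.

```python
import io
import re
import zipfile

# Maven-built jars record each bundled artifact's coordinates under this path.
POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")

def build_sample_jar(commons_text_version="1.9"):
    """Constructed stand-in jar: only Maven descriptors, no classes.
    The version strings are sample values for the demo, not from a real build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            "META-INF/maven/org.apache.commons/commons-text/pom.properties",
            "#Generated by Maven\ngroupId=org.apache.commons\n"
            f"artifactId=commons-text\nversion={commons_text_version}\n",
        )
        jar.writestr(
            "META-INF/maven/com.github.jknack/handlebars/pom.properties",
            "groupId=com.github.jknack\nartifactId=handlebars\nversion=4.3.0\n",
        )
    return buf.getvalue()

def parse_version(v):
    # "1.10.0" -> (1, 10, 0); qualifiers are dropped, so "1.9-SNAPSHOT" -> (1, 9, 0)
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    return (parts + (0, 0, 0))[:3]

def bundled_artifacts(jar_bytes):
    """Map (groupId, artifactId) -> version for every pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not POM_PROPS.match(name):
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if all(k in props for k in ("groupId", "artifactId", "version")):
                found[(props["groupId"], props["artifactId"])] = props["version"]
    return found

def commons_text_status(jar_bytes):
    """None if commons-text is not bundled, else (version, needs_upgrade)."""
    version = bundled_artifacts(jar_bytes).get(("org.apache.commons", "commons-text"))
    if version is None:
        return None
    return version, parse_version(version) < (1, 10, 0)
# Real use: commons_text_status(open("wiremock.jar", "rb").read())
```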