Universal: Update "jsoup" plugin due to CVE-2022-36033 (#269)

samruddhikhandale · web-flow · commit b1a2835c0ae6 · 2022-12-15T15:34:52.000-08:00
* Universal: Update aws-java-sdk-s3 due to CVE-2022-31159 * Universal: Update "jsoup" plugin due to CVE-2022-36033
diff --git a/src/universal/.devcontainer/local-features/setup-user/install.sh b/src/universal/.devcontainer/local-features/setup-user/install.sh
@@ -20,16 +20,24 @@ chmod +x /etc/profile.d/00-restore-env.sh
 
 export DEBIAN_FRONTEND=noninteractive
 
+# Temporary: Replace the current gradle plugins with patched versions
+GRADLE_PATH=$(cd /usr/local/sdkman/candidates/gradle/7*/lib/plugins/ && pwd)
+
 # Temporary: Due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31159
 # Delete the current plugin
-GRADLE_PATH=$(cd /usr/local/sdkman/candidates/gradle/7*/lib/plugins/ && pwd)
 rm -f ${GRADLE_PATH}/aws-java-sdk-s3-*
 
 # Install "aws-java-sdk-s3" plugin with version >= 1.12.261
 curl -sSL https://github.com/aws/aws-sdk-java/archive/refs/tags/1.12.363.tar.gz | tar -xzC /tmp 2>&1
 jar cf ${GRADLE_PATH}/aws-java-sdk-s3-1.12.363.jar /tmp/aws-sdk-java-1.12.363/aws-java-sdk-s3
 rm -rf /tmp/aws-sdk-java-1.12.363
 
+# Temporary: Due to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36033
+rm -f ${GRADLE_PATH}/jsoup-*
+curl -sSL https://github.com/jhy/jsoup/archive/refs/tags/jsoup-1.15.3.tar.gz | tar -xzC /tmp 2>&1
+jar cf ${GRADLE_PATH}/jsoup-1.15.3.jar /tmp/jsoup-jsoup-1.15.3
+rm -rf /tmp/jsoup-jsoup-1.15.3
+
 # Temporary: Upgrade NPM packages due to mentioned CVEs.
 # decode-uri-component: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38900
 # ansi-regex: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3807
diff --git a/src/universal/test-project/test.sh b/src/universal/test-project/test.sh
@@ -173,8 +173,10 @@ check "java-version-on-path-is-12.0.2" java --version | grep 12.0.2
 # Test patches
 GRADLE_PATH=$(cd /usr/local/sdkman/candidates/gradle/7*/lib/plugins && pwd)
 check "aws-java-sdk-s3-plugin" bash -c "ls ${GRADLE_PATH} | grep aws-java-sdk-s3-1.12.363.jar"
+check "jsoup-plugin" bash -c "ls ${GRADLE_PATH} | grep jsoup-1.15.3.jar"
 
 cd /usr/local/share/nvm/versions/node/v14*/lib/node_modules/npm
+
 decodeVersion=$(npm ls --depth 1 --json | jq -r '.dependencies."decode-uri-component".version')
 check-version-ge "decode-uri-component" "${decodeVersion}" "0.2.1"
 
