release version for JDK 17 and address CVEs #2401
Comments
@fabio-andre-rodrigues by trial and error I found that graal-js 22.3.3 is the last that we can build on Java 11. I'm curious if that may address the critical CVEs. I'm not able to find any graal announcement that they require Java 17, even though previously for Java 11 this was clearly mentioned in the 22.1.0 release notes, https://github.com/oracle/graaljs/blob/master/CHANGELOG.md#version-2210 (screenshot below). anyway - for reference, here is an announcement from sonar / sonarqube that they are not supporting java 11 anymore: https://community.sonarsource.com/t/java-11-is-deprecated-as-a-runtime-env-to-scan-your-projects/96597
Unfortunately 22.3.3 has a vulnerability reported: https://security.snyk.io/vuln/maven?search=Graal
On Monday, 25/09/2023, 12:35, Peter Thomas wrote:
> @fabio-andre-rodrigues by trial and error I found that graal 22.3.3 is the last that we can build on Java 11. I'm curious if that may address the critical CVEs.
> I'm not able to find any graal announcement that they won't support Java 11, even though this was clearly mentioned in the 22.1.0 release notes, https://github.com/oracle/graaljs/blob/master/CHANGELOG.md#version-2210 (screenshot below)
> [image] https://user-images.githubusercontent.com/915480/270327967-4027dd32-4107-4571-8685-cf63ac6640a0.png
> anyway - for reference, here is an announcement from sonar / sonarqube that they are not supporting java 11 anymore: https://community.sonarsource.com/t/java-11-is-deprecated-as-a-runtime-env-to-scan-your-projects/96597
Ok, thanks for the update. Anything else that needs to be done?
On Tuesday, 26/09/2023, 15:12, Peter Thomas wrote:
> note that this pull request is linked to this ticket: #2402
> the plan is to release karate 1.5.0.RC1 within a week that addresses these latest CVEs and requires Java 17. Karate 1.4.1 will be the last Karate release that supports Java 11
@fabio-andre-rodrigues I think we are good. when a version is out on maven central, I will let you know and would like your feedback on whether snyk reports etc. are green
Will gladly do.
@fabio-andre-rodrigues karate 1.5.0.RC1 is available in maven central. we have changed the maven group-id; link to karate core on maven: https://central.sonatype.com/artifact/io.karatelabs/karate-core
docker image should move to https://hub.docker.com/r/karatelabs/karate-chrome - this is yet to be done
linking another related issue: #2215 - which is now planned in Karate 1.6, and here is where we will change the API and Java package names to
So far, no issue in using the karate framework on 1.5.0.RC1 and all tests are running well. We detected some medium vulnerabilities in Snyk, will check what we can do on that. On a high note, all high ones were solved (2 high, 11 medium)
Hey, several teams under me are already using this release and all is running smoothly, at least in normal functionality. Also Snyk reports are cleaned up substantially. We may need to add a way to update dependencies quicker, but at least this seems to have solved the criticals and highs.
@fabio-andre-rodrigues thanks for the update 👍
When would we have an official release of this?
@fabio-andre-rodrigues my recommendation is you can use 1.5.0.RC1 in "production". we will have a couple of RC releases until final, because a few big-ticket items were added (playwright, gatling java dsl). it may take 2 months for a final 1.5.0
all: we released 1.5.0.RC2 that should be in maven central in a few minutes
Hi @ptrthomas, I observe there is still a "No step definition found" error. Is this a known issue in this release? Regards,
@anildhiman88 karate is NOT cucumber. we recommend you use the official IDE plugins
@ptrthomas got it, thanks
all dependencies were upgraded, refer commit: 425668e. Karate 1.5.0.RC3 is now available: https://github.com/karatelabs/karate/releases/tag/v1.5.0.RC3
Hi, is it normal to see an RC4 on https://mvnrepository.com/artifact/io.karatelabs/karate-core/1.5.0.RC4 while we don't see a corresponding tag in https://github.com/karatelabs/karate/tags? Regards.
@EstebanDugueperoux2 yes, we haven't been diligent about tagging RC versions, so you have to make it out from the commit dates. but in future we will make sure to tag these as well
1.5.0 released
while trying to upgrade thymeleaf, graal and logback - it looks like Java 17 is a must to address all the new CVEs. cc @fabio-andre-rodrigues, refer discussion in #2399 and #2390
already these 3 commits have been made that upgrade the github action runners and the docker container. the docker container required quite a few tweaks
1a106f0
03cd29a
b95796c