chore(dependencies): Upgrade org.testng:testng to resolve vulnerability #894

Merged
merged 1 commit into from
Sep 3, 2021

@j-sandy
Contributor

j-sandy commented Sep 3, 2021

SONATYPE-2019-0115
org.testng:testng is transitively introduced by org.codehaus.groovy:groovy-testng (part of groovy-all)

@j-sandy
Contributor Author

j-sandy commented Sep 3, 2021

After applying the fix, gate dependency insight

$ .\gradlew gate-web:dI --dependency org.testng:testng --configuration runtimeClasspath
Starting a Gradle Daemon, 1 busy Daemon could not be reused, use --status for details

> Task :gate-web:dependencyInsight
org.testng:testng:7.4.0
   variant "runtimeElements" [
      org.gradle.category            = library
      org.gradle.dependency.bundling = external
      org.gradle.jvm.version         = 8 (compatible with: 11)
      org.gradle.libraryelements     = jar
      org.gradle.usage               = java-runtime
      org.gradle.status              = release (not requested)
   ]
   Selection reasons:
      - By constraint
      - By conflict resolution : between versions 7.4.0 and 6.13.1

org.testng:testng:7.4.0
\--- io.spinnaker.kork:kork-bom:testng-cve-fix-SNAPSHOT
     +--- runtimeClasspath
     +--- project :gate-proxy
     |    \--- runtimeClasspath
     +--- project :gate-plugins
     |    \--- runtimeClasspath
     +--- project :gate-api
     |    +--- runtimeClasspath
     |    +--- project :gate-proxy (*)
     |    \--- project :gate-plugins (*)
     +--- project :gate-integrations-gremlin
     |    \--- runtimeClasspath
     +--- project :gate-basic
     |    \--- runtimeClasspath
     +--- project :gate-iap
     |    \--- runtimeClasspath
     +--- project :gate-ldap
     |    \--- runtimeClasspath
     +--- project :gate-oauth2
     |    \--- runtimeClasspath
     +--- project :gate-saml
     |    \--- runtimeClasspath
     +--- project :gate-x509
     |    \--- runtimeClasspath
     \--- project :gate-core
          +--- runtimeClasspath
          +--- project :gate-proxy (*)
          +--- project :gate-plugins (*)
          +--- project :gate-integrations-gremlin (*)
          +--- project :gate-basic (*)
          +--- project :gate-iap (*)
          +--- project :gate-ldap (*)
          +--- project :gate-oauth2 (*)
          +--- project :gate-saml (*)
          \--- project :gate-x509 (*)

org.testng:testng:6.13.1 -> 7.4.0
\--- org.codehaus.groovy:groovy-testng:2.5.11
     +--- io.spinnaker.kork:kork-bom:testng-cve-fix-SNAPSHOT (requested org.codehaus.groovy:groovy-testng:2.5.9)
     |    +--- runtimeClasspath
     |    +--- project :gate-proxy
     |    |    \--- runtimeClasspath
     |    +--- project :gate-plugins
     |    |    \--- runtimeClasspath
     |    +--- project :gate-api
     |    |    +--- runtimeClasspath
     |    |    +--- project :gate-proxy (*)
     |    |    \--- project :gate-plugins (*)
     |    +--- project :gate-integrations-gremlin
     |    |    \--- runtimeClasspath
     |    +--- project :gate-basic
     |    |    \--- runtimeClasspath
     |    +--- project :gate-iap
     |    |    \--- runtimeClasspath
     |    +--- project :gate-ldap
     |    |    \--- runtimeClasspath
     |    +--- project :gate-oauth2
     |    |    \--- runtimeClasspath
     |    +--- project :gate-saml
     |    |    \--- runtimeClasspath
     |    +--- project :gate-x509
     |    |    \--- runtimeClasspath
     |    \--- project :gate-core
     |         +--- runtimeClasspath
     |         +--- project :gate-proxy (*)
     |         +--- project :gate-plugins (*)
     |         +--- project :gate-integrations-gremlin (*)
     |         +--- project :gate-basic (*)
     |         +--- project :gate-iap (*)
     |         +--- project :gate-ldap (*)
     |         +--- project :gate-oauth2 (*)
     |         +--- project :gate-saml (*)
     |         \--- project :gate-x509 (*)
     \--- org.codehaus.groovy:groovy-all:2.5.11
          +--- runtimeClasspath (requested org.codehaus.groovy:groovy-all)
          +--- project :gate-proxy (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :gate-plugins (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :gate-integrations-gremlin (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :gate-basic (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :gate-iap (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :gate-ldap (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :gate-oauth2 (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :gate-saml (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :gate-x509 (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :gate-core (requested org.codehaus.groovy:groovy-all) (*)
          +--- io.spinnaker.kork:kork-bom:testng-cve-fix-SNAPSHOT (*)
          \--- io.spinnaker.kork:kork-web:7.109.0
               +--- runtimeClasspath (requested io.spinnaker.kork:kork-web)
               +--- project :gate-proxy (requested io.spinnaker.kork:kork-web) (*)
               +--- project :gate-plugins (requested io.spinnaker.kork:kork-web) (*)
               +--- project :gate-integrations-gremlin (requested io.spinnaker.kork:kork-web) (*)
               +--- project :gate-core (requested io.spinnaker.kork:kork-web) (*)
               +--- io.spinnaker.kork:kork-bom:testng-cve-fix-SNAPSHOT (requested io.spinnaker.kork:kork-web:testng-cve-fix-SNAPSHOT) (*)
               +--- io.spinnaker.fiat:fiat-api:1.28.0
               |    +--- runtimeClasspath
               |    +--- project :gate-plugins (*)
               |    +--- project :gate-iap (*)
               |    +--- project :gate-oauth2 (*)
               |    +--- project :gate-saml (*)
               |    +--- project :gate-x509 (*)
               |    \--- project :gate-core (*)
               +--- io.spinnaker.kork:kork-plugins:testng-cve-fix-SNAPSHOT (requested io.spinnaker.kork:kork-web:testng-cve-fix-SNAPSHOT)
               |    +--- runtimeClasspath (requested io.spinnaker.kork:kork-plugins)
               |    +--- project :gate-plugins (requested io.spinnaker.kork:kork-plugins) (*)
               |    +--- project :gate-core (requested io.spinnaker.kork:kork-plugins) (*)
               |    \--- io.spinnaker.kork:kork-bom:testng-cve-fix-SNAPSHOT (*)
               +--- io.spinnaker.kork:kork-runtime:testng-cve-fix-SNAPSHOT (requested io.spinnaker.kork:kork-web:testng-cve-fix-SNAPSHOT)
               |    +--- runtimeClasspath (requested io.spinnaker.kork:kork-runtime)
               |    \--- io.spinnaker.kork:kork-bom:testng-cve-fix-SNAPSHOT (*)
               \--- io.spinnaker.kork:kork-retrofit:testng-cve-fix-SNAPSHOT (requested io.spinnaker.kork:kork-web:testng-cve-fix-SNAPSHOT)
                    +--- io.spinnaker.kork:kork-bom:testng-cve-fix-SNAPSHOT (*)
                    \--- io.spinnaker.kork:kork-runtime:testng-cve-fix-SNAPSHOT (*)

@j-sandy
Contributor Author

j-sandy commented Sep 3, 2021

Clouddriver dependency insight:

$ .\gradlew clouddriver-web:dI --dependency org.testng:testng --configuration runtimeClasspath

> Task :clouddriver-web:dependencyInsight
org.testng:testng:7.4.0
   variant "runtimeElements" [
      org.gradle.category                = library
      org.gradle.dependency.bundling     = external
      org.gradle.jvm.version             = 8 (compatible with: 11)
      org.gradle.libraryelements         = jar
      org.gradle.usage                   = java-runtime
      org.gradle.status                  = release (not requested)

      Requested attributes not found in the selected variant:
         org.jetbrains.kotlin.platform.type = jvm
   ]
   Selection reasons:
      - By constraint
      - By conflict resolution : between versions 7.4.0 and 6.13.1

org.testng:testng:7.4.0
\--- io.spinnaker.kork:kork-bom:testng-cve-fix-SNAPSHOT
     +--- runtimeClasspath
     +--- project :clouddriver-kubernetes
     |    \--- runtimeClasspath
     +--- project :clouddriver-ecs
     |    \--- runtimeClasspath
     +--- project :clouddriver-lambda
     |    \--- runtimeClasspath
     +--- project :clouddriver-appengine
     |    \--- runtimeClasspath
     +--- project :clouddriver-cloudfoundry
     |    \--- runtimeClasspath
     +--- project :clouddriver-google
     |    \--- runtimeClasspath
     +--- project :clouddriver-artifacts
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-kubernetes (*)
     |    +--- project :clouddriver-ecs (*)
     |    +--- project :clouddriver-lambda (*)
     |    +--- project :clouddriver-appengine (*)
     |    +--- project :clouddriver-cloudfoundry (*)
     |    \--- project :clouddriver-google (*)
     +--- project :clouddriver-elasticsearch
     |    \--- runtimeClasspath
     +--- project :clouddriver-sql-mysql
     |    \--- runtimeClasspath
     +--- project :clouddriver-sql-postgres
     |    \--- runtimeClasspath
     +--- project :cats:cats-sql
     |    +--- project :clouddriver-sql-mysql (*)
     |    \--- project :clouddriver-sql-postgres (*)
     +--- project :clouddriver-sql
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-sql-mysql (*)
     |    +--- project :clouddriver-sql-postgres (*)
     |    \--- project :cats:cats-sql (*)
     +--- project :clouddriver-tencentcloud
     |    \--- runtimeClasspath
     +--- project :clouddriver-titus
     |    \--- runtimeClasspath
     +--- project :clouddriver-aws
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-ecs (*)
     |    +--- project :clouddriver-lambda (*)
     |    \--- project :clouddriver-titus (*)
     +--- project :clouddriver-eureka
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-tencentcloud (*)
     |    +--- project :clouddriver-titus (*)
     |    \--- project :clouddriver-aws (*)
     +--- project :clouddriver-oracle
     |    \--- runtimeClasspath
     +--- project :clouddriver-azure
     |    \--- runtimeClasspath
     +--- project :clouddriver-consul
     |    +--- runtimeClasspath
     |    \--- project :clouddriver-google (*)
     +--- project :clouddriver-huaweicloud
     |    \--- runtimeClasspath
     +--- project :clouddriver-yandex
     |    \--- runtimeClasspath
     +--- project :clouddriver-docker
     |    +--- runtimeClasspath
     |    \--- project :clouddriver-cloudfoundry (*)
     +--- project :clouddriver-core
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-kubernetes (*)
     |    +--- project :clouddriver-ecs (*)
     |    +--- project :clouddriver-lambda (*)
     |    +--- project :clouddriver-appengine (*)
     |    +--- project :clouddriver-cloudfoundry (*)
     |    +--- project :clouddriver-google (*)
     |    +--- project :clouddriver-artifacts (*)
     |    +--- project :clouddriver-elasticsearch (*)
     |    +--- project :cats:cats-sql (*)
     |    +--- project :clouddriver-sql (*)
     |    +--- project :clouddriver-tencentcloud (*)
     |    +--- project :clouddriver-titus (*)
     |    +--- project :clouddriver-aws (*)
     |    +--- project :clouddriver-eureka (*)
     |    +--- project :clouddriver-oracle (*)
     |    +--- project :clouddriver-azure (*)
     |    +--- project :clouddriver-consul (*)
     |    +--- project :clouddriver-huaweicloud (*)
     |    +--- project :clouddriver-yandex (*)
     |    \--- project :clouddriver-docker (*)
     +--- project :clouddriver-security
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-kubernetes (*)
     |    +--- project :clouddriver-ecs (*)
     |    +--- project :clouddriver-lambda (*)
     |    +--- project :clouddriver-appengine (*)
     |    +--- project :clouddriver-cloudfoundry (*)
     |    +--- project :clouddriver-google (*)
     |    +--- project :clouddriver-elasticsearch (*)
     |    +--- project :cats:cats-sql (*)
     |    +--- project :clouddriver-tencentcloud (*)
     |    +--- project :clouddriver-titus (*)
     |    +--- project :clouddriver-aws (*)
     |    +--- project :clouddriver-oracle (*)
     |    +--- project :clouddriver-azure (*)
     |    +--- project :clouddriver-huaweicloud (*)
     |    +--- project :clouddriver-yandex (*)
     |    +--- project :clouddriver-docker (*)
     |    \--- project :clouddriver-core (*)
     +--- project :cats:cats-redis
     |    +--- project :cats:cats-sql (*)
     |    \--- project :clouddriver-core (*)
     +--- project :cats:cats-core
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-kubernetes (*)
     |    +--- project :clouddriver-ecs (*)
     |    +--- project :clouddriver-lambda (*)
     |    +--- project :clouddriver-appengine (*)
     |    +--- project :clouddriver-cloudfoundry (*)
     |    +--- project :clouddriver-google (*)
     |    +--- project :cats:cats-sql (*)
     |    +--- project :clouddriver-sql (*)
     |    +--- project :clouddriver-tencentcloud (*)
     |    +--- project :clouddriver-titus (*)
     |    +--- project :clouddriver-aws (*)
     |    +--- project :clouddriver-eureka (*)
     |    +--- project :clouddriver-oracle (*)
     |    +--- project :clouddriver-azure (*)
     |    +--- project :clouddriver-huaweicloud (*)
     |    +--- project :clouddriver-yandex (*)
     |    +--- project :clouddriver-docker (*)
     |    +--- project :clouddriver-core (*)
     |    +--- project :clouddriver-security (*)
     |    \--- project :cats:cats-redis (*)
     +--- project :clouddriver-api
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-kubernetes (*)
     |    +--- project :clouddriver-ecs (*)
     |    +--- project :clouddriver-lambda (*)
     |    +--- project :clouddriver-appengine (*)
     |    +--- project :clouddriver-cloudfoundry (*)
     |    +--- project :clouddriver-google (*)
     |    +--- project :clouddriver-artifacts (*)
     |    +--- project :clouddriver-elasticsearch (*)
     |    +--- project :cats:cats-sql (*)
     |    +--- project :clouddriver-sql (*)
     |    +--- project :clouddriver-tencentcloud (*)
     |    +--- project :clouddriver-titus (*)
     |    +--- project :clouddriver-aws (*)
     |    +--- project :clouddriver-eureka (*)
     |    +--- project :clouddriver-oracle (*)
     |    +--- project :clouddriver-azure (*)
     |    +--- project :clouddriver-huaweicloud (*)
     |    +--- project :clouddriver-yandex (*)
     |    +--- project :clouddriver-docker (*)
     |    +--- project :clouddriver-core (*)
     |    +--- project :clouddriver-security (*)
     |    +--- project :cats:cats-redis (*)
     |    \--- project :cats:cats-core (*)
     +--- project :clouddriver-google-common
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-appengine (*)
     |    \--- project :clouddriver-google (*)
     +--- project :clouddriver-configserver
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-kubernetes (*)
     |    \--- project :clouddriver-aws (*)
     +--- project :clouddriver-saga
     |    +--- project :clouddriver-titus (*)
     |    +--- project :clouddriver-aws (*)
     |    \--- project :clouddriver-core (*)
     \--- project :clouddriver-event
          +--- project :clouddriver-sql (*)
          \--- project :clouddriver-saga (*)

org.testng:testng:6.13.1 -> 7.4.0
\--- org.codehaus.groovy:groovy-testng:2.5.11
     +--- io.spinnaker.kork:kork-bom:testng-cve-fix-SNAPSHOT (requested org.codehaus.groovy:groovy-testng:2.5.9)
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-kubernetes
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-ecs
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-lambda
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-appengine
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-cloudfoundry
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-google
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-artifacts
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-kubernetes (*)
     |    |    +--- project :clouddriver-ecs (*)
     |    |    +--- project :clouddriver-lambda (*)
     |    |    +--- project :clouddriver-appengine (*)
     |    |    +--- project :clouddriver-cloudfoundry (*)
     |    |    \--- project :clouddriver-google (*)
     |    +--- project :clouddriver-elasticsearch
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-sql-mysql
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-sql-postgres
     |    |    \--- runtimeClasspath
     |    +--- project :cats:cats-sql
     |    |    +--- project :clouddriver-sql-mysql (*)
     |    |    \--- project :clouddriver-sql-postgres (*)
     |    +--- project :clouddriver-sql
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-sql-mysql (*)
     |    |    +--- project :clouddriver-sql-postgres (*)
     |    |    \--- project :cats:cats-sql (*)
     |    +--- project :clouddriver-tencentcloud
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-titus
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-aws
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-ecs (*)
     |    |    +--- project :clouddriver-lambda (*)
     |    |    \--- project :clouddriver-titus (*)
     |    +--- project :clouddriver-eureka
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-tencentcloud (*)
     |    |    +--- project :clouddriver-titus (*)
     |    |    \--- project :clouddriver-aws (*)
     |    +--- project :clouddriver-oracle
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-azure
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-consul
     |    |    +--- runtimeClasspath
     |    |    \--- project :clouddriver-google (*)
     |    +--- project :clouddriver-huaweicloud
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-yandex
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-docker
     |    |    +--- runtimeClasspath
     |    |    \--- project :clouddriver-cloudfoundry (*)
     |    +--- project :clouddriver-core
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-kubernetes (*)
     |    |    +--- project :clouddriver-ecs (*)
     |    |    +--- project :clouddriver-lambda (*)
     |    |    +--- project :clouddriver-appengine (*)
     |    |    +--- project :clouddriver-cloudfoundry (*)
     |    |    +--- project :clouddriver-google (*)
     |    |    +--- project :clouddriver-artifacts (*)
     |    |    +--- project :clouddriver-elasticsearch (*)
     |    |    +--- project :cats:cats-sql (*)
     |    |    +--- project :clouddriver-sql (*)
     |    |    +--- project :clouddriver-tencentcloud (*)
     |    |    +--- project :clouddriver-titus (*)
     |    |    +--- project :clouddriver-aws (*)
     |    |    +--- project :clouddriver-eureka (*)
     |    |    +--- project :clouddriver-oracle (*)
     |    |    +--- project :clouddriver-azure (*)
     |    |    +--- project :clouddriver-consul (*)
     |    |    +--- project :clouddriver-huaweicloud (*)
     |    |    +--- project :clouddriver-yandex (*)
     |    |    \--- project :clouddriver-docker (*)
     |    +--- project :clouddriver-security
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-kubernetes (*)
     |    |    +--- project :clouddriver-ecs (*)
     |    |    +--- project :clouddriver-lambda (*)
     |    |    +--- project :clouddriver-appengine (*)
     |    |    +--- project :clouddriver-cloudfoundry (*)
     |    |    +--- project :clouddriver-google (*)
     |    |    +--- project :clouddriver-elasticsearch (*)
     |    |    +--- project :cats:cats-sql (*)
     |    |    +--- project :clouddriver-tencentcloud (*)
     |    |    +--- project :clouddriver-titus (*)
     |    |    +--- project :clouddriver-aws (*)
     |    |    +--- project :clouddriver-oracle (*)
     |    |    +--- project :clouddriver-azure (*)
     |    |    +--- project :clouddriver-huaweicloud (*)
     |    |    +--- project :clouddriver-yandex (*)
     |    |    +--- project :clouddriver-docker (*)
     |    |    \--- project :clouddriver-core (*)
     |    +--- project :cats:cats-redis
     |    |    +--- project :cats:cats-sql (*)
     |    |    \--- project :clouddriver-core (*)
     |    +--- project :cats:cats-core
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-kubernetes (*)
     |    |    +--- project :clouddriver-ecs (*)
     |    |    +--- project :clouddriver-lambda (*)
     |    |    +--- project :clouddriver-appengine (*)
     |    |    +--- project :clouddriver-cloudfoundry (*)
     |    |    +--- project :clouddriver-google (*)
     |    |    +--- project :cats:cats-sql (*)
     |    |    +--- project :clouddriver-sql (*)
     |    |    +--- project :clouddriver-tencentcloud (*)
     |    |    +--- project :clouddriver-titus (*)
     |    |    +--- project :clouddriver-aws (*)
     |    |    +--- project :clouddriver-eureka (*)
     |    |    +--- project :clouddriver-oracle (*)
     |    |    +--- project :clouddriver-azure (*)
     |    |    +--- project :clouddriver-huaweicloud (*)
     |    |    +--- project :clouddriver-yandex (*)
     |    |    +--- project :clouddriver-docker (*)
     |    |    +--- project :clouddriver-core (*)
     |    |    +--- project :clouddriver-security (*)
     |    |    \--- project :cats:cats-redis (*)
     |    +--- project :clouddriver-api
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-kubernetes (*)
     |    |    +--- project :clouddriver-ecs (*)
     |    |    +--- project :clouddriver-lambda (*)
     |    |    +--- project :clouddriver-appengine (*)
     |    |    +--- project :clouddriver-cloudfoundry (*)
     |    |    +--- project :clouddriver-google (*)
     |    |    +--- project :clouddriver-artifacts (*)
     |    |    +--- project :clouddriver-elasticsearch (*)
     |    |    +--- project :cats:cats-sql (*)
     |    |    +--- project :clouddriver-sql (*)
     |    |    +--- project :clouddriver-tencentcloud (*)
     |    |    +--- project :clouddriver-titus (*)
     |    |    +--- project :clouddriver-aws (*)
     |    |    +--- project :clouddriver-eureka (*)
     |    |    +--- project :clouddriver-oracle (*)
     |    |    +--- project :clouddriver-azure (*)
     |    |    +--- project :clouddriver-huaweicloud (*)
     |    |    +--- project :clouddriver-yandex (*)
     |    |    +--- project :clouddriver-docker (*)
     |    |    +--- project :clouddriver-core (*)
     |    |    +--- project :clouddriver-security (*)
     |    |    +--- project :cats:cats-redis (*)
     |    |    \--- project :cats:cats-core (*)
     |    +--- project :clouddriver-google-common
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-appengine (*)
     |    |    \--- project :clouddriver-google (*)
     |    +--- project :clouddriver-configserver
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-kubernetes (*)
     |    |    \--- project :clouddriver-aws (*)
     |    +--- project :clouddriver-saga
     |    |    +--- project :clouddriver-titus (*)
     |    |    +--- project :clouddriver-aws (*)
     |    |    \--- project :clouddriver-core (*)
     |    \--- project :clouddriver-event
     |         +--- project :clouddriver-sql (*)
     |         \--- project :clouddriver-saga (*)
     \--- org.codehaus.groovy:groovy-all:2.5.11
          +--- runtimeClasspath (requested org.codehaus.groovy:groovy-all)
          +--- project :clouddriver-kubernetes (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :clouddriver-ecs (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :clouddriver-lambda (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :clouddriver-appengine (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :clouddriver-cloudfoundry (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :clouddriver-google (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :clouddriver-artifacts (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :clouddriver-elasticsearch (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :cats:cats-sql (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :clouddriver-titus (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :clouddriver-aws (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :clouddriver-eureka (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :clouddriver-oracle (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :clouddriver-azure (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :clouddriver-consul (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :clouddriver-huaweicloud (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :clouddriver-yandex (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :clouddriver-docker (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :clouddriver-core (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :clouddriver-security (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :cats:cats-redis (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :cats:cats-core (requested org.codehaus.groovy:groovy-all) (*)
          +--- project :clouddriver-google-common (requested org.codehaus.groovy:groovy-all) (*)
          +--- io.spinnaker.kork:kork-bom:testng-cve-fix-SNAPSHOT (*)
          +--- io.spinnaker.kork:kork-web:7.109.0
          |    +--- runtimeClasspath (requested io.spinnaker.kork:kork-web)
          |    +--- project :clouddriver-eureka (requested io.spinnaker.kork:kork-web) (*)
          |    +--- project :clouddriver-core (requested io.spinnaker.kork:kork-web) (*)
          |    +--- io.spinnaker.kork:kork-bom:testng-cve-fix-SNAPSHOT (requested io.spinnaker.kork:kork-web:testng-cve-fix-SNAPSHOT) (*)
          |    +--- io.spinnaker.kork:kork-runtime:testng-cve-fix-SNAPSHOT (requested io.spinnaker.kork:kork-web:testng-cve-fix-SNAPSHOT)
          |    |    +--- runtimeClasspath (requested io.spinnaker.kork:kork-runtime)
          |    |    \--- io.spinnaker.kork:kork-bom:testng-cve-fix-SNAPSHOT (*)
          |    +--- io.spinnaker.kork:kork-retrofit:testng-cve-fix-SNAPSHOT (requested io.spinnaker.kork:kork-web:testng-cve-fix-SNAPSHOT)
          |    |    +--- project :clouddriver-aws (requested io.spinnaker.kork:kork-retrofit) (*)
          |    |    +--- project :clouddriver-core (requested io.spinnaker.kork:kork-retrofit) (*)
          |    |    +--- io.spinnaker.kork:kork-bom:testng-cve-fix-SNAPSHOT (*)
          |    |    \--- io.spinnaker.kork:kork-runtime:testng-cve-fix-SNAPSHOT (*)
          |    +--- io.spinnaker.kork:kork-plugins:testng-cve-fix-SNAPSHOT (requested io.spinnaker.kork:kork-web:testng-cve-fix-SNAPSHOT)
          |    |    +--- runtimeClasspath (requested io.spinnaker.kork:kork-plugins)
          |    |    +--- project :clouddriver-core (requested io.spinnaker.kork:kork-plugins) (*)
          |    |    \--- io.spinnaker.kork:kork-bom:testng-cve-fix-SNAPSHOT (*)
          |    \--- io.spinnaker.fiat:fiat-api:1.28.0
          |         +--- runtimeClasspath
          |         +--- project :clouddriver-ecs (*)
          |         +--- project :clouddriver-appengine (*)
          |         +--- project :clouddriver-google (*)
          |         +--- project :cats:cats-sql (*)
          |         +--- project :clouddriver-tencentcloud (*)
          |         +--- project :clouddriver-titus (*)
          |         +--- project :clouddriver-aws (*)
          |         +--- project :clouddriver-oracle (*)
          |         +--- project :clouddriver-azure (*)
          |         +--- project :clouddriver-huaweicloud (*)
          |         +--- project :clouddriver-docker (*)
          |         +--- project :clouddriver-core (*)
          |         +--- project :clouddriver-security (*)
          |         \--- project :clouddriver-google-common (*)
          \--- io.spinnaker.kork:kork-aws:testng-cve-fix-SNAPSHOT
               +--- project :clouddriver-aws (requested io.spinnaker.kork:kork-aws) (*)
               \--- io.spinnaker.kork:kork-bom:testng-cve-fix-SNAPSHOT (*)
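
The check made by eye in the two dependency-insight comments above can be automated. This is an added example, not part of the pull request or the Spinnaker build: it parses `dependencyInsight` text, fails when a module resolves below a required minimum, and lists the requested versions that still need the pin. The function names are this example's own, `AFTER_FIX` is trimmed from the gate output above, and `BEFORE_FIX` is constructed.

```python
import re

# Report header lines start in column 0 and look like either
#   group:name:version                 (version selected as requested)
#   group:name:requested -> selected   (requested version was replaced)
HEADER = re.compile(
    r"^(?P<group>[\w.\-]+):(?P<name>[\w.\-]+):(?P<requested>[^\s:]+)"
    r"(?:\s+->\s+(?P<selected>\S+))?\s*$"
)
REASON = re.compile(r"^\s+-\s+(?P<reason>.+?)\s*$")

MODULE = "org.testng:testng"

# Trimmed from the gate-web output in the comment above.
AFTER_FIX = r"""
> Task :gate-web:dependencyInsight
org.testng:testng:7.4.0
   variant "runtimeElements" [
      org.gradle.status              = release (not requested)
   ]
   Selection reasons:
      - By constraint
      - By conflict resolution : between versions 7.4.0 and 6.13.1

org.testng:testng:7.4.0
\--- io.spinnaker.kork:kork-bom:testng-cve-fix-SNAPSHOT
     \--- runtimeClasspath

org.testng:testng:6.13.1 -> 7.4.0
\--- org.codehaus.groovy:groovy-testng:2.5.11
     \--- org.codehaus.groovy:groovy-all:2.5.11
          \--- runtimeClasspath
"""

# Constructed sample: what a report without the constraint could look like.
BEFORE_FIX = r"""
org.testng:testng:6.13.1
\--- org.codehaus.groovy:groovy-testng:2.5.11
     \--- org.codehaus.groovy:groovy-all:2.5.11
          \--- runtimeClasspath
"""


def version_key(version):
    """Numeric key for dotted versions such as 6.13.1.
    Assumption of this example: qualifiers after '-' are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    while nums and nums[-1] == 0:
        nums.pop()  # so that 7.4 and 7.4.0 compare equal
    return tuple(nums)


def parse_insight(text, module):
    """Collect selected versions, requested versions and selection reasons."""
    info = {"selected": set(), "requested": set(), "reasons": []}
    current, in_reasons = None, False
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = f"{header['group']}:{header['name']}"
            in_reasons = False
            if current == module:
                info["requested"].add(header["requested"])
                info["selected"].add(header["selected"] or header["requested"])
        elif line.strip() == "Selection reasons:":
            in_reasons = True
        elif in_reasons and current == module:
            reason = REASON.match(line)
            if reason:
                info["reasons"].append(reason["reason"])
            else:
                in_reasons = False  # blank or other line ends the list
    return info


def check_minimum(text, module, minimum):
    """Return a list of problems; an empty list means the report passes."""
    info = parse_insight(text, module)
    if not info["selected"]:
        return [f"{module} not found in report"]
    floor = version_key(minimum)
    return [f"{module} resolves to {v}, below {minimum}"
            for v in sorted(info["selected"]) if version_key(v) < floor]


def stale_requests(text, module, minimum):
    """Requested versions below `minimum`; while any remain, the pin is needed."""
    floor = version_key(minimum)
    requested = parse_insight(text, module)["requested"]
    return sorted(v for v in requested if version_key(v) < floor)


if __name__ == "__main__":
    for name, report in (("after", AFTER_FIX), ("before", BEFORE_FIX)):
        print(name, check_minimum(report, MODULE, "7.4.0"),
              stale_requests(report, MODULE, "7.4.0"))
```

An empty result from `stale_requests` on a later report means no dependency asks for an older testng any more.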

@@ -168,6 +168,7 @@ dependencies {
api("org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.1.5.RELEASE")
api("org.springframework.security.extensions:spring-security-saml-dsl-core:1.0.5.RELEASE")
api("org.springframework.security.extensions:spring-security-saml2-core:1.0.9.RELEASE")
api("org.testng:testng:7.4.0") // TODO: remove this with upgrade of spring-boot version to 2.5.0 or with upgrade of groovy-all to 3.0.8
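Review bot: the trailing TODO on the added `api("org.testng:testng:7.4.0")` line records when the pin can go but not why it is there. Put the advisory from the PR description (SONATYPE-2019-0115) in the comment, and move the comment to its own line above the entry so the line stays short and the removal condition is easy to grep for. A linked tracking issue would also help, since nothing in the build will flag the pin once spring-boot 2.5.0 or groovy-all 3.0.8 makes it redundant.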
Contributor

As background, groovy 3.0.7 brings in testng 7.3.0 and groovy 3.0.8 brings in 7.4.0 via this commit (apache/groovy@c187b71).

spring boot 2.5.0 brings in groovy-testng 3.0.8, where spring boot 2.4.9 brings in groovy-testng 2.5.14. It's in theory possible that some later 2.4.x could move to groovy-testng 3.0.8, but given this 2.5 release note, that seems unlikely.

@dbyron-sf
Contributor

I believe https://snyk.io/vuln/SNYK-JAVA-ORGTESTNG-174823 motivates updating testng to at least 7.0.0 and testng-team/testng#2406 motivates going to 7.4.0

@dbyron-sf
Contributor

I'm a little nervous about such a big jump in testng (from 6.13.1 to 7.4.0), but given that I only see fixes, new features, and removal of deprecated functions in https://github.com/cbeust/testng/blob/7.4.0/CHANGES.txt (i.e. nothing obviously breaking) and https://github.com/cbeust/testng/blob/7.4.0/build.gradle.kts#L108 shows that testng tests against groovy 2.4 (i.e. not 3.x), I'm OK with this.

@dbyron-sf dbyron-sf added the ready to merge Approved and ready for merge label Sep 3, 2021
@mergify mergify bot merged commit a3ae313 into spinnaker:master Sep 3, 2021
@mergify mergify bot added the auto merged label Sep 3, 2021
@j-sandy
Contributor Author

j-sandy commented Sep 4, 2021

@dbyron-sf Thanks for the elaborate supporting details.

@j-sandy j-sandy deleted the testng-cve-fix branch September 4, 2021 14:10
ylebedeva pushed a commit to ylebedeva/kork that referenced this pull request May 3, 2022
…ty (spinnaker#894)

SONATYPE-2019-0115
org.testng:testng is transitively introduced by org.codehaus.groovy:groovy-testng (part of groovy-all)

Co-authored-by: j-sandy <jsandy>
richard-timpson pushed a commit to richard-timpson/kork that referenced this pull request May 3, 2023
…innaker#11)

chore(dependencies): Upgrade org.testng:testng to resolve vulnerability (spinnaker#894)

SONATYPE-2019-0115
org.testng:testng is transitively introduced by org.codehaus.groovy:groovy-testng (part of groovy-all)

Co-authored-by: j-sandy <jsandy>

Co-authored-by: Sandesh <sandeshjainhyd@gmail.com>