[Bug]: Vulnerable dependency commons-compress 1.24.0 #8338
Comments
Anyone coming across this, please follow the discussion at #8354. The

Apache released patch version 1.26.1 of commons-compress last week, which may address this? I was able to successfully upgrade the commons-compress version in a project of mine to 1.26.1 that was previously failing on 1.26.0 with:

```
java.lang.NoClassDefFoundError: org/apache/commons/codec/Charsets
    at org.apache.commons.compress.archivers.tar.TarArchiveOutputStream.<init>(TarArchiveOutputStream.java:212)
    at org.apache.commons.compress.archivers.tar.TarArchiveOutputStream.<init>(TarArchiveOutputStream.java:157)
    at org.apache.commons.compress.archivers.tar.TarArchiveOutputStream.<init>(TarArchiveOutputStream.java:147)
    at org.testcontainers.containers.ContainerState.copyFileToContainer(ContainerState.java:350)
    at org.testcontainers.containers.ContainerState.copyFileToContainer(ContainerState.java:331)
    at java.base/java.util.LinkedHashMap.forEach(LinkedHashMap.java:986)
    at org.testcontainers.containers.GenericContainer.tryStart(GenericContainer.java:441)
```

Do I understand this correctly: it will probably not be updated before Spring has updated it to 1.26.1?

Is there any reason not to resolve this by updating to 1.26.1? The NoClassDefFoundError has been resolved in that version.
It also works with 1.27.0. Please update. |
When this does get upgraded it seems pretty clear that it should also become a shaded dependency. Libraries with other common libraries as dependencies are problematic. |
In folio-backend-testing, upgrade commons-compress from 1.24 to 1.27.1. This upgrades the commons-compress version that testcontainers comes with from a vulnerable version to a fixed version:
* testcontainers/testcontainers-java#8338
* https://www.cve.org/CVERecord?id=CVE-2024-25710
* https://www.cve.org/CVERecord?id=CVE-2024-26308
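The approach the commit above takes (pinning commons-compress in the consuming project rather than waiting for Testcontainers to bump it) can be expressed as a Gradle dependency constraint. The snippet below is an added example and not code from the Testcontainers project or from folio-backend-testing; it assumes a Gradle build using the Groovy DSL, the `testImplementation` configuration, and the Testcontainers version reported in this issue (1.19.5). The commons-compress version 1.27.1 is the one the commit above upgraded to.

```groovy
// build.gradle of a project that consumes Testcontainers (added example, not project code).
// A constraint raises the transitive commons-compress version that Testcontainers declares
// (1.24.0) to a fixed release, while still letting Gradle resolve the POM of the selected
// version, so any dependencies that 1.26.x+ itself declares are pulled in as well.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // Version from this issue's report; assumed to be the version the consuming project uses.
    testImplementation 'org.testcontainers:testcontainers:1.19.5'

    constraints {
        // Applies to every configuration that extends testImplementation (e.g. testRuntimeClasspath).
        testImplementation('org.apache.commons:commons-compress:1.27.1') {
            because 'CVE-2024-25710 / CVE-2024-26308: commons-compress 1.24.0 is pulled in transitively by testcontainers (#8338)'
        }
    }
}
```

To confirm what actually lands on the test classpath, run `./gradlew dependencyInsight --configuration testRuntimeClasspath --dependency commons-compress`; the report shows the requested 1.24.0 being resolved to 1.27.1 and names the constraint as the reason. Note that a plain exclusion of commons-compress (instead of a constraint) would leave Testcontainers without a class it needs at runtime, which is the kind of breakage the stack trace earlier in this thread shows.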
Module: Core
Testcontainers version: 1.19.5
Using the latest Testcontainers version? Yes
Host OS: Linux
Host Arch: x86_64
Docker version:

What happened?

Testcontainers pulls in commons-compress 1.24.0.
https://github.com/testcontainers/testcontainers-java/blob/main/core/build.gradle#L76