-
Notifications
You must be signed in to change notification settings - Fork 377
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(guided remediation): Add special handling for specific Maven pack…
…ages (#1219) Add some special cases for overriding versions of Maven packages to prevent undesirable outcomes from following the correct versioning rules: - `com.google.guava:guava`: Preserve the version's 'flavor' (`-android` or `-jre`) when updating (Closes #1183) - Apache `commons-*`: Sort the ancient CalVer versions (e.g.`20021128.082114`) before the newer versions (`1.0`). The logic from this workaround should probably also be added to the updater, and also the other remediation strategies might want to make use of similar workarounds.
- Loading branch information
1 parent
5b4d517
commit 9a93484
Showing
13 changed files
with
1,340 additions
and
152 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
11 changes: 11 additions & 0 deletions
11
internal/remediation/fixtures/override-workaround/commons/osv-scanner.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| [[PackageOverrides]] | ||
| name = "commons-beanutils:commons-beanutils" | ||
| ecosystem = "Maven" | ||
| ignore = true | ||
| reason = "This is an intentionally vulnerable test project" | ||
|
|
||
| [[PackageOverrides]] | ||
| name = "commons-httpclient:commons-httpclient" | ||
| ecosystem = "Maven" | ||
| ignore = true | ||
| reason = "This is an intentionally vulnerable test project" |
20 changes: 20 additions & 0 deletions
20
internal/remediation/fixtures/override-workaround/commons/pom.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| <project> | ||
| <modelVersion>4.0.0</modelVersion> | ||
|
|
||
| <groupId>dev.osv</groupId> | ||
| <artifactId>osv-fix</artifactId> | ||
| <version>1</version> | ||
|
|
||
| <dependencies> | ||
| <dependency> | ||
| <groupId>commons-beanutils</groupId> | ||
| <artifactId>commons-beanutils</artifactId> | ||
| <version>20020520</version> | ||
| </dependency> | ||
| <dependency> | ||
| <groupId>commons-httpclient</groupId> | ||
| <artifactId>commons-httpclient</artifactId> | ||
| <version>3.0</version> | ||
| </dependency> | ||
| </dependencies> | ||
| </project> |
5 changes: 5 additions & 0 deletions
5
internal/remediation/fixtures/override-workaround/guava/android-to-android/osv-scanner.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| [[PackageOverrides]] | ||
| name = "com.google.guava:guava" | ||
| ecosystem = "Maven" | ||
| ignore = true | ||
| reason = "This is an intentionally vulnerable test project" |
15 changes: 15 additions & 0 deletions
15
internal/remediation/fixtures/override-workaround/guava/android-to-android/pom.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| <project> | ||
| <modelVersion>4.0.0</modelVersion> | ||
|
|
||
| <groupId>dev.osv</groupId> | ||
| <artifactId>osv-fix</artifactId> | ||
| <version>1</version> | ||
|
|
||
| <dependencies> | ||
| <dependency> | ||
| <groupId>com.google.guava</groupId> | ||
| <artifactId>guava</artifactId> | ||
| <version>22.0-android</version> | ||
| </dependency> | ||
| </dependencies> | ||
| </project> |
5 changes: 5 additions & 0 deletions
5
internal/remediation/fixtures/override-workaround/guava/jre-to-jre/osv-scanner.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| [[PackageOverrides]] | ||
| name = "com.google.guava:guava" | ||
| ecosystem = "Maven" | ||
| ignore = true | ||
| reason = "This is an intentionally vulnerable test project" |
15 changes: 15 additions & 0 deletions
15
internal/remediation/fixtures/override-workaround/guava/jre-to-jre/pom.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| <project> | ||
| <modelVersion>4.0.0</modelVersion> | ||
|
|
||
| <groupId>dev.osv</groupId> | ||
| <artifactId>osv-fix</artifactId> | ||
| <version>1</version> | ||
|
|
||
| <dependencies> | ||
| <dependency> | ||
| <groupId>com.google.guava</groupId> | ||
| <artifactId>guava</artifactId> | ||
| <version>23.1-jre</version> | ||
| </dependency> | ||
| </dependencies> | ||
| </project> |
5 changes: 5 additions & 0 deletions
5
internal/remediation/fixtures/override-workaround/guava/none-to-jre/osv-scanner.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| [[PackageOverrides]] | ||
| name = "com.google.guava:guava" | ||
| ecosystem = "Maven" | ||
| ignore = true | ||
| reason = "This is an intentionally vulnerable test project" |
15 changes: 15 additions & 0 deletions
15
internal/remediation/fixtures/override-workaround/guava/none-to-jre/pom.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| <project> | ||
| <modelVersion>4.0.0</modelVersion> | ||
|
|
||
| <groupId>dev.osv</groupId> | ||
| <artifactId>osv-fix</artifactId> | ||
| <version>1</version> | ||
|
|
||
| <dependencies> | ||
| <dependency> | ||
| <groupId>com.google.guava</groupId> | ||
| <artifactId>guava</artifactId> | ||
| <version>20.0</version> | ||
| </dependency> | ||
| </dependencies> | ||
| </project> |
79 changes: 79 additions & 0 deletions
79
internal/remediation/fixtures/override-workaround/universe.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| system: Maven | ||
| schema: | | ||
| com.google.guava:guava | ||
| 20.0 | ||
| 21.0 | ||
| 22.0 | ||
| 22.0-android | ||
| 23.0 | ||
| 23.0-android | ||
| 23.1-android | ||
| 23.1-jre | ||
| 24.0-android | ||
| 24.0-jre | ||
| commons-beanutils:commons-beanutils | ||
| 1.0 | ||
| 1.2 | ||
| 1.9.0 | ||
| 1.9.3 | ||
| 1.9.4 | ||
| 20020520 | ||
| 20021128.082114 | ||
| 20030211.134440 | ||
| commons-httpclient:commons-httpclient | ||
| 2.0.2 | ||
| 3.0 | ||
| 3.1 | ||
| 20020423 | ||
| vulns: | ||
| - id: OSV-000-000 | ||
| affected: | ||
| - package: | ||
| ecosystem: Maven | ||
| name: com.google.guava:guava | ||
| ranges: | ||
| - type: ECOSYSTEM | ||
| events: | ||
| - introduced: '0' | ||
| - fixed: '24.0-android' | ||
| versions: | ||
| - '20.0' | ||
| - '21.0' | ||
| - '22.0' | ||
| - '22.0-android' | ||
| - '23.0' | ||
| - '23.0-android' | ||
| - '23.1-android' | ||
| - '23.1-jre' | ||
| - id: GHSA-6phf-73q6-gh87 | ||
| affected: | ||
| - package: | ||
| ecosystem: Maven | ||
| name: commons-beanutils:commons-beanutils | ||
| ranges: | ||
| - type: ECOSYSTEM | ||
| events: | ||
| - introduced: '0' | ||
| - fixed: '1.9.4' | ||
| - introduced: '20020520' # The real OSV record is missing this event | ||
| versions: | ||
| - '1.0' | ||
| - '1.2' | ||
| - '1.9.0' | ||
| - '1.9.3' | ||
| - '20020520' | ||
| - '20021128.082114' | ||
| - '20030211.134440' | ||
| - id: GHSA-3832-9276-x7gf | ||
| affected: | ||
| - package: | ||
| ecosystem: Maven | ||
| name: commons-httpclient:commons-httpclient | ||
| ranges: | ||
| - type: ECOSYSTEM | ||
| events: | ||
| - introduced: '3.0' | ||
| - fixed: '4.0' | ||
| versions: | ||
| - '3.0' | ||
| - '3.1' |
Oops, something went wrong.