Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update scala-library jar bundled in apex-link from 2.13.3 to 2.13.9 #46

Closed
JonnyPower opened this issue Apr 4, 2024 · 2 comments · Fixed by #49
Closed

Update scala-library jar bundled in apex-link from 2.13.3 to 2.13.9 #46

JonnyPower opened this issue Apr 4, 2024 · 2 comments · Fixed by #49
Labels
dependencies
Milestone
April 2024

Comments

@JonnyPower
Copy link

Describe the bug
apexlink bundles some jars, one of which has a known CVE-2022-36944 https://nvd.nist.gov/vuln/detail/CVE-2022-36944

To Reproduce
refer to jar version in apexlink for scala-library

Expected behavior
Update scala-library to latest patch release for 2.13.x

Screenshots
image

Will submit a PR that refers to this issue shortly,
JonnyPower added a commit to Traction-Rec/sfp that referenced this issue Apr 4, 2024
@JonnyPower
fix: scala jars updated to latest patch for 2.13.x
6afaa2c 
Resolves know CVE with scala-library pre v2.13.9

Related to flxbl-io#46
@JonnyPower JonnyPower mentioned this issue Apr 4, 2024
Closed
5 tasks
@azlam-abdulsalam azlam-abdulsalam linked a pull request Apr 19, 2024 that will close this issue
feat(apexparser): upgrade apexparser to 4.0.0 #49
Merged
5 tasks
@azlam-abdulsalam azlam-abdulsalam added this to the April 2024 milestone Apr 19, 2024
@JonnyPower
Copy link
Author

ah - tricky!

still being reported
image

the scala-library-2.13.3 jar is still in the repo

@thraco
Copy link

thraco commented Jul 8, 2024
edited
Loading

I'm also still finding this vulnerability, in both 38.4.1 and 39.0.3. We're considering manually deleting the jar from our image, since presumably it's not being used.

Edit: Here's the culprit -- https://github.com/flxbl-io/sfp/blob/%40flxbl-io/sfp%4038.4.1/packages/apexlink/jars/scala-library-2.13.3.jar

@thraco thraco mentioned this issue Jul 9, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
dependencies
Projects
None yet
Milestone
April 2024
Development

Successfully merging a pull request may close this issue.

feat(apexparser): upgrade apexparser to 4.0.0 flxbl-io/sfp
3 participants
@thraco @JonnyPower @azlam-abdulsalam