This is an automated email from the ASF dual-hosted git repository.

tiagobento pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/incubator-kie-tools.git


The following commit(s) were added to refs/heads/main by this push:
     new ddda0e885f4 kie-issues#1594: Security fixes for 
dev-deployment-kogito-quarkus-blank-app (#2716)
ddda0e885f4 is described below

commit ddda0e885f48d2fcb95c57683742d3cf1ba57660
Author: Alex Porcelli <[email protected]>
AuthorDate: Wed Oct 30 14:11:19 2024 -0400

    kie-issues#1594: Security fixes for dev-deployment-kogito-quarkus-blank-app 
(#2716)
    
    Co-authored-by: Tiago Bento <[email protected]>
---
 .../Containerfile                                  |  4 +-
 .../pom.xml                                        | 90 +++++++++++++++-------
 2 files changed, 65 insertions(+), 29 deletions(-)

diff --git 
a/packages/dev-deployment-kogito-quarkus-blank-app-image/Containerfile 
b/packages/dev-deployment-kogito-quarkus-blank-app-image/Containerfile
index 9fad06ed812..d593ff44c4f 100644
--- a/packages/dev-deployment-kogito-quarkus-blank-app-image/Containerfile
+++ b/packages/dev-deployment-kogito-quarkus-blank-app-image/Containerfile
@@ -30,7 +30,7 @@ COPY --chown=$USER_ID:$USER_ID dist-dev/quarkus-app 
$HOME_PATH/app/
 COPY --chown=$USER_ID:$USER_ID dist-dev/settings.xml 
/tmp/kogito/.m2/settings.xml
 
 # Pre-populate local Maven repository for faster startup
-RUN ./mvnw clean package -B -nsu --settings /tmp/kogito/.m2/settings.xml 
-Dmaven.test.skip -Dmaven.repo.local=/tmp/kogito/.m2/repository 
-Dquarkus.http.non-application-root-path=${ROOT_PATH}/q 
-Dquarkus.http.root-path=${ROOT_PATH} \
+RUN ./mvnw -Dmaven=3.9.6 clean package -B -nsu --settings 
/tmp/kogito/.m2/settings.xml -Dmaven.test.skip 
-Dmaven.repo.local=/tmp/kogito/.m2/repository 
-Dquarkus.http.non-application-root-path=${ROOT_PATH}/q 
-Dquarkus.http.root-path=${ROOT_PATH} \
   && chgrp -R 0 $HOME_PATH/app && chmod -R g=u $HOME_PATH/app && chgrp -R 0 
/tmp/kogito && chmod -R g=u /tmp/kogito && chgrp -R 0 /.m2 && chmod -R g=u /.m2
 
 USER $USER_ID
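Review bot: The Maven pin `-Dmaven=3.9.6` is now hard-coded twice, once in this RUN line and again in the CMD line of the next hunk, so the build-time pre-population and the runtime `quarkus:dev` invocation can silently drift apart; declaring it once as `ENV MAVEN_VERSION=3.9.6` and passing `-Dmaven=${MAVEN_VERSION}` in both places keeps them on the same version (ENV rather than ARG, since the CMD is expanded by `bash -c` at container start). Whether `./mvnw` actually reads a `maven` system property to choose its distribution is not visible here; if it does not, the flag is just an unused system property and the effective version is whatever the wrapper's `maven-wrapper.properties` pins, so it is worth confirming with a `./mvnw --version` step in the build stage. A short comment such as `# Pin Maven to 3.9.6 (see kie-issues#1594)` next to the RUN line would record why the pin exists.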
@@ -39,4 +39,4 @@ EXPOSE 8080
 
 ENTRYPOINT ["/bin/bash", "-c"]
 
-CMD ["dev-deployment-upload-service && cp -r $HOME_PATH/app/. /tmp/app && cd 
/tmp/app && ./mvnw quarkus:dev -o -s=/tmp/kogito/.m2/settings.xml 
-Dquarkus.analytics.disabled=true -Ddebug=false 
-Dmaven.repo.local=/tmp/kogito/.m2/repository 
-Dquarkus.http.non-application-root-path=${ROOT_PATH}/q 
-Dquarkus.http.root-path=${ROOT_PATH}"]
+CMD ["dev-deployment-upload-service && cp -r $HOME_PATH/app/. /tmp/app && cd 
/tmp/app && ./mvnw -Dmaven=3.9.6 quarkus:dev -o -s=/tmp/kogito/.m2/settings.xml 
-Dquarkus.analytics.disabled=true -Ddebug=false 
-Dmaven.repo.local=/tmp/kogito/.m2/repository 
-Dquarkus.http.non-application-root-path=${ROOT_PATH}/q 
-Dquarkus.http.root-path=${ROOT_PATH}"]
diff --git a/packages/dev-deployment-kogito-quarkus-blank-app/pom.xml 
b/packages/dev-deployment-kogito-quarkus-blank-app/pom.xml
index b2f9abac4cd..0708db7b997 100644
--- a/packages/dev-deployment-kogito-quarkus-blank-app/pom.xml
+++ b/packages/dev-deployment-kogito-quarkus-blank-app/pom.xml
@@ -25,11 +25,8 @@
   <!-- Purposefully not declaring maven-base as parent -->
   <!-- As this app aims to work as any consumer app would. -->
 
-  <parent>
-    <groupId>org.apache</groupId>
-    <artifactId>apache</artifactId>
-    <version>32</version>
-  </parent>
+  <!-- Purposefully not declaring `apache` as parent -->
+  <!-- As this app is not meant to be published and consumed as a library -->
 
   <modelVersion>4.0.0</modelVersion>
   <groupId>org.kie.kogito</groupId>
@@ -47,7 +44,7 @@
     <!-- Maven versions -->
     <version.maven.artifact.plugin>3.4.1</version.maven.artifact.plugin>
     <version.maven.compiler.plugin>3.13.0</version.maven.compiler.plugin>
-    <version.maven.resources.plugin>3.2.0</version.maven.resources.plugin>
+    <version.maven.resources.plugin>3.3.1</version.maven.resources.plugin>
     <version.maven.failsafe.plugin>3.0.0-M7</version.maven.failsafe.plugin>
     <version.maven.surefire.plugin>3.5.0</version.maven.surefire.plugin>
     <version.maven.install.plugin>3.1.3</version.maven.install.plugin>
@@ -55,7 +52,6 @@
     <version.maven.site.plugin>3.12.1</version.maven.site.plugin>
     <version.maven.dependency.plugin>3.6.1</version.maven.dependency.plugin>
     <version.maven.jar.plugin>3.4.1</version.maven.jar.plugin>
-    
<version.maven.remote.resources.plugin>3.2.0</version.maven.remote.resources.plugin>
     <version.maven.clean.plugin>3.4.0</version.maven.clean.plugin>
     <version.codehaus.flatten.plugin>1.6.0</version.codehaus.flatten.plugin>
 
@@ -67,6 +63,8 @@
     <version.junit>4.13.2</version.junit>
     
<version.org.apache.commons.commons-compress>1.26.1</version.org.apache.commons.commons-compress>
     <version.org.iq80.snappy>0.5</version.org.iq80.snappy>
+    <version.commons-io>2.16.1</version.commons-io>
+    <version.com.google.protobuf>3.25.5</version.com.google.protobuf>
   </properties>
 
   <dependencyManagement>
@@ -94,6 +92,18 @@
   </dependencyManagement>
 
   <dependencies>
+    <!-- This was added when the latest version of protobuf brought by Quarkus 
was 3.25.0 -->
+    <!-- To address CVE-2024-7254, affecting protobuf:3.25.0 -->
+    <dependency>
+      <groupId>com.google.protobuf</groupId>
+      <artifactId>protobuf-java</artifactId>
+      <version>${version.com.google.protobuf}</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.protobuf</groupId>
+      <artifactId>protobuf-java-util</artifactId>
+      <version>${version.com.google.protobuf}</version>
+    </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-compress</artifactId>
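Review bot: The protobuf override is declared under `<dependencies>`, which makes `protobuf-java` and `protobuf-java-util` direct compile-scope dependencies of the app and ships them in the packaged application even if no code uses them; the file already has a `<dependencyManagement>` section, and an entry there pins the transitive version brought in by Quarkus without adding the artifacts to the classpath on their own (a version declared directly in `dependencyManagement` takes precedence over one from an imported BOM). If the app does use protobuf directly, keep the `<dependencies>` entries but move the `<version>` into `dependencyManagement` so the pin lives in one place. The comment would also benefit from a removal condition, e.g. `<!-- Remove once the Quarkus BOM manages protobuf-java >= 3.25.5 -->`. The `<dependencies>` element continues past this hunk.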
@@ -214,7 +224,6 @@
     <pluginManagement>
       <plugins>
         <plugin>
-          <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-site-plugin</artifactId>
           <version>${version.maven.site.plugin}</version>
           <dependencies>
@@ -231,24 +240,6 @@
           </dependencies>
         </plugin>
         <plugin>
-          <groupId>org.apache.maven.plugins</groupId>
-          <artifactId>maven-remote-resources-plugin</artifactId>
-          <version>${version.maven.remote.resources.plugin}</version>
-          <dependencies>
-            <dependency>
-              <groupId>org.apache.commons</groupId>
-              <artifactId>commons-compress</artifactId>
-              <version>${version.org.apache.commons.commons-compress}</version>
-            </dependency>
-            <dependency>
-              <groupId>org.iq80.snappy</groupId>
-              <artifactId>snappy</artifactId>
-              <version>${version.org.iq80.snappy}</version>
-            </dependency>
-          </dependencies>
-        </plugin>
-        <plugin>
-          <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-jar-plugin</artifactId>
           <version>${version.maven.jar.plugin}</version>
           <dependencies>
@@ -260,7 +251,6 @@
           </dependencies>
         </plugin>
         <plugin>
-          <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-surefire-plugin</artifactId>
           <version>${version.maven.surefire.plugin}</version>
           <dependencies>
@@ -276,6 +266,32 @@
             </dependency>
           </dependencies>
         </plugin>
+        <plugin>
+          <artifactId>maven-resources-plugin</artifactId>
+          <version>${version.maven.resources.plugin}</version>
+          <dependencies>
+            <dependency>
+              <!-- This was added when the latest version of 
maven-resources-plugin was 3.3.1 -->
+              <!-- To address CVE-2024-47554, affecting 
commons-io:commons-io:2.11 -->
+              <groupId>commons-io</groupId>
+              <artifactId>commons-io</artifactId>
+              <version>${version.commons-io}</version>
+            </dependency>
+          </dependencies>
+        </plugin>
+        <plugin>
+          <artifactId>maven-compiler-plugin</artifactId>
+          <version>${version.maven.compiler.plugin}</version>
+          <dependencies>
+            <dependency>
+              <!-- This was added when the latest version of 
maven-compiler-plugin was 3.13.0 -->
+              <!-- To address CVE-2024-47554, affecting 
commons-io:commons-io:2.11 -->
+              <groupId>commons-io</groupId>
+              <artifactId>commons-io</artifactId>
+              <version>${version.commons-io}</version>
+            </dependency>
+          </dependencies>
+        </plugin>
       </plugins>
     </pluginManagement>
     <plugins>
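Review bot: The commons-io override is copied verbatim for `maven-resources-plugin` and `maven-compiler-plugin`, and a plugin-level `<dependencies>` block only patches that one plugin's classloader, so the other plugins in this `pluginManagement` section that carry their own `<dependencies>` (site, jar, surefire above) keep whatever commons-io they resolve themselves; it is worth confirming the plugin dependency tree once rather than assuming these two are the only carriers. The duplicated comment should also say when the pin can go, e.g. `<!-- Remove once the plugin's own commons-io is at least ${version.commons-io} -->`, otherwise the override tends to outlive the vulnerable plugin release and holds the plugin at this commons-io even after a newer plugin ships a later one.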
@@ -336,4 +352,24 @@
       </plugin>
     </plugins>
   </build>
+  <repositories>
+    <repository>
+      <id>apache.snapshots</id>
+      <name>Apache Snapshot Repository</name>
+      <url>https://repository.apache.org/snapshots</url>
+      <releases>
+        <enabled>false</enabled>
+      </releases>
+    </repository>
+  </repositories>
+  <pluginRepositories>
+    <pluginRepository>
+      <id>apache.snapshots</id>
+      <name>Apache Snapshot Repository</name>
+      <url>https://repository.apache.org/snapshots</url>
+      <releases>
+        <enabled>false</enabled>
+      </releases>
+    </pluginRepository>
+  </pluginRepositories>
 </project>
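Review bot: Adding `apache.snapshots` as both a `repository` and a `pluginRepository` means every build of this POM, which the top of the file says should behave like any consumer app, will resolve mutable `-SNAPSHOT` artifacts and plugins from a remote repository, widening the supply-chain surface beyond release artifacts; presumably this restores what the removed `org.apache:apache:32` parent declared, but the POM does not say which snapshot artifact actually needs it. If it is only required during development, a comment naming that artifact or scoping the two entries under a profile would keep them out of ordinary builds, and `<snapshots><checksumPolicy>fail</checksumPolicy></snapshots>` on both entries would reject corrupted downloads instead of merely warning. The Containerfile in this commit runs the pre-population build with `-nsu` and the runtime build with `-o`, so the image itself will not refetch snapshots, but a developer running the same POM outside the image will.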

