Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix logback serialization vulnerability #88

Merged
merged 4 commits into from
Dec 17, 2024
Merged

Fix logback serialization vulnerability #88

merged 4 commits into from
Dec 17, 2024

Conversation

munishchouhan
Copy link
Member

This PR will bump logback to fix serialization vulnerability

@munishchouhan
bump logback to 1.5.12
247b5c6 
Signed-off-by: munishchouhan <[email protected]>
@munishchouhan munishchouhan self-assigned this Dec 17, 2024
@munishchouhan
Copy link
Member Author

tested

(base) munish.chouhan@Munishs-MacBook-Pro wave-cli % ./wave --version
SLF4J(I): Connected with provider of type [ch.qos.logback.classic.spi.LogbackServiceProvider]
1.5.0_247b5c6
(base) munish.chouhan@Munishs-MacBook-Pro wave-cli % ./wave -i ubuntu 
SLF4J(I): Connected with provider of type [ch.qos.logback.classic.spi.LogbackServiceProvider]
wave.seqera.io/wt/b5ee492e9d17/library/ubuntu:latest

@munishchouhan
Copy link
Member Author

Its also printing
SLF4J(I): Connected with provider of type [ch.qos.logback.classic.spi.LogbackServiceProvider]

@pditommaso
Bump slf4j version 2.0.16
8976bce 
Signed-off-by: Paolo Di Tommaso <[email protected]>
@pditommaso
Copy link
Contributor

Bumping org.slf4j version 2.0.16 suppressed that log info.

@munishchouhan
Copy link
Member Author

I have also added a small change
To set jvm vendor as graalvm
gradle/gradle#16595

@munishchouhan
Copy link
Member Author

Tested successfully

(base) munish.chouhan@Munishs-MacBook-Pro wave-cli % ./app/build/native/nativeCompile/wave --version
1.5.0_unknown
(base) munish.chouhan@Munishs-MacBook-Pro wave-cli % ./app/build/native/nativeCompile/wave -i ubuntu
wave.seqera.io/wt/fc0eb2ef1ed0/library/ubuntu:latest

@munishchouhan
Copy link
Member Author

somehow ci is failing with that change
I will open separate PR for that

@pditommaso pditommaso merged commit 6ae7be3 into master Dec 17, 2024
13 checks passed
@pditommaso pditommaso deleted the WV-14-CLI-Fix-logback-serialization-vulnerability branch December 17, 2024 08:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pditommaso pditommaso Awaiting requested review from pditommaso

Assignees

@munishchouhan munishchouhan

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@munishchouhan @pditommaso