CVE-2023-44487: Replace com.github.tomakehurst:wiremock* with org.wiremock:wiremock* #427

Open
yeikel opened this issue Nov 20, 2023 · 2 comments
Labels
enhancement New feature or request good first issue Good for newcomers recipe Recipe request

Comments


yeikel commented Nov 20, 2023

What problem are you trying to solve?

Starting with wiremock 3.x, the coordinates of the dependency changed

From

<dependency>
    <groupId>com.github.tomakehurst</groupId>
    <artifactId>wiremock-jre8</artifactId>
</dependency>

To:

<dependency>
    <groupId>org.wiremock</groupId>
    <artifactId>wiremock</artifactId>
</dependency>

Using 2.x versions puts teams at risk from issues such as CVE-2023-44487.

Sample diff:

diff --git a/pom.xml b/pom.xml
         <!--Testing framework to allow for mocking external service calls-->
         <dependency>
-            <groupId>com.github.tomakehurst</groupId>
-            <artifactId>wiremock-jre8</artifactId>
-            <version>2.35.1</version>
+            <groupId>org.wiremock</groupId>
+            <artifactId>wiremock</artifactId>
+            <version>3.3.1</version>
             <scope>test</scope>
         </dependency>
     </dependencies>
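Review bot: the hunk moves to 3.3.1 but carries no guard for the Java 8 constraint the issue itself raises below (v3 no longer supports Java 8), so a recipe derived from this diff should check the project's compiler target (for example `maven.compiler.release`) before rewriting the coordinates and leave Java 8 projects untouched. The excerpt also lacks the `@@` hunk header and `---`/`+++` file headers, so it will not apply with `git apply` as pasted; including them would let readers try the change directly.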

In my case, changing the coordinates was enough, but there are some breaking changes we need to be aware of as well. See the release notes for more details.

Describe the solution you'd like

  1. Replace the coordinates
  2. Migrate deprecated APIs

Additional context

  • v3 no longer supports Java 8, so this recipe should not be applied to Java 8 projects

Relevant:

https://www.cve.org/CVERecord?id=CVE-2023-44487
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/

openrewrite/rewrite-java-dependencies#58

@yeikel yeikel added the enhancement New feature or request label Nov 20, 2023
@timtebeek timtebeek added good first issue Good for newcomers recipe Recipe request labels Nov 20, 2023
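As an added illustration of the two-part request above (replace the coordinates, but never on a Java 8 project), the following stand-alone script rewrites a pom.xml the way the requested recipe would. It is example code written for this page, not code from the issue or from OpenRewrite. It takes the `wiremock-jre8` to `wiremock` mapping and the 3.3.1 version from the issue; the `wiremock-jre8-standalone` to `wiremock-standalone` mapping and the Java 11 minimum are the author's assumptions about WireMock 3.x, and the sample poms are constructed for the demo.

```python
# Added example, not the issue's or OpenRewrite's code: rewrite
# com.github.tomakehurst:wiremock-jre8* to org.wiremock:wiremock* in a pom.xml,
# refusing to touch projects that still compile for Java 8.
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
ET.register_namespace("", POM_NS)  # keep the default namespace unprefixed on output

# Old coordinates -> new coordinates. Only the first pair is taken from the issue;
# the standalone pair is an assumption about WireMock 3.x's artifact layout.
COORDINATE_MAP = {
    ("com.github.tomakehurst", "wiremock-jre8"): ("org.wiremock", "wiremock"),
    ("com.github.tomakehurst", "wiremock-jre8-standalone"): ("org.wiremock", "wiremock-standalone"),
}
NEW_VERSION = "3.3.1"  # version the issue's sample diff moves to
MIN_JAVA = 11          # assumption: 3.x dropped Java 8, so 11 is the floor enforced here


def _q(tag: str) -> str:
    """Namespace-qualify a POM element name for ElementTree lookups."""
    return f"{{{POM_NS}}}{tag}"


def _parse_release(text: str) -> Optional[int]:
    """'1.8' -> 8, '17' -> 17; property references such as '${java.version}' -> None."""
    text = text.strip()
    if text.startswith("1.") and text[2:].isdigit():
        return int(text[2:])
    return int(text) if text.isdigit() else None


def java_target(root: ET.Element) -> Optional[int]:
    """Java release the pom compiles for, read from maven.compiler.* properties."""
    props = root.find(_q("properties"))
    if props is None:
        return None
    for key in ("maven.compiler.release", "maven.compiler.target", "maven.compiler.source"):
        el = props.find(_q(key))
        if el is not None and el.text:
            return _parse_release(el.text)
    return None


def migrate_wiremock(pom_xml: str) -> Tuple[str, dict]:
    """Return (rewritten pom, report). The pom comes back unchanged when the
    project targets a Java release older than MIN_JAVA. Note that ElementTree
    drops XML comments, so a production tool would need a comment-preserving parser."""
    root = ET.fromstring(pom_xml)
    target = java_target(root)
    if target is not None and target < MIN_JAVA:
        return pom_xml, {"changed": 0, "skipped": f"targets Java {target}; WireMock 3.x needs {MIN_JAVA}+"}

    changed = 0
    # iter() also visits <dependencyManagement>, so managed versions are bumped too
    for dep in root.iter(_q("dependency")):
        gid, aid = dep.find(_q("groupId")), dep.find(_q("artifactId"))
        if gid is None or aid is None or gid.text is None or aid.text is None:
            continue
        key = (gid.text.strip(), aid.text.strip())
        if key not in COORDINATE_MAP:
            continue
        gid.text, aid.text = COORDINATE_MAP[key]
        ver = dep.find(_q("version"))
        if ver is not None:  # versionless deps inherit from dependencyManagement; leave them
            ver.text = NEW_VERSION
        changed += 1
    return ET.tostring(root, encoding="unicode"), {"changed": changed, "skipped": None}


# Constructed sample poms, modelled on the dependency block quoted in the issue.
def _sample_pom(release: str) -> str:
    return f"""<project xmlns="{POM_NS}">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <maven.compiler.release>{release}</maven.compiler.release>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.github.tomakehurst</groupId>
      <artifactId>wiremock-jre8</artifactId>
      <version>2.35.1</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""


SAMPLE_POM_JAVA17 = _sample_pom("17")
SAMPLE_POM_JAVA8 = _sample_pom("1.8")

if __name__ == "__main__":
    for pom in (SAMPLE_POM_JAVA17, SAMPLE_POM_JAVA8):
        rewritten, report = migrate_wiremock(pom)
        print(report)
        if report["changed"]:
            print(rewritten)
```

Running the script rewrites the Java 17 pom to the org.wiremock coordinates at 3.3.1 while keeping the test scope, and reports the Java 8 pom as skipped without modifying it, which is the precondition an OpenRewrite recipe for this migration would also need to enforce.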
@timtebeek

@oleg-nenashev would you want to take this on together? I think we can reuse quite some existing components to help folks migrate, and would be good to have you involved.

@timtebeek timtebeek moved this to Recipes Wanted in OpenRewrite Nov 20, 2023
@timtebeek

Can at least be surfaced with the recipe introduced in this PR
