Skip to content

Fix for Security Violations #432

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
agrasth merged 5 commits into from
Dec 19, 2025
Merged

Fix for Security Violations #432

agrasth merged 5 commits into from
Dec 19, 2025

Conversation

@agrasth
Copy link

@agrasth agrasth commented Dec 15, 2025
edited
Loading

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • This pull request is on the dev branch.

Fix: Update Dependencies to Address Security Vulnerabilities

Summary

Updated test dependencies to fix CVE-2025-11226 and documented CVE-2024-6763.

Changes

  • logback-classic: 1.3.15 -> 1.3.16 (fixes CVE-2025-11226)
  • wiremock-jre8: 2.35.0 -> 2.35.2 (latest Java 8 compatible version)

Test Fix Changes

Updated BaseRepositoryTests.groovy to handle Artifactory's stricter virtual repository package type validation:

  • Package type matching: Virtual repositories now require child repositories with matching package types. When getRepositorySettings(LOCAL) returns null (e.g., Terraform), the fix uses getRepositorySettings(VIRTUAL) settings instead to ensure correct package type.
  • Separate repo for virtual: For package types that don't support local repos (e.g., P2), a dedicated remote repository (rt-client-java-remote-for-virtual-*) is now created to avoid conflicts with test methods that create their own repos.
  • Proper cleanup: Added repoForVirtual field to track and clean up the dedicated child repository in tearDown().

Tests Fixed

  • TerraformPackageTypeRepositoryTests > testTerraformVirtualRepo
  • P2PackageTypeRepositoryTests > testP2RemoteRepo
  • CustomPropertiesRepositoryTests > testVirtualRepo
  • Various other package type tests that were failing with "package type mismatch" or "key already exists" errors

Notes

CVE-2024-6763 (Jetty) requires Jetty 12.x which is incompatible with Java 8 support.
Since this is test-only and doesn't affect production, the risk is documented and accepted.

@agrasth agrasth requested a review from nitinp19 December 15, 2025 09:10
@agrasth agrasth requested a review from bhanurp December 16, 2025 07:41
@agrasth
Fix virtual repository package type mismatch in tests
d1e0cdd 
- Virtual repositories now use child repositories with matching package types
- Fixes test failures for CustomPropertiesRepositoryTests, P2PackageTypeRepositoryTests, and TerraformPackageTypeRepositoryTests
- Resolves issue where virtual repos tried to include Generic repos when they had specific package types (Composer, P2, Terraform)
@agrasth
Fix: Create dedicated repo for virtual instead of reusing localRepo
f0361ac 
- Creates a separate repository for virtual repos to avoid naming conflicts
- Prevents "Case insensitive repository key already exists" error
- Repository key is now "rt-client-java-for-virtual-{id}" instead of reusing "rt-client-java-local-{id}"
@agrasth
Fix: Use correct package type settings and avoid repo conflicts
a962a88 
- When LOCAL settings are null, use VIRTUAL settings to ensure correct package type
- Create SEPARATE remote repo for virtual (rt-client-java-remote-for-virtual-*) to avoid conflicts with test methods
- Add dedicated repoForVirtual field for proper tracking and cleanup
- Fixes TerraformVirtualRepo, P2RemoteRepo, and other package type mismatch issues
@agrasth agrasth merged commit 768ac32 into dev Dec 19, 2025
2 of 4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bhanurp bhanurp bhanurp approved these changes

@nitinp19 nitinp19 Awaiting requested review from nitinp19

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@agrasth @bhanurp