getsentry / sentry-android-gradle-plugin

Gradle plugin for Sentry Android. Upload proguard, debug files, and more.

Home Page: https://docs.sentry.io/platforms/android/gradle/


Update TestNG Version to avoid Security Vulnerabilities

inktomi opened this issue

Gradle Version

8.6

AGP Version

8.2.2

Code Minifier/Optimizer

R8

Version

4.3.0

Sentry SDK Version

7.4.0

Steps to Reproduce

Include the gradle plugin, then run your build in an environment that blocks libraries with known CVE issues.

Expected Result

Build succeeds because no versions of libraries contain known CVEs.

Actual Result

CVE-2022-4065 is found because of TestNG 7.5

Hi @inktomi, this was a regression that added unwanted dependencies to the build classpath, which got fixed in #660. We're going to release a new version of the gradle plugin tomorrow CET time with this fix included. I'll keep you posted, but gonna close this issue as it's been already addressed. Thank you for the report!

@inktomi version 4.3.1 is out, please give it a try and let us know if that works, thanks! https://github.com/getsentry/sentry-android-gradle-plugin/releases/tag/4.3.1

I was out, but I'll try it today and report back!

Apparently this didn't fix it. I'll take another look soon; see #656 (comment)