CVE-2022-4065 against TestNG 7.5


Mark Derricutt

Feb 28, 2023, 3:56:30 PM
to testng-users

Noticed this pop up this morning:

[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '5.0':
[ERROR]
[ERROR] testng-7.5.jar: CVE-2022-4065(7.8)

Since 7.5 is the last version to support Java 8 - I wonder if anyone's looking at a patch release to resolve this, or shall I just add an exclusion until I can shift to Java 11+ and update (ironically, planned for a week or so finally).

Mark


"The ease with which a change can be implemented has no relevance at all to whether it is the right change for the (Java) Platform for all time." — Mark Reinhold.

Mark Derricutt
http://www.chaliceofblood.net
http://www.theoryinpractice.net
http://twitter.com/talios
http://facebook.com/mderricutt


Paul King

Feb 28, 2023, 4:07:11 PM
to testng...@googlegroups.com
I'd be keen to see an update too!


Krishnan Mahadevan

Feb 28, 2023, 10:12:28 PM
to testng...@googlegroups.com
There will not be any patch releases for already released versions for this. 

Request you to please upgrade to 7.7.1 as soon as possible. This contains the vulnerability fix. 

Note: if you are not using testng to run tests from within a jar using the “-testjar” argument, then this vulnerability is not going to affect you (I am guessing that almost all of us use testng to run our tests via a build tool, and in those cases this vulnerability doesn't affect such users).

Thanks & Regards
Krishnan Mahadevan

"All the desirable things in life are either illegal, expensive, fattening or in love with someone else!"
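As an added example, not from this thread or the TestNG project: the kind of scoped, time-boxed exception Mark asks about, assuming the scanner that produced the quoted "[ERROR]" output is OWASP dependency-check and that the condition Krishnan describes holds (TestNG is never launched with "-testjar"). The file name and the "until" date are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed file: dependency-check-suppressions.xml, referenced from the
     dependency-check-maven plugin's <suppressionFiles> configuration. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <!-- "until" makes the exception expire, so the build starts failing again
       if the TestNG 7.7.1 upgrade has not happened by then (assumed date). -->
  <suppress until="2023-06-30Z">
    <notes><![CDATA[
      CVE-2022-4065 in TestNG 7.5: per the testng-users thread, only relevant when
      TestNG is started with the -testjar argument. This build only runs TestNG
      through the build tool. Temporary until the Java 11+ move allows 7.7.1.
    ]]></notes>
    <!-- Match exactly the affected coordinate, not every org.testng artifact,
         so a future TestNG version with a different CVE is still reported. -->
    <packageUrl regex="true">^pkg:maven/org\.testng/testng@7\.5$</packageUrl>
    <cve>CVE-2022-4065</cve>
  </suppress>
</suppressions>
```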


Mark Derricutt

Mar 1, 2023, 4:19:49 PM
to testng...@googlegroups.com

On 1 Mar 2023, at 16:12, Krishnan Mahadevan wrote:

Request you to please upgrade to 7.7.1 as soon as possible. This contains the vulnerability fix.

If only that didn't include a required MAJOR JVM upgrade under a non-MAJOR version number change.

If I recall correctly, 7.7.x requires JDK11+ (which should have carried a major version change, but we can't change that now).


Paul King

Mar 1, 2023, 11:48:32 PM
to testng...@googlegroups.com
My reason for wanting the patch release is for Groovy users still using JDK 8. A significant percentage still.

Folks using later JDKs can exclude the dependency we reference and use later versions if they choose. We have moved to the latest TestNG for Groovy 5 which we will release later this year.

We try hard to remain agnostic wrt our users' test tool of choice. But here we can only recommend that JDK8 users that don't want the CVE warning messages move off TestNG. We aren't a huge project either, so I understand your decisions.

Cheers, Paul.

Krishnan Mahadevan

Mar 2, 2023, 1:56:29 AM
to testng-users
Paul,

I thought I should clarify the rationale.

TestNG does not have a lot of committers and so we are short of hands in terms of running the show.
If you would like to help us out by creating a branch that can be used to do a 7.5.1 release (patch release with the vulnerability fix and which uses JDK8), we can see how we can have it released.

This is the current release process that we follow to get releases done: https://github.com/cbeust/testng/wiki/TestNG-release-process

So the PR should essentially be something that can work with this above cited release process.

I hope that explains where I am coming from.