Open Editions
  • 1.  BAMOE - 9.2 - Dev - testcontainers

    Posted 3 days ago

    Hi,

    We are trying to migrate to BAMOE 9.2, but we hit a problem where one of the dependencies required for the maven-quarkus plugin is quarantined.

    <dependency>
        <groupId>org.testcontainers</groupId>
        <artifactId>testcontainers</artifactId>
    </dependency>


    The required version is 1.20.1 and it was quarantined, so we upgraded to 1.20.6; that was quarantined too, so we updated to 1.21.2.
    This is also quarantined because of the following CVEs:

    CVE-2024-26308
    CVE-2024-25710

    Do we have a fix for this? Or do we have an alternative way to run BAMOE (BPMN with persistence)?

    Thanks,

    Chandra



    ------------------------------
    Chandra Krothapalli
    ------------------------------


  • 2.  RE: BAMOE - 9.2 - Dev - testcontainers

    Posted 21 minutes ago

    Hi Chandra,

    Unfortunately, at the time of writing, there is still no version of `testcontainers` free of those CVEs, as you said.
    If you notice, those CVEs are transitively imported by the Apache `commons-compress` library.
    Considering you mentioned you upgraded `testcontainers`, the workaround you can apply is:

    • Exclude the Apache commons-compress library when declaring the `testcontainers` dependency in your project pom.xml
    • Declare Apache commons-compress with a version not affected by those CVEs (latest version 1.27.1).

    Please keep in mind that some incompatibility may occur (i.e. I'm not aware whether any `testcontainers` version is compatible with commons-compress version 1.27.1).

    Thank you.



    ------------------------------
    Yeser Amer
    ------------------------------
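
The two steps from the reply above, as an added pom.xml fragment that is not part of the original thread. It assumes the Maven coordinates org.apache.commons:commons-compress for the library in question, and that the testcontainers version is managed by the project's BOM as in Chandra's snippet; if that BOM also manages commons-compress, the same version must be pinned in dependencyManagement or the BOM's value wins.

```xml
<dependencies>
  <!-- Step 1: keep testcontainers but drop the vulnerable transitive
       commons-compress it pulls in (assumed coordinates:
       org.apache.commons:commons-compress). -->
  <dependency>
    <groupId>org.testcontainers</groupId>
    <artifactId>testcontainers</artifactId>
    <exclusions>
      <exclusion>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-compress</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Step 2: declare commons-compress directly at a version not affected
       by CVE-2024-26308 / CVE-2024-25710 (1.27.1, per the reply). -->
  <dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-compress</artifactId>
    <version>1.27.1</version>
  </dependency>
</dependencies>
```

Check that the override took effect with `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress`, which should list only 1.27.1 under every path; then run the testcontainers-backed tests, since the reply notes that compatibility with 1.27.1 is unconfirmed.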