Merge pull request #21051 from wordpress-mobile/address_wiremock_tran…

…sitive_dependencies_vulnerabilities Address WireMock transitive dependencies vulnerabilities
wordpress-mobile · Jul 18, 2024 · d943f37 · d943f37
2 parents 3bb4ba4 + 372e029
commit d943f37
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 9 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -48,3 +48,8 @@ updates:
  - dependency-name: "org.wordpress.aztec:picasso-loader"
  - dependency-name: "com.automattic:about"
  - dependency-name: "com.automattic:Automattic-Tracks-Android"
+ # Ignore dependencies that were added only to address security vulnerabilities of transitive WireMock dependencies
+ - dependency-name: "org.eclipse.jetty:jetty-webapp"
+ - dependency-name: "com.fasterxml.jackson.core:jackson-databind"
+ - dependency-name: "com.jayway.jsonpath:json-path"
+ - dependency-name: "commons-fileupload:commons-fileupload"
diff --git a/WordPress/build.gradle b/WordPress/build.gradle
@@ -512,13 +512,6 @@ dependencies {
  strictly androidxTestEspressoVersion
  }
  }
- androidTestImplementation("com.github.tomakehurst:wiremock:$wiremockVersion") {
- exclude group: 'org.apache.httpcomponents', module: 'httpclient'
- exclude group: 'org.apache.commons', module: 'commons-lang3'
- exclude group: 'asm', module: 'asm'
- exclude group: 'org.json', module: 'json'
- }
- androidTestImplementation "org.apache.httpcomponents:httpclient-android:$wiremockHttpClientVersion"
  androidTestImplementation "androidx.test:runner:$androidxTestCoreVersion"
  androidTestImplementation "androidx.test:rules:$androidxTestCoreVersion"
  androidTestImplementation "androidx.test.ext:junit:$androidxTestExtJunitVersion"

diff --git a/libs/mocks/build.gradle b/libs/mocks/build.gradle
@@ -18,11 +18,32 @@ android {
 }
 
 dependencies {
- implementation("com.github.tomakehurst:wiremock:$wiremockVersion") {
+ api("com.github.tomakehurst:wiremock") {
  exclude group: 'org.apache.httpcomponents', module: 'httpclient'
  exclude group: 'org.apache.commons', module: 'commons-lang3'
  exclude group: 'asm', module: 'asm'
  exclude group: 'org.json', module: 'json'
  }
- implementation "org.apache.httpcomponents:httpclient-android:$wiremockHttpClientVersion"
+ runtimeOnly("org.apache.httpcomponents:httpclient-android:$wiremockHttpClientVersion")
+
+ constraints {
+ implementation("com.github.tomakehurst:wiremock:$wiremockVersion") {
+ because("newer versions of WireMock use Java APIs not available on Android")
+ }
+
+ def wireMockSecurity = "version shipped with WireMock 2.26.3 contains security vulnerabilities"
+
+ implementation('org.eclipse.jetty:jetty-webapp:9.4.51.v20230217') {
+ because(wireMockSecurity)
+ }
+ implementation('com.fasterxml.jackson.core:jackson-databind:2.12.7.1') {
+ because(wireMockSecurity)
+ }
+ implementation('com.jayway.jsonpath:json-path:2.9.0') {
+ because(wireMockSecurity)
+ }
+ implementation('commons-fileupload:commons-fileupload:1.5') {
+ because(wireMockSecurity)
+ }
+ }
 }