From d2fa0aab8bd80b129f94e554b55932d9526c8025 Mon Sep 17 00:00:00 2001 From: Wojtek Zieba Date: Wed, 17 Jul 2024 11:37:26 +0200 Subject: [PATCH 1/5] Constraint WireMock dependencies So it uses dependencies without reported security vulnerabilities --- build.gradle | 1 - libs/mocks/build.gradle | 22 ++++++++++++++++++++-- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/build.gradle b/build.gradle index 6dfa1c3a6f9d..7140c733222d 100644 --- a/build.gradle +++ b/build.gradle @@ -111,7 +111,6 @@ ext { screengrabVersion = '2.1.1' squareupMockWebServerVersion = '4.12.0' wiremockVersion = '2.26.3' - wiremockHttpClientVersion = '4.3.5.1' // other androidDesugarVersion = '2.0.4' diff --git a/libs/mocks/build.gradle b/libs/mocks/build.gradle index a6ee6d448194..10eabe308ff9 100644 --- a/libs/mocks/build.gradle +++ b/libs/mocks/build.gradle 
@@ -18,11 +18,29 @@ android { } dependencies { - implementation("com.github.tomakehurst:wiremock:$wiremockVersion") { + implementation("com.github.tomakehurst:wiremock") { exclude group: 'org.apache.httpcomponents', module: 'httpclient' exclude group: 'org.apache.commons', module: 'commons-lang3' exclude group: 'asm', module: 'asm' exclude group: 'org.json', module: 'json' + } + + constraints { + implementation("com.github.tomakehurst:wiremock:$wiremockVersion") { + because("newer versions of WireMock use Java APIs not available on Android") + } + implementation('org.eclipse.jetty:jetty-webapp:9.4.51.v20230217') { + because("version shipped with WireMock 2.26.3 contains security vulnerabilities") + } + implementation('com.fasterxml.jackson.core:jackson-databind:2.12.7.1') { + because("version shipped with WireMock 2.26.3 contains security vulnerabilities") + } + implementation('com.jayway.jsonpath:json-path:2.9.0') { + because("version shipped with WireMock 2.26.3 contains security vulnerabilities") + } + implementation('commons-fileupload:commons-fileupload:1.5') { + because("version shipped with WireMock 2.26.3 contains security vulnerabilities") + } + implementation('org.apache.httpcomponents:httpclient-android:4.3.5.1') } - implementation "org.apache.httpcomponents:httpclient-android:$wiremockHttpClientVersion" } From 59a975dd9c375210c4bc0a0c6d9c5494a2b3ed9e Mon Sep 17 00:00:00 2001 From: Wojtek Zieba Date: Wed, 17 Jul 2024 12:47:24 +0200 Subject: [PATCH 2/5] Update configuration for `wiremock` to not duplicate constraints and setup in both modules Use `runtimeOnly` instead of `constraints` as the later works only if dependency is already in the classpath. --- WordPress/build.gradle | 7 ------- libs/mocks/build.gradle | 6 +++--- 2 files changed, 3 insertions(+), 10 deletions(-) diff --git a/WordPress/build.gradle b/WordPress/build.gradle index 8ebe0ab44ae4..ee287ab6cf7b 100644 --- a/WordPress/build.gradle +++ b/WordPress/build.gradle 
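Review bot: The `because` strings on the four new constraints record only that a vulnerability exists, not which advisory each pin addresses, so nobody can later tell when a pin is safe to drop (for example once `wiremockVersion` moves). I'd put the identifier in the message, e.g. `because("WireMock 2.26.3 ships a jackson-databind affected by <ADVISORY-ID>; pinned until WireMock is upgraded")`, and the same applies to the `wireMockSecurity` string extracted in PATCH 4/5. Separately, only `jetty-webapp` is constrained; any other `org.eclipse.jetty` artifact WireMock declares that jetty-webapp does not pull in transitively would stay at the shipped version, so it is worth checking the module's `dependencyInsight` output for `org.eclipse.jetty` to confirm every Jetty module resolves to `9.4.51.v20230217`, since mixed Jetty versions tend to fail at runtime. The `dependencies {}` block is shown in full here, but note that a constraint only takes effect for artifacts already in the graph, which holds for these four transitive dependencies.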
@@ -512,13 +512,6 @@ dependencies { strictly androidxTestEspressoVersion } } - androidTestImplementation("com.github.tomakehurst:wiremock:$wiremockVersion") { - exclude group: 'org.apache.httpcomponents', module: 'httpclient' - exclude group: 'org.apache.commons', module: 'commons-lang3' - exclude group: 'asm', module: 'asm' - exclude group: 'org.json', module: 'json' - } - androidTestImplementation "org.apache.httpcomponents:httpclient-android:$wiremockHttpClientVersion" androidTestImplementation "androidx.test:runner:$androidxTestCoreVersion" androidTestImplementation "androidx.test:rules:$androidxTestCoreVersion" androidTestImplementation "androidx.test.ext:junit:$androidxTestExtJunitVersion" diff --git a/libs/mocks/build.gradle b/libs/mocks/build.gradle index 10eabe308ff9..cd689145517c 100644 --- a/libs/mocks/build.gradle +++ b/libs/mocks/build.gradle @@ -18,12 +18,13 @@ android { } dependencies { - implementation("com.github.tomakehurst:wiremock") { + api("com.github.tomakehurst:wiremock") { exclude group: 'org.apache.httpcomponents', module: 'httpclient' exclude group: 'org.apache.commons', module: 'commons-lang3' exclude group: 'asm', module: 'asm' exclude group: 'org.json', module: 'json' - } + } + runtimeOnly('org.apache.httpcomponents:httpclient-android:4.3.5.1') constraints { implementation("com.github.tomakehurst:wiremock:$wiremockVersion") { @@ -41,6 +42,5 @@ dependencies { implementation('commons-fileupload:commons-fileupload:1.5') { because("version shipped with WireMock 2.26.3 contains security vulnerabilities") } - implementation('org.apache.httpcomponents:httpclient-android:4.3.5.1') } } From c8bcdaec4bfd2a65a5b71050142b76f33d767231 Mon Sep 17 00:00:00 2001 
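Review bot: Switching WireMock to `api` publishes it on consumers' compile classpath, but the version constraints in the `constraints {}` block that begins at the end of this hunk (and continues outside it) are still declared with `implementation`, which Gradle's library plugins expose only through the runtime variant. A consumer such as the WordPress androidTest source set (presumably reaching WireMock through the mocks module now that its own declaration is removed) would then compile against the Jetty/Jackson/json-path versions WireMock 2.26.3 ships while running against the pinned ones; if that mismatch matters, declare the constraints with `api(...)` to match, e.g. `api('com.fasterxml.jackson.core:jackson-databind:2.12.7.1') { because(...) }`. The `- }` / `+ }` pair looks like a whitespace-only change and could be dropped to keep the hunk focused on the dependency change.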
From: Wojtek Zieba Date: Wed, 17 Jul 2024 13:09:33 +0200 Subject: [PATCH 3/5] Bring back `wiremockHttpClientVersion` As this is replacment dependency, maybe it's worth to keep a version extracted? I'm not sure, so I revert this change to keep things unchanged --- build.gradle | 1 + libs/mocks/build.gradle | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 7140c733222d..6dfa1c3a6f9d 100644 --- a/build.gradle +++ b/build.gradle @@ -111,6 +111,7 @@ ext { screengrabVersion = '2.1.1' squareupMockWebServerVersion = '4.12.0' wiremockVersion = '2.26.3' + wiremockHttpClientVersion = '4.3.5.1' // other androidDesugarVersion = '2.0.4' diff --git a/libs/mocks/build.gradle b/libs/mocks/build.gradle index cd689145517c..34164526b326 100644 --- a/libs/mocks/build.gradle +++ b/libs/mocks/build.gradle @@ -24,7 +24,7 @@ dependencies { exclude group: 'asm', module: 'asm' exclude group: 'org.json', module: 'json' } - runtimeOnly('org.apache.httpcomponents:httpclient-android:4.3.5.1') + runtimeOnly("org.apache.httpcomponents:httpclient-android:$wiremockHttpClientVersion") constraints { implementation("com.github.tomakehurst:wiremock:$wiremockVersion") { From 058d2c001fbe9244e4cd7d2dc72c97a8b8526090 Mon Sep 17 00:00:00 2001 From: Wojtek Zieba Date: Wed, 17 Jul 2024 13:11:19 +0200 Subject: [PATCH 4/5] Extract WireMock transitive dependencies security message To not duplicate strings --- libs/mocks/build.gradle | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libs/mocks/build.gradle b/libs/mocks/build.gradle index 34164526b326..40db9b3997cf 100644 --- a/libs/mocks/build.gradle +++ b/libs/mocks/build.gradle 
@@ -30,17 +30,20 @@ dependencies { implementation("com.github.tomakehurst:wiremock:$wiremockVersion") { because("newer versions of WireMock use Java APIs not available on Android") } + + def wireMockSecurity = "version shipped with WireMock 2.26.3 contains security vulnerabilities" + implementation('org.eclipse.jetty:jetty-webapp:9.4.51.v20230217') { - because("version shipped with WireMock 2.26.3 contains security vulnerabilities") + because(wireMockSecurity) } implementation('com.fasterxml.jackson.core:jackson-databind:2.12.7.1') { - because("version shipped with WireMock 2.26.3 contains security vulnerabilities") + because(wireMockSecurity) } implementation('com.jayway.jsonpath:json-path:2.9.0') { - because("version shipped with WireMock 2.26.3 contains security vulnerabilities") + because(wireMockSecurity) } implementation('commons-fileupload:commons-fileupload:1.5') { - because("version shipped with WireMock 2.26.3 contains security vulnerabilities") + because(wireMockSecurity) } } } From 372e029862b597f0e51d699a2279d88eb3a2ee9a Mon Sep 17 00:00:00 2001 From: Wojtek Zieba Date: Thu, 18 Jul 2024 11:36:33 +0200 Subject: [PATCH 5/5] Update Dependabot config to ignore WireMock's transitive dependencies --- .github/dependabot.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 17b9023f0012..a2899fa57f15 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -48,3 +48,8 @@ updates: - dependency-name: "org.wordpress.aztec:picasso-loader" - dependency-name: "com.automattic:about" - dependency-name: "com.automattic:Automattic-Tracks-Android" + # Ignore dependencies that were added only to address security vulnerabilities of transitive WireMock dependencies + - dependency-name: "org.eclipse.jetty:jetty-webapp" + - dependency-name: "com.fasterxml.jackson.core:jackson-databind" + - dependency-name: "com.jayway.jsonpath:json-path" + - dependency-name: "commons-fileupload:commons-fileupload"
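Review bot: The extracted `wireMockSecurity` message hard-codes `2.26.3` while the constraint two lines above it derives the version from `$wiremockVersion`, so a future bump of that property would leave a stale rationale next to pins that were chosen against the 2.26.3 transitive set and need re-evaluation anyway. Interpolating the property keeps the two in step and says what to do on a bump: `def wireMockSecurity = "version shipped with WireMock $wiremockVersion contains security vulnerabilities; re-check these pins when bumping"`. The enclosing `constraints {}` block starts before this hunk.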
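Review bot: Ignoring these four coordinates by bare `dependency-name` suppresses every Dependabot update for them, and they are exactly the artifacts pinned because of advisories; as far as I know, `ignore` conditions in dependabot.yml apply to security updates as well as version updates, so a new advisory against jackson-databind 2.12.7.1 or json-path 2.9.0 would no longer produce a PR, which is worth confirming against the current Dependabot documentation before merging. If the concern was major bumps that WireMock 2.26.3 cannot take, narrow each entry with `update-types: ["version-update:semver-major"]` so patch and minor releases, where fixes for these libraries typically land, still surface. The comment above the entries could also name libs/mocks/build.gradle as the place the pins live, so the two files are kept in sync.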