Comments (10)

schrum2 avatar schrum2 commented on May 27, 2024 1

Agreed. The problem still isn't fixed, so I keep working around it by uninstalling/reinstalling gradle for every new codespace I make, despite the reintroduction of the security vulnerability.

Makes me wonder if the default version of gradle or some other component could be changed/lowered to avoid this. It seems odd that such a major build tool simply can't be used.

from images.

samruddhikhandale avatar samruddhikhandale commented on May 27, 2024 1

Planning to release this image today/tomorrow (with gradle 8), which should fix the issue.
#422

schrum2 avatar schrum2 commented on May 27, 2024 1

I just made a new codespace, and I can confirm that Gradle 8.0 was installed and the basic gradle commands worked without any problem! Thanks!

samruddhikhandale avatar samruddhikhandale commented on May 27, 2024

Hi 👋

Looks like a regression due to #269. According to CVE-2022-36033, the jsoup jar file with a version less than 1.53 contains a security vulnerability. Hence, the universal image includes a patch for it.

I had reported this issue in gradle/gradle#23316.
Looks like we'd need to wait for gradle version 8 to support this.

However, do you mind creating an issue with gradle and seeing if they could support [email protected] in the current v7*?

In the meantime, you could avoid this issue by pinning to the older universal:2.1.2 image. However, your devcontainer will be at security risk due to CVE-2022-36033.

schrum2 avatar schrum2 commented on May 27, 2024

I found that I could fix this with sdk uninstall gradle 7.6 followed by sdk install gradle. Does this reintroduce the security vulnerability?

samruddhikhandale avatar samruddhikhandale commented on May 27, 2024

> I found that I could fix this with sdk uninstall gradle 7.6 followed by sdk install gradle. Does this reintroduce the security vulnerability?

Yep, because the jsoup jar file is installed within the gradle folder for v7.6.

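The exchange above turns on one fact: the vulnerable jsoup jar lives inside the Gradle installation itself, so reinstalling Gradle 7.6 brings it back. The following script is an added example, not code from the issue thread or the devcontainers project; it checks which jsoup version a given Gradle home bundles and flags anything below 1.15.3, the first jsoup release with the fix for CVE-2022-36033. It assumes (the author's assumptions, not stated in the thread) that Gradle keeps its bundled jars as <gradle home>/lib/jsoup-<version>.jar, that SDKMAN installs each version under ~/.sdkman/candidates/gradle/<version>, and that versions are plain dotted numbers. The directory layout it runs against is constructed inline with empty placeholder jars so it works offline.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the devcontainers project.
# Checks whether a Gradle installation bundles a jsoup jar older than 1.15.3,
# the first release containing the fix for CVE-2022-36033.
# Assumptions (author's, not stated in the thread): Gradle keeps its bundled
# jars as <gradle home>/lib/jsoup-<version>.jar, SDKMAN installs each version
# under ~/.sdkman/candidates/gradle/<version>, and versions are dotted numbers.

FIXED_JSOUP="1.15.3"

# Return 0 when dotted version $1 is strictly lower than $2 (e.g. 1.15 < 1.15.3).
# Missing trailing components are treated as 0.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
    [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 1
}

# Print the version of the jsoup jar bundled in lib/ of the given Gradle home;
# return 1 when no such jar exists.
jsoup_version() {
  for jar in "$1"/lib/jsoup-*.jar; do
    [ -f "$jar" ] || continue
    v="${jar##*/jsoup-}"
    printf '%s\n' "${v%.jar}"
    return 0
  done
  return 1
}

# Return 0 (vulnerable) when the Gradle home bundles a jsoup older than FIXED_JSOUP.
gradle_jsoup_vulnerable() {
  v="$(jsoup_version "$1")" || return 1   # no bundled jsoup: nothing to flag here
  version_lt "$v" "$FIXED_JSOUP"
}

# Constructed sample layout (empty placeholder jars, not a real Gradle install):
demo="$(mktemp -d)"
mkdir -p "$demo/7.6/lib" "$demo/8.0/lib"
: > "$demo/7.6/lib/jsoup-1.15.1.jar"   # a pre-fix jsoup, the situation the thread describes for 7.6
: > "$demo/8.0/lib/jsoup-1.15.3.jar"   # the patched version
for home in "$demo/7.6" "$demo/8.0"; do
  if gradle_jsoup_vulnerable "$home"; then
    echo "$home: jsoup $(jsoup_version "$home") < $FIXED_JSOUP, CVE-2022-36033 is reintroduced"
  else
    echo "$home: jsoup $(jsoup_version "$home") is at or above $FIXED_JSOUP"
  fi
done
rm -rf "$demo"
```

Against a real SDKMAN install the same check is `gradle_jsoup_vulnerable "$HOME/.sdkman/candidates/gradle/7.6"`, run after the sdk uninstall/install round trip described above; a zero exit status means the reinstall brought the pre-fix jar back. The version comparison is written in plain sh rather than relying on sort -V so it behaves the same in the busybox and BSD shells found in container images.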
samruddhikhandale avatar samruddhikhandale commented on May 27, 2024

Closing as stale. Feel free to reopen the issue if needed.

madhead avatar madhead commented on May 27, 2024

It's still an issue. GitHub support sent me here regarding it. There is also an issue in the Gradle repo: gradle/gradle#23730

samruddhikhandale avatar samruddhikhandale commented on May 27, 2024

Apologies for the inconvenience. Looks like gradle has a prerelease for 8.0: https://github.com/gradle/gradle/releases
We can expect an official release soon; I'll make sure to update the images quickly.

In the meantime, can you add the following to your devcontainer.json to help you get unblocked?

"features": {
    "ghcr.io/devcontainers/features/java:1": {
        "installGradle": true
    }
}

ℹ️ This would reintroduce the security vulnerability but will help you get unblocked.

samruddhikhandale avatar samruddhikhandale commented on May 27, 2024

The universal image is updated to include gradle v8.
The issue should be resolved, with the jsoup vulnerability patched.
