workflow

A unidirectional data flow library for Kotlin and Swift, emphasizing:

Strong support for state-machine driven UI and navigation.
Composition and scaling.
Effortless separation of business and UI concerns.

This project is currently experimental and the API subject to breaking changes without notice. Follow Square's engineering blog, The Corner, to see when this project becomes stable.

While the API is not yet stable, this code is in heavy production use in Android and iOS apps with millions of users.

Using Workflows in your project

Swift

Swift Package Manager

If you are developing your own package, be sure that Workflow is included in dependencies in Package.swift:

dependencies: [
    .package(url: "[email protected]:square/workflow.git", from: "0.21.1")
]

In Xcode 11+, add Workflow directly as a dependency to your project with File > Swift Packages > Add Package Dependency.... Provide the git URL when prompted: [email protected]:square/workflow.git.

Cocoapods

If you use CocoaPods to manage your dependencies, simply add Workflow and WorkflowUI to your Podfile:

pod 'Workflow'
pod 'WorkflowUI'

Kotlin

Quick Start

To get started with a fresh, barebones, Workflow-based Android app, we've created a template repository – just click "Use this template" to create a new repository with a simple but runnable app: github.com/square/workflow-android-template

Maven Artifacts

Artifacts are hosted on Maven Central. If you're using Gradle, ensure mavenCentral() appears in your repositories block, and then add dependencies on the following artifacts:

Maven Coordinates	Depend on this if…
`com.squareup.workflow:workflow-core-jvm:x.y.z`	You are writing a library module/project that uses Workflows, but you don't need to interact with the runtime from the outside.
`com.squareup.workflow:workflow-rx2:x.y.z`	You need to interact with RxJava2 from your Workflows.
`com.squareup.workflow:workflow-testing-jvm:x.y.z`	You are writing tests. This should only be included as a test dependency.
`com.squareup.workflow:workflow-ui-core-android:x.y.z`	You're writing an Android app that uses Workflows.
`com.squareup.workflow:workflow-ui-modal-android:x.y.z`	Your Android app uses modals (popups).
`com.squareup.workflow:workflow-ui-backstack-android:x.y.z`	Your android app uses backstacks.

Lower-level Artifacts

Most code shouldn't need to depend on these directly. They should generally only be used to build higher-level integrations with UI frameworks.

Maven Coordinates	Depend on this if…
`com.squareup.workflow:workflow-runtime-jvm:x.y.z`	You need to interact directly with the runtime, i.e. streams of renderings and outputs.
`com.squareup.workflow:workflow-ui-core-jvm:x.y.z`	You are writing workflow-ui-android for another UI framework. Defines the core types used by that artifact.

Resources

Support & Contact

Workflow maintainers hang out in the #squarelibraries channel on the Kotlin Slack and the #square-libraries-wtf channel on the Android Study Group Slack.

Releasing and Deploying

See RELEASING.md.

License

Copyright 2019 Square Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

CVE-2020-8908 (Medium) detected in guava-28.1-android.jar

CVE-2020-8908 - Medium Severity Vulnerability

Vulnerable Library - guava-28.1-android.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to vulnerable library: /tmp/ws-ua_20200424204530/downloadResource_304d0a82-9bcd-48d0-b88e-641a54f81abb/20200424204947/guava-28.1-android.jar,20200424204530/downloadResource_304d0a82-9bcd-48d0-b88e-641a54f81abb/20200424204947/guava-28.1-android.jar,/tmp/ws-ua_20200424204530/downloadResource_304d0a82-9bcd-48d0-b88e-641a54f81abb/20200424204947/guava-28.1-android.jar

Dependency Hierarchy:

❌ guava-28.1-android.jar (Vulnerable Library)

Vulnerability Details

A temp directory creation vulnerability exist in Guava versions prior to 30.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or update to Java 7 or later, or to explicitly change the permissions after the creation of the directory if neither are possible.

Publish Date: 2020-12-10

URL: CVE-2020-8908

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908

Release Date: 2020-12-10

Fix Resolution: v30.0

Check this box to open an automated fix PR

levyforchh / workflow Goto Github PK

workflow's Introduction

workflow

Using Workflows in your project

Swift

Swift Package Manager

Cocoapods

Kotlin

Quick Start

Maven Artifacts

Lower-level Artifacts

Resources

Support & Contact

Releasing and Deploying

License

workflow's People

Contributors

Watchers

workflow's Issues

CVE-2020-8908 - Medium Severity Vulnerability

CVE-2017-18640 - High Severity Vulnerability

Recommend Projects

Recommend Topics

Recommend Org