Merge pull request #39 from rundeck-plugins/cve-fixes

fdevans · web-flow · commit 363c12e5d42c · 2025-10-07T13:47:18.000-07:00
CVE Fixes
diff --git a/README.md b/README.md
@@ -17,6 +17,8 @@ Run the following command to built the jar file:
 ./gradlew clean build
 ```
 
+**Note:** This plugin requires Rundeck 5.16.0 or later.
+
 ## Install
 
 Copy the `git-plugin-x.y.x.jar` file to the `$RDECK_BASE/libext/` directory inside your Rundeck installation.
diff --git a/build.gradle b/build.gradle
@@ -55,6 +55,9 @@ dependencies {
     implementation(libs.groovyAll)
     implementation(libs.rundeckCore)
     implementation(libs.slf4jApi)
+    
+    // Add secure commons-lang3 to provide alternative to vulnerable commons-lang 2.6
+    implementation(libs.commonsLang3)
 
     pluginLibs(libs.jgit) {
         exclude module: 'slf4j-api'
@@ -70,6 +73,21 @@ dependencies {
     testImplementation libs.bundles.testLibs
 }
 
+configurations.all {
+    resolutionStrategy {
+        // Force secure versions for non-breaking dependency overrides
+        force "com.squareup.okhttp3:okhttp:${libs.versions.okhttp3.get()}"
+        force "com.squareup.okio:okio:${libs.versions.okio.get()}"
+        
+        // Replace vulnerable commons-lang with secure commons-lang3
+        dependencySubstitution {
+            substitute module('commons-lang:commons-lang') using module("org.apache.commons:commons-lang3:${libs.versions.commonsLang3.get()}")
+        }
+        
+        // Note: JGit vulnerabilities left as-is to avoid code breaking changes
+    }
+}
+
 
 task copyToLib(type: Copy) {
     into "$buildDir/output/lib"
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -1,17 +1,21 @@
 [versions]
 # Plugins
 axionRelease = "1.18.18"
+nexusPublish = "1.3.0"
 # Libraries
 groovy = "3.0.22"
 junit = "4.13.2"
-rundeckCore = "5.10.0-20250312"
+rundeckCore = "5.16.0-20251006"
 slf4j = "1.7.36"
 jgit = "6.6.1.202309021850-r"
 jgitSsh = "5.13.3.202401111512-r"
 spock = "2.0-groovy-3.0"
 cglib = "3.3.0"
 objenesis = "1.4"
-nexusPublish = "1.3.0"
+# Security overrides for transitive dependencies
+okhttp3 = "4.12.0"
+okio = "3.9.1"
+commonsLang3 = "3.18.0"
 
 [libraries]
 groovyAll   = { group = "org.codehaus.groovy", name = "groovy-all", version.ref = "groovy" }
@@ -23,6 +27,7 @@ jgitSsh     = { group = "org.eclipse.jgit", name = "org.eclipse.jgit.ssh.jsch",
 spockCore   = { group = "org.spockframework", name = "spock-core", version.ref = "spock" }
 cglibNodep  = { group = "cglib", name = "cglib-nodep", version.ref = "cglib" }
 objenesis   = { group = "org.objenesis", name = "objenesis", version.ref = "objenesis" }
+commonsLang3 = { module = "org.apache.commons:commons-lang3", version.ref = "commonsLang3" }
 
 [bundles]
 testLibs = ["junit", "groovyAll", "spockCore", "cglibNodep", "objenesis"]
