Skip to content

Fix for Security Violations#432

Merged
agrasth merged 5 commits intodevfrom
fix-SecurityViolations
Dec 19, 2025
Merged

Fix for Security Violations#432
agrasth merged 5 commits intodevfrom
fix-SecurityViolations

Conversation

@agrasth
Copy link

@agrasth agrasth commented Dec 15, 2025
edited
Loading

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • This pull request is on the dev branch.

Fix: Update Dependencies to Address Security Vulnerabilities

Summary

Updated test dependencies to fix CVE-2025-11226 and documented CVE-2024-6763.

Changes

  • logback-classic: 1.3.15 -> 1.3.16 (fixes CVE-2025-11226)
  • wiremock-jre8: 2.35.0 -> 2.35.2 (latest Java 8 compatible version)

Test Fix Changes

Updated BaseRepositoryTests.groovy to handle Artifactory's stricter virtual repository package type validation:

  • Package type matching: Virtual repositories now require child repositories with matching package types. When getRepositorySettings(LOCAL) returns null (e.g., Terraform), the fix uses getRepositorySettings(VIRTUAL) settings instead to ensure correct package type.
  • Separate repo for virtual: For package types that don't support local repos (e.g., P2), a dedicated remote repository (rt-client-java-remote-for-virtual-*) is now created to avoid conflicts with test methods that create their own repos.
  • Proper cleanup: Added repoForVirtual field to track and clean up the dedicated child repository in tearDown().

Tests Fixed

  • TerraformPackageTypeRepositoryTests > testTerraformVirtualRepo
  • P2PackageTypeRepositoryTests > testP2RemoteRepo
  • CustomPropertiesRepositoryTests > testVirtualRepo
  • Various other package type tests that were failing with "package type mismatch" or "key already exists" errors

Notes

CVE-2024-6763 (Jetty) requires Jetty 12.x which is incompatible with Java 8 support.
Since this is test-only and doesn't affect production, the risk is documented and accepted.

@agrasth agrasth requested a review from nitinp19 December 15, 2025 09:10
@agrasth agrasth requested a review from bhanurp December 16, 2025 07:41
@agrasth
Fix virtual repository package type mismatch in tests
d1e0cdd 
- Virtual repositories now use child repositories with matching package types
- Fixes test failures for CustomPropertiesRepositoryTests, P2PackageTypeRepositoryTests, and TerraformPackageTypeRepositoryTests
- Resolves issue where virtual repos tried to include Generic repos when they had specific package types (Composer, P2, Terraform)
@agrasth
Fix: Create dedicated repo for virtual instead of reusing localRepo
f0361ac 
- Creates a separate repository for virtual repos to avoid naming conflicts
- Prevents "Case insensitive repository key already exists" error
- Repository key is now "rt-client-java-for-virtual-{id}" instead of reusing "rt-client-java-local-{id}"
@agrasth
Fix: Use correct package type settings and avoid repo conflicts
a962a88 
- When LOCAL settings are null, use VIRTUAL settings to ensure correct package type
- Create SEPARATE remote repo for virtual (rt-client-java-remote-for-virtual-*) to avoid conflicts with test methods
- Add dedicated repoForVirtual field for proper tracking and cleanup
- Fixes TerraformVirtualRepo, P2RemoteRepo, and other package type mismatch issues
@agrasth agrasth merged commit 768ac32 into dev Dec 19, 2025
2 of 4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bhanurp bhanurp bhanurp approved these changes

@nitinp19 nitinp19 Awaiting requested review from nitinp19

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@agrasth @bhanurp