
Release 0.5.0 vulnerabilities report #276

Closed
cstamas opened this issue Nov 2, 2023 · 3 comments · Fixed by #277

Comments

cstamas (Member) commented Nov 2, 2023

Seems Scala is flagged as vulnerable:
https://ossindex.sonatype.org/component/pkg:maven/org.scala-lang/scala-compiler@2.11.12?utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0

cstamas (Member, Author) commented Nov 2, 2023

@lefou


lefou (Contributor) commented Nov 3, 2023

Looks like we can finally update to Scala 2.12, which is AFAIK the last version supported by com.twitter:util-eval. This is possible since we lifted the minimum supported Java version to 8.

```xml
<!-- We cannot use 2.12+, as Maven 3.x requires us to run on Java7 -->
<scala.version>2.11.12</scala.version>
<scala.bin.version>2.11</scala.bin.version>
```

cstamas pushed a commit that referenced this issue Nov 4, 2023
Due to some security vulnerabilities in the Scala 2.11 compiler, I switched `polyglot-scala` to Scala 2.12, which is the last version for which there is a release of `com.twitter:util-eval`, which we use to compile and evaluate the `pom.scala` files.

Unfortunately, `util-eval` throws runtime exceptions when used as-is, which is mostly due to internal changes in the Scala compiler. Since `util-eval` doesn't work with Scala 2.12 and was even removed upstream quite some time ago, I vendored the single file `Eval.scala` and applied some small refactorings to make it work. The imported file was licensed under the Apache License, version 2, which is identical to this project's license.

Due to the version bump from Scala 2.11 to 2.12, I'd consider this pull request a breaking change. The next release number for polyglot(-scala) should therefore be `0.6.0` (if we apply early semantic versioning).

* Fix #276

I think it's worth investigating whether we can follow up with a bump to Scala 2.13. I haven't tested it yet, due to some dependencies not being available. But it looks like `com.googlecode.kiama` has moved to https://github.com/inkytonik/kiama, so there should be no blockers. But the `Eval` might break again due to expected compiler changes.