
Play 3.0.0 upgrade & vulnerability fixes #114

Merged
merged 6 commits into from Nov 17, 2023

Conversation

AshCorr
Member

@AshCorr AshCorr commented Nov 2, 2023

What does this change?

  • Bump Play to 3.0.0 from 2.8.19
  • Override various transient dependency versions

The last vuln is a total pain to fix - it involves updating okhttp to 4.x from 3.x, this should have been easy but com.madgag.play-git-hub makes use of an internal OkHttp package which isn't available anymore in okhttp 4.x

How to test

sbt compile compiles fine. [screenshot]

snyk test before: [screenshot]

snyk test after: [screenshot]

Member

@akash1810 akash1810 left a comment


Changes LGTM.

This app lives in Heroku, which I think @rtyley manages, and who is best placed to give a 👍🏽.

rtyley added a commit to rtyley/play-git-hub that referenced this pull request Nov 2, 2023
This upgrade was prompted by guardian/prout#114,
where Ash noted that updating to OkHttp 4 was blocked by `play-git-hub`'s
use of OkHttp's internal `HttpDate` class.

Thankfully the `java.time` package offers the `RFC_1123_DATE_TIME`
date time formatter, which looks to be a good substitute for parsing
the `Date` header returned by the GitHub API.

https://docs.oracle.com/javase/8/docs/api/java/time/format/DateTimeFormatter.html#RFC_1123_DATE_TIME
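The `java.time` substitute the commit above describes, as an added example that is not play-git-hub's own code: it parses an HTTP `Date` header with `RFC_1123_DATE_TIME` and, going beyond the commit, also accepts the two obsolete HTTP-date forms that RFC 7231 requires recipients to handle, applying the two-digit-year rule for RFC 850 dates. The `rfc850` and `Asctime` patterns, the `HttpDate`/`HttpDateDemo` names and the sample header values are assumptions constructed for this example.

```scala
import java.time.{DateTimeException, ZoneOffset, ZonedDateTime}
import java.time.format.{DateTimeFormatter, DateTimeFormatterBuilder}
import java.time.temporal.ChronoField
import java.util.Locale

/** Parses an HTTP-date (RFC 7231 section 7.1.1.1) with java.time only, as a
  * stand-in for OkHttp 3's internal HttpDate. Added example, not project code. */
object HttpDate {
  // What GitHub actually sends, e.g. "Sun, 06 Nov 1994 08:49:37 GMT".
  private val ImfFixdate = DateTimeFormatter.RFC_1123_DATE_TIME

  // Obsolete RFC 850 form with a two-digit year, "Sunday, 06-Nov-94 08:49:37 GMT".
  // RFC 7231: a year more than 50 years ahead means the most recent past year
  // with those digits, so "yy" is mapped into the window [now-50, now+50).
  private def rfc850(now: ZonedDateTime): DateTimeFormatter =
    new DateTimeFormatterBuilder()
      .appendPattern("EEEE, dd-MMM-")
      .appendValueReduced(ChronoField.YEAR, 2, 2, now.getYear - 50)
      .appendPattern(" HH:mm:ss 'GMT'")
      .toFormatter(Locale.US)
      .withZone(ZoneOffset.UTC)

  // Obsolete asctime() form "Sun Nov  6 08:49:37 1994"; "ppd" takes the space-padded day (pattern assumed).
  private val Asctime = DateTimeFormatter
    .ofPattern("EEE MMM ppd HH:mm:ss yyyy", Locale.US)
    .withZone(ZoneOffset.UTC)

  private def tryParse(f: DateTimeFormatter, s: String): Option[ZonedDateTime] =
    try Some(ZonedDateTime.parse(s, f))
    catch { case _: DateTimeException => None }

  /** None instead of an exception, so a malformed header value from the
    * server cannot fail the request that carried it. Result is always UTC. */
  def parse(header: String, now: ZonedDateTime): Option[ZonedDateTime] = {
    val s = header.trim
    tryParse(ImfFixdate, s)
      .orElse(tryParse(rfc850(now), s))
      .orElse(tryParse(Asctime, s))
      .map(_.withZoneSameInstant(ZoneOffset.UTC))
  }
}

object HttpDateDemo extends App {
  val now = ZonedDateTime.of(2023, 11, 2, 12, 0, 0, 0, ZoneOffset.UTC)
  Seq("Sun, 06 Nov 1994 08:49:37 GMT",   // IMF-fixdate: the GitHub case
      "Sunday, 06-Nov-94 08:49:37 GMT",  // RFC 850: resolves to 1994, not 2094
      "Sun Nov  6 08:49:37 1994",        // asctime
      "not a date")                      // -> None
    .foreach(h => println(s"$h -> ${HttpDate.parse(h, now)}"))
}
```

Passing `now` explicitly keeps the two-digit-year window testable; in production you would pass `ZonedDateTime.now(ZoneOffset.UTC)`.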
@rtyley
Member

rtyley commented Nov 2, 2023

Hi @AshCorr thanks so much for this! I guess the list of vulnerabilities we're looking at here is coming from https://app.snyk.io/org/guardian-devtools/project/1bc32f14-0b81-428e-b01b-9942ba45885c, is that right?

> updating okhttp to 4.x from 3.x, this should have been easy but com.madgag.play-git-hub makes use of an internal OkHttp package which isn't available anymore in okhttp 4.x

I've prepared rtyley/play-git-hub#7 to get com.madgag.play-git-hub up to okhttp 4.x, does that look good to you @AshCorr? I can also do another PR to compile it against latest JGit if that helps.

Regarding Play 2.9, it looks like there's a bit of a question about whether this is officially 'released' or not yet?

I can see that it's coming, and I definitely want to upgrade to it when it is, but has there been a proper release statement yet? Is adopting 2.9 this week, rather than next week, a bit early - or is this driven by a Snyk vuln fixed by Play 2.9?

@AshCorr
Member Author

AshCorr commented Nov 6, 2023

> I can see that it's coming, and I definitely want to upgrade to it when it is, but has there been a proper release statement yet?

Sounds like it's a stable release, just no release statement yet. Should hopefully come out today if we want to wait for merging this PR!

EDIT: It's out!

Member

@rtyley rtyley left a comment


Looks good to me, merging now! Prout has CD, so will auto-deploy after merging.

@rtyley rtyley merged commit 51332cf into main Nov 17, 2023
1 check passed
@rtyley rtyley deleted the ash/VulnFixes branch November 17, 2023 11:31
@prout-bot
Contributor

Seen on PROD (created by @AshCorr and merged by @rtyley 11 minutes and 45 seconds ago) Please check your changes!

Sentry Release: prout

@rtyley
Member

rtyley commented Nov 17, 2023

This is working well on PROD!

https://prout-bot.herokuapp.com/view/guardian/prout

[screenshot]

@rtyley rtyley changed the title Ash/vuln fixes Play 3.0.0 upgrade & vulnerability fixes Nov 23, 2023