Gradle’s stock version of checkstyle and pmd plugins appear to have CVEs.
build.gradle:
plugins {
id 'checkstyle'
id 'net.ossindex.audit' version '0.4.11'
id 'pmd'
}
Report:
$ gradle audit
> Task :audit FAILED
2 unignored (of 2 total) vulnerabilities found
com.puppycrawl.tools:checkstyle:8.37 introduces com.google.guava:guava:29.0-jre which has 1 vulnerabilities
=> [CVE-2020-8908] A temp directory creation vulnerability exists in all versions of Guava, allowin... (see https://ossindex.sonatype.org/vuln/8e973be2-4220-410d-a4cb-2de7a755bdbe)
net.sourceforge.pmd:pmd-java:6.39.0 introduces commons-io:commons-io:2.6 which has 1 vulnerabilities
=> [CVE-2021-29425] In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normaliz... (see https://ossindex.sonatype.org/vuln/82848549-29bd-4594-b983-e61e4b2c6924)
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':audit'.
> Too many vulnerabilities (2) found.
* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
* Get more help at https://help.gradle.org
Deprecated Gradle features were used in this build, making it incompatible with Gradle 8.0.
You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.
See https://docs.gradle.org/7.4.2/userguide/command_line_interface.html#sec:command_line_warnings
BUILD FAILED in 439ms
1 actionable task: 1 executed
When will these components get patched?
I’m using gradle 7.4.2 from Homebrew.
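Until the plugin defaults move on, the usual mitigation is to stop relying on the plugins' default tool versions and to constrain the transitive libraries the audit flagged. The following build.gradle fragment is an added example, not part of the original post and not Gradle's own documentation; it assumes the standard `checkstyle` and `pmd` configurations created by those plugins, uses the Commons IO 2.7 floor that the audit output itself states for CVE-2021-29425, and leaves the Guava and tool versions as placeholders because the post does not name fixed versions for them.

```groovy
// Added example: pin tool versions and constrain vulnerable transitive dependencies.
plugins {
    id 'checkstyle'
    id 'net.ossindex.audit' version '0.4.11'
    id 'pmd'
}

// Override the plugin defaults (8.37 / 6.39.0 in the post) with explicitly chosen releases.
// <CHECKSTYLE_VERSION> and <PMD_VERSION> are placeholders: pick versions whose own
// dependency trees pass `gradle audit`.
checkstyle {
    toolVersion = '<CHECKSTYLE_VERSION>'
}
pmd {
    toolVersion = '<PMD_VERSION>'
}

dependencies {
    constraints {
        // The audit report says CVE-2021-29425 affects Commons IO before 2.7,
        // so 2.7 is the minimum the pmd configuration may resolve to.
        pmd('commons-io:commons-io:2.7') {
            because 'CVE-2021-29425: Apache Commons IO before 2.7 (flagged by gradle audit)'
        }
        // The post gives no fixed Guava version for CVE-2020-8908; <GUAVA_VERSION> is a placeholder
        // to be replaced with a release that the audit no longer reports.
        checkstyle('com.google.guava:guava:<GUAVA_VERSION>') {
            because 'CVE-2020-8908 reported against guava 29.0-jre (flagged by gradle audit)'
        }
    }
}
```

After editing, confirm what actually resolves with `gradle dependencies --configuration checkstyle` and `gradle dependencies --configuration pmd` (the constrained versions show up as `-> 2.7` style arrows), then re-run `gradle audit`; the task should stop failing on those two entries once the constrained versions are no longer listed by OSS Index. Constraints only raise the lower bound, so they do not fight a newer version that a future tool release brings in on its own.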