Guide - 7.10.21.0 Security Update of Libraries

Product Version

7.10

Status

final

1 Introduction

Several libraries with known vulnerabilities were updated to newer versions. Because these are major version jumps, the update can break custom code and cartridges that depend on the old versions.

Library                             Old Version   New Version
com.google.guava:guava              24.1-jre      29.0-jre
com.google.code.gson:gson           2.1           2.8.6
org.apache.commons:commons-dbcp2    2.1.1         2.7.0

2 Migration

2.1 Version Conflict

In case of version conflicts between the underlying platform libraries and custom libraries, the version must be defined explicitly. The build.gradle can contain the following block, which reads the explicit versions from a properties file:

build.gradle
versionRecommendation {
    provider {
        // thirdparty.version to resolve version conflicts of custom cartridges
        properties('thirdparty', file('thirdparty.version')) {}
    }
}

Example version file that resolves the version conflict for the library "error_prone_annotations" by pinning it explicitly:

thirdparty.version
com.google.errorprone:error_prone_annotations=2.3.1
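After pinning versions in thirdparty.version it is worth confirming that the runtime classpath really resolves to the updated (non-vulnerable) versions from the table above, because a pin or a transitive constraint can also silently downgrade a library. The following script is an added example and not part of this guide or of Intershop's tooling: it parses the text output of Gradle's dependencies task (a constructed sample is embedded), takes the version after "->" as the resolved one, compares it against the minimum versions from the table, and emits the thirdparty.version lines needed to pin any library that is still too old. The minimum-version map and the sample tree are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Minimum versions taken from the security update table of this guide.
MINIMUM_VERSIONS = {
    "com.google.guava:guava": "29.0-jre",
    "com.google.code.gson:gson": "2.8.6",
    "org.apache.commons:commons-dbcp2": "2.7.0",
}

# Constructed sample of `gradle :<cartridge>:dependencies --configuration runtimeClasspath`.
# "a -> b" marks a version Gradle replaced during conflict resolution; here commons-dbcp2
# is downgraded to 2.1.1 (for instance by a stale pin), which the check must catch.
SAMPLE_DEPENDENCY_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.google.guava:guava:24.1-jre -> 29.0-jre
|    +--- com.google.errorprone:error_prone_annotations:2.3.1
|    \\--- com.google.code.findbugs:jsr305:3.0.2
+--- com.google.code.gson:gson:2.8.6
+--- org.apache.commons:commons-dbcp2:2.7.0 -> 2.1.1
|    \\--- org.apache.commons:commons-pool2:2.7.0
\\--- com.google.guava:guava:29.0-jre (*)
"""

# One dependency line: tree prefix, group:artifact, declared version,
# optional " -> resolved" and an optional trailing marker such as (*), (c) or (n).
DEP_LINE = re.compile(
    r"^[|+\\ \-]*"
    r"(?P<coord>[\w.\-]+:[\w.\-]+):(?P<declared>[\w.\-]+)"
    r"(?: -> (?P<resolved>[\w.\-]+))?"
    r"(?: \((?:\*|c|n)\))?\s*$"
)


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric part of a version as a comparable tuple; '24.1-jre' -> (24, 1, 0).

    The qualifier (-jre, -android) is ignored; missing components count as 0."""
    numeric = version.split("-", 1)[0]
    parts = tuple(int(p) for p in numeric.split(".") if p.isdigit())
    return parts + (0,) * (3 - len(parts))


def resolved_versions(tree: str) -> Dict[str, str]:
    """Map group:artifact to the version Gradle actually resolved."""
    found: Dict[str, str] = {}
    for line in tree.splitlines():
        m = DEP_LINE.match(line)
        if m:
            found[m.group("coord")] = m.group("resolved") or m.group("declared")
    return found


def outdated_libraries(tree: str, minimums=MINIMUM_VERSIONS) -> List[Tuple[str, str, str]]:
    """(coordinate, resolved, minimum) for every library below its minimum version."""
    resolved = resolved_versions(tree)
    return sorted(
        (coord, resolved[coord], minimum)
        for coord, minimum in minimums.items()
        if coord in resolved and version_key(resolved[coord]) < version_key(minimum)
    )


def pin_lines(outdated: List[Tuple[str, str, str]]) -> List[str]:
    """thirdparty.version lines that pin the outdated libraries to the minimum."""
    return [f"{coord}={minimum}" for coord, _, minimum in outdated]


if __name__ == "__main__":
    for coord, actual, wanted in outdated_libraries(SAMPLE_DEPENDENCY_TREE):
        print(f"{coord}: resolved {actual}, required at least {wanted}")
    print("\n".join(pin_lines(outdated_libraries(SAMPLE_DEPENDENCY_TREE))))
```

On the sample tree the script reports only commons-dbcp2 (resolved 2.1.1, required 2.7.0) and prints the matching thirdparty.version line; run it against real output by piping the dependencies task into the parser instead of the constructed sample.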

2.2 Class Collision Check Failed

Some libraries contain resources with the same path; after the update, for example, both classgraph and byte-buddy ship a Java 9 module-info.class below META-INF/versions, which makes the checkClassCollisions task fail. To exclude such resources, the configuration of the task in the assembly's build.gradle must be adapted:

* What went wrong:
Execution failed for task ':<assembly>:checkClassCollisions'.
> There are class collisions in your dependencies
   > Collision between io.github.classgraph:classgraph:4.6.32 and net.bytebuddy:byte-buddy:1.9.10
      > META-INF.versions.9.module-info
build.gradle of assembly
// verify whole server classpath to be collision-free
checkClassCollisions {
    allCartridges = true
    ignore 'META-INF.versions.\\d+.module-info' // ignore module-info.class files below META-INF/versions/<n>/
}
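The ignore pattern above should stay as narrow as it is: it silences only the harmless module-info duplicates, while a genuine duplicate class (such as a shaded copy of a library that pins an old, vulnerable version) must still fail the build. The following script is an added example and not Intershop's checkClassCollisions implementation: it builds three small jars in memory (constructed stand-ins for the two jars from the error message plus a constructed shaded copy), reports every resource present in more than one jar in the dotted form the error message uses, and applies the ignore pattern from the build.gradle snippet. That the task reports paths in dotted form without the .class suffix is taken from the error output; that the ignore pattern must match the whole name and that META-INF/MANIFEST.MF is never counted as a collision are assumptions of this example.

```python
import io
import re
import zipfile
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Pattern from the build.gradle snippet ('\\d' in Groovy is the regex \d).
IGNORE_PATTERNS = [r"META-INF.versions.\d+.module-info"]


def build_jar(entries: Iterable[str]) -> bytes:
    """Constructed in-memory jar with the given entry paths (empty payloads)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed stand-ins; the entry lists are examples, not the real jar contents.
SAMPLE_JARS: Dict[str, bytes] = {
    "io.github.classgraph:classgraph:4.6.32": build_jar([
        "META-INF/MANIFEST.MF",
        "META-INF/versions/9/module-info.class",
        "io/github/classgraph/ClassGraph.class",
    ]),
    "net.bytebuddy:byte-buddy:1.9.10": build_jar([
        "META-INF/MANIFEST.MF",
        "META-INF/versions/9/module-info.class",
        "net/bytebuddy/ByteBuddy.class",
    ]),
    # Constructed shaded copy: a real collision that must not be ignored.
    "com.example:shaded-copy:1.0": build_jar([
        "META-INF/MANIFEST.MF",
        "io/github/classgraph/ClassGraph.class",
    ]),
}


def dotted_name(entry: str) -> str:
    """Entry path in the dotted form the error message shows (a/B.class -> a.B)."""
    if entry.endswith(".class"):
        entry = entry[: -len(".class")]
    return entry.replace("/", ".")


def find_collisions(
    jars: Dict[str, bytes], ignore: List[str] = IGNORE_PATTERNS
) -> List[Tuple[str, Tuple[str, ...]]]:
    """(dotted resource name, jars containing it) for every non-ignored duplicate."""
    ignore_res = [re.compile(p) for p in ignore]
    owners: Dict[str, List[str]] = defaultdict(list)
    for coordinate, data in jars.items():
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.namelist():
                if entry.endswith("/"):  # directory entries are not resources
                    continue
                owners[dotted_name(entry)].append(coordinate)
    collisions = []
    for name, coords in sorted(owners.items()):
        if len(coords) < 2:
            continue
        if name == "META-INF.MANIFEST.MF":  # assumption: every jar has one
            continue
        if any(r.fullmatch(name) for r in ignore_res):  # assumption: whole-name match
            continue
        collisions.append((name, tuple(sorted(coords))))
    return collisions


if __name__ == "__main__":
    print("without ignore pattern:")
    for name, coords in find_collisions(SAMPLE_JARS, ignore=[]):
        print(f"  {name}: {' and '.join(coords)}")
    print("with ignore pattern:")
    for name, coords in find_collisions(SAMPLE_JARS):
        print(f"  {name}: {' and '.join(coords)}")
```

Without the ignore pattern both the module-info duplicate and the shaded ClassGraph class are reported; with it, only the shaded class remains, which is the outcome a build should have: the known-benign duplicate is silenced and the suspicious one still fails.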

Disclaimer

The information provided in the Knowledge Base may not be applicable to all systems and situations. Intershop Communications will not be liable to any party for any direct or indirect damages resulting from the use of the Customer Support section of the Intershop Corporate Web site, including, without limitation, any lost profits, business interruption, loss of programs or other data on your information handling system.
