RUN-4211: Fix CVE-2026-24400 and standardize dependency management#26
RUN-4211: Fix CVE-2026-24400 and standardize dependency management#26
Conversation
Migrated http-notification to use centralized version catalog to ensure consistent dependency versions and resolve CVE-2025-24972: - Created gradle/libs.versions.toml with all dependency versions - Updated build.gradle to use version catalog references - Upgraded Axion release plugin from 1.17.2 to 1.18.18 - Added versionCreator 'simple' for consistent tag-based versioning - Spock 2.4-groovy-4.0 no longer pulls vulnerable assertj-core The vulnerable assertj-core 3.23.1 was a transitive dependency through Spock 2.0. Current Spock 2.4-groovy-4.0 does not include this dependency.
fdevans
changed the title
fdevans
changed the title
There was a problem hiding this comment.
Pull request overview
This PR aims to remediate CVE-2025-24972 by standardizing Gradle dependency management via a centralized version catalog and aligning build configuration with the intended (non-vulnerable) test stack.
Changes:
- Added a Gradle version catalog (
gradle/libs.versions.toml) and migrated dependency/plugin declarations to use it. - Updated Axion Release plugin usage and configured
versionCreator 'simple'for tag-based versioning. - Adjusted build metadata (including Rundeck compatibility manifest attribute) and removed the
jitpack.ymlconfiguration.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| jitpack.yml | Removes JitPack build configuration (JDK selection previously specified). |
| gradle/libs.versions.toml | Introduces centralized versions for plugins and dependencies, plus a testing bundle. |
| build.gradle | Switches to version-catalog aliases/references, updates Axion config, and updates plugin manifest compatibility metadata. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| httpclient = "4.5.14" | ||
| commonsLang3 = "3.20.0" | ||
| httpStep = "2.0.0" | ||
| junit = "4.13.2" |
There was a problem hiding this comment.
The version catalog sets httpStep = "2.0.0", which upgrades the bundled runtime dependency from org.rundeck.plugins:http-step:1.1.20-grails7 (per the previous build.gradle). This is a functional/runtime change beyond “standardizing dependency management”; please either keep the previous http-step version or explicitly call out/justify the upgrade (and confirm compatibility with the targeted Rundeck versions).
Release Notes
Resolves CVE-2025-24972 (XML External Entity Injection in assertj-core) by standardizing dependency management with a centralized version catalog, ensuring the plugin uses Spock 2.4-groovy-4.0 which no longer includes the vulnerable assertj-core transitive dependency.
PR Details
Summary
This PR addresses CVE-2025-24972 (CVSS 8.2 High) and standardizes dependency management for the http-notification plugin.
Changes
gradle/libs.versions.toml: Centralized version catalog for consistent dependency management across the pluginbuild.gradle: Migrated all dependency declarations to use version catalog referencesversionCreator 'simple': Ensures consistent tag-based versioning without branch name suffixesSecurity Fix
The vulnerable
org.assertj:assertj-core@3.23.1was a transitive dependency throughorg.spockframework:spock-core@2.0-groovy-3.0. The plugin was already using Spock 2.4-groovy-4.0, which does not pull in the vulnerable assertj-core dependency. This PR formalizes that configuration through the version catalog.Test Results
Related