Merge pull request #591 from rundeck/RUN-3602

RUN-3602: Fix CVE-2024-25710 finding in commons-compress

Author: fdevans

build.gradle

@@ -45,6 +45,13 @@ subprojects{
             options.addBooleanOption('html5', true)
         }
     }
+
+        // Mitigate CVE-2024-25710: Force commons-compress to 1.28.0
+        configurations.all {
+            resolutionStrategy {
+                force libs.commonsCompress
+            }
+        }
 }
 
 /**

gradle.properties

@@ -12,4 +12,4 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#
+#

gradle/libs.versions.toml

@@ -19,6 +19,7 @@ snakeYaml = "2.0"
 #used for authz lib integration
 rundeck = "4.17.6-20240402"
 testcontainers = "1.21.3"
+commonsCompress = "1.28.0"
 
 [libraries]
 
@@ -50,6 +51,8 @@ rundeckAuthzYaml = { module = "org.rundeck:rundeck-authz-yaml", version.ref = "r
 testcontainers = { module = "org.testcontainers:testcontainers", version.ref = "testcontainers" }
 testcontainersSpock = { module = "org.testcontainers:spock", version.ref = "testcontainers" }
 
+commonsCompress = { module = "org.apache.commons:commons-compress", version.ref = "commonsCompress" }
+
 [bundles]
 
 retrofit = ["retrofitCore", "retrofitJackson", "retrofitJaxb", "okhttpLogging", "okhttpUrlconnection", "jaxb"]