From ddc420f0e887e3b6b6a4182487a46a0240b56d63 Mon Sep 17 00:00:00 2001
From: agrasth
Date: Fri, 3 Apr 2026 12:44:39 +0530
Subject: [PATCH 1/5] Fix Security Violations
---
 build.gradle | 35 +++++++++++------------------------
 httpClient/build.gradle | 2 +-
 2 files changed, 12 insertions(+), 25 deletions(-)
diff --git a/build.gradle b/build.gradle
index 14729690..bf8d4537 100644
--- a/build.gradle
+++ b/build.gradle
@@ -64,30 +64,17 @@ subprojects {
 // Force secure versions to fix vulnerabilities
 configurations.all {
 resolutionStrategy {
- // Use latest confirmed available Jetty 9.4.x versions - consistent versions
- force 'org.eclipse.jetty:jetty-server:9.4.58.v20250814'
- force 'org.eclipse.jetty:jetty-servlets:9.4.58.v20250814'
- force 'org.eclipse.jetty:jetty-http:9.4.58.v20250814'
- force 'org.eclipse.jetty:jetty-util:9.4.58.v20250814'
- force 'org.eclipse.jetty:jetty-io:9.4.58.v20250814'
- force 'org.eclipse.jetty:jetty-client:9.4.58.v20250814'
- force 'org.eclipse.jetty:jetty-security:9.4.58.v20250814'
- force 'org.eclipse.jetty:jetty-servlet:9.4.58.v20250814'
- force 'org.eclipse.jetty:jetty-webapp:9.4.58.v20250814'
- force 'org.eclipse.jetty:jetty-proxy:9.4.58.v20250814'
- force 'org.eclipse.jetty:jetty-continuation:9.4.58.v20250814'
- force 'org.eclipse.jetty:jetty-util-ajax:9.4.58.v20250814'
- force 'org.eclipse.jetty:jetty-xml:9.4.58.v20250814'
- force 'org.eclipse.jetty.http2:http2-server:9.4.58.v20250814'
- force 'org.eclipse.jetty.http2:http2-common:9.4.58.v20250814'
- force 'org.eclipse.jetty.http2:http2-hpack:9.4.58.v20250814'
- // Force ALPN modules that wiremock depends on
- force 'org.eclipse.jetty:jetty-alpn-server:9.4.58.v20250814'
- force 'org.eclipse.jetty:jetty-alpn-java-server:9.4.58.v20250814'
- force 'org.eclipse.jetty:jetty-alpn-openjdk8-server:9.4.58.v20250814'
- force 'org.eclipse.jetty:jetty-alpn-java-client:9.4.58.v20250814'
- force 'org.eclipse.jetty:jetty-alpn-openjdk8-client:9.4.58.v20250814'
- force 'org.eclipse.jetty:jetty-alpn-client:9.4.58.v20250814'
+ // Force Jetty 12.x (used by wiremock 3.x) - fixes CVE-2026-1225
+ force 'org.eclipse.jetty:jetty-server:12.0.12'
+ force 'org.eclipse.jetty:jetty-http:12.0.12'
+ force 'org.eclipse.jetty:jetty-util:12.0.12'
+ force 'org.eclipse.jetty:jetty-io:12.0.12'
+ force 'org.eclipse.jetty:jetty-client:12.0.12'
+ force 'org.eclipse.jetty:jetty-util-ajax:12.0.12'
+ force 'org.eclipse.jetty:jetty-xml:12.0.12'
+ force 'org.eclipse.jetty.http2:http2-server:12.0.12'
+ force 'org.eclipse.jetty.http2:http2-common:12.0.12'
+ force 'org.eclipse.jetty.http2:http2-hpack:12.0.12'
 // Latest secure versions
 force 'commons-io:commons-io:2.18.0'
 force 'net.minidev:json-smart:2.5.2'
diff --git a/httpClient/build.gradle b/httpClient/build.gradle
index b5ca94e0..45052119 100644
--- a/httpClient/build.gradle
+++ b/httpClient/build.gradle
@@ -8,5 +8,5 @@ repositories {
 dependencies {
 testImplementation group: 'org.testng', name: 'testng', version: '7.5.1'
- testImplementation group: 'com.github.tomakehurst', name: 'wiremock-jre8', version: '2.35.2'
+ testImplementation group: 'org.wiremock', name: 'wiremock', version: '3.12.1'
 }
\ No newline at end of file
From 2c0b2b2c71f1596aad66cbd3d1a63a2eaab1d553 Mon Sep 17 00:00:00 2001
From: agrasth
Date: Fri, 3 Apr 2026 13:48:11 +0530
Subject: [PATCH 2/5] Fix wiremock 3.x Java 11 compatibility for test classpath resolution
---
 httpClient/build.gradle | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/httpClient/build.gradle b/httpClient/build.gradle
index 45052119..8e49c6b6 100644
--- a/httpClient/build.gradle
+++ b/httpClient/build.gradle
@@ -9,4 +9,19 @@ repositories {
 dependencies {
 testImplementation group: 'org.testng', name: 'testng', version: '7.5.1'
 testImplementation group: 'org.wiremock', name: 'wiremock', version: '3.12.1'
+}
+
+// wiremock 3.x requires Java 11+; override test classpath attributes so Gradle
+// resolves it correctly while keeping production code at Java 8
+configurations {
+ testCompileClasspath {
+ attributes {
+ attribute(Attribute.of("org.gradle.jvm.version", Integer), 11)
+ }
+ }
+ testRuntimeClasspath {
+ attributes {
+ attribute(Attribute.of("org.gradle.jvm.version", Integer), 11)
+ }
+ }
 }
\ No newline at end of file
From 63fa670985fe3490e23cae48cc95f24412021eb0 Mon Sep 17 00:00:00 2001
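Review bot: In PATCH 1/5, the `build.gradle` hunk places the Jetty 12.0.12 forces inside `configurations.all` under `subprojects`, so the pin applies to every configuration of every subproject rather than only to the test classpath that brings in WireMock. The previous list also pinned `jetty-servlet`, `jetty-servlets`, `jetty-security`, `jetty-webapp`, `jetty-proxy`, `jetty-continuation` and the ALPN modules; those are no longer forced, so anything that still resolves them transitively would share a classpath with a forced 12.0.12 core from a different Jetty line. Jetty 12 also targets a newer Java baseline than the Java 8 that the next patch in the series states for production code. The comment would be easier to audit if it recorded where Jetty comes from and which release the advisory names as fixed, e.g. `// Jetty arrives only via <test dependency>; pinned to <fixed version> for CVE-2026-1225`. The enclosing `resolutionStrategy` block continues outside the hunk.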
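Review bot: In PATCH 2/5, setting `org.gradle.jvm.version` to 11 on `testCompileClasspath` and `testRuntimeClasspath` only changes which variants Gradle will accept during dependency resolution; it does not change the JVM that compiles or runs the tests. If the test task still runs on Java 8, classes built for Java 11 would fail to load at test time, so the override needs to be paired with a Java 11+ toolchain for the test tasks, which this hunk does not show. For the attribute itself, the typed constant is clearer than the string key: `attribute(TargetJvmVersion.TARGET_JVM_VERSION_ATTRIBUTE, 11)`.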
From: agrasth
Date: Fri, 3 Apr 2026 13:58:45 +0530
Subject: [PATCH 3/5] Remove Jetty force entries - WireMock 3.x manages Jetty 11 transitively
---
 build.gradle | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/build.gradle b/build.gradle
index bf8d4537..a3f852f1 100644
--- a/build.gradle
+++ b/build.gradle
@@ -64,17 +64,6 @@ subprojects {
 // Force secure versions to fix vulnerabilities
 configurations.all {
 resolutionStrategy {
- // Force Jetty 12.x (used by wiremock 3.x) - fixes CVE-2026-1225
- force 'org.eclipse.jetty:jetty-server:12.0.12'
- force 'org.eclipse.jetty:jetty-http:12.0.12'
- force 'org.eclipse.jetty:jetty-util:12.0.12'
- force 'org.eclipse.jetty:jetty-io:12.0.12'
- force 'org.eclipse.jetty:jetty-client:12.0.12'
- force 'org.eclipse.jetty:jetty-util-ajax:12.0.12'
- force 'org.eclipse.jetty:jetty-xml:12.0.12'
- force 'org.eclipse.jetty.http2:http2-server:12.0.12'
- force 'org.eclipse.jetty.http2:http2-common:12.0.12'
- force 'org.eclipse.jetty.http2:http2-hpack:12.0.12'
 // Latest secure versions
 force 'commons-io:commons-io:2.18.0'
 force 'net.minidev:json-smart:2.5.2'
From cba53fead6973e49a5d33ef1aca854110553657d Mon Sep 17 00:00:00 2001
From: agrasth
Date: Fri, 3 Apr 2026 14:08:18 +0530
Subject: [PATCH 4/5] Use wiremock-jre8-standalone to remove Jetty transitive dependency
---
 httpClient/build.gradle | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)
diff --git a/httpClient/build.gradle b/httpClient/build.gradle
index 8e49c6b6..d6e5b8f0 100644
--- a/httpClient/build.gradle
+++ b/httpClient/build.gradle
@@ -8,20 +8,5 @@ repositories {
 dependencies {
 testImplementation group: 'org.testng', name: 'testng', version: '7.5.1'
- testImplementation group: 'org.wiremock', name: 'wiremock', version: '3.12.1'
+ testImplementation group: 'com.github.tomakehurst', name: 'wiremock-jre8-standalone', version: '2.35.2'
 }
-
-// wiremock 3.x requires Java 11+; override test classpath attributes so Gradle
-// resolves it correctly while keeping production code at Java 8
-configurations {
- testCompileClasspath {
- attributes {
- attribute(Attribute.of("org.gradle.jvm.version", Integer), 11)
- }
- }
- testRuntimeClasspath {
- attributes {
- attribute(Attribute.of("org.gradle.jvm.version", Integer), 11)
- }
- }
-}
\ No newline at end of file
From 6fc789999ec73722b565d9da0da86a7db0c6f07c Mon Sep 17 00:00:00 2001
From: agrasth
Date: Fri, 3 Apr 2026 14:21:14 +0530
Subject: [PATCH 5/5] Add explicit Guava and Hamcrest deps missing from wiremock-standalone
---
 httpClient/build.gradle | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/httpClient/build.gradle b/httpClient/build.gradle
index d6e5b8f0..da089bdb 100644
--- a/httpClient/build.gradle
+++ b/httpClient/build.gradle
@@ -9,4 +9,6 @@ repositories {
 dependencies {
 testImplementation group: 'org.testng', name: 'testng', version: '7.5.1'
 testImplementation group: 'com.github.tomakehurst', name: 'wiremock-jre8-standalone', version: '2.35.2'
+ testImplementation group: 'com.google.guava', name: 'guava', version: '33.4.0-jre'
+ testImplementation group: 'org.hamcrest', name: 'hamcrest-core', version: '2.2'
 }
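Review bot: In PATCH 4/5, swapping to `wiremock-jre8-standalone` 2.35.2 takes Jetty out of the resolved dependency graph, but a standalone (shaded) WireMock jar normally carries its own copy of Jetty and other libraries inside the artifact. The server code the series set out to upgrade is therefore most likely still on the test classpath, at whatever version 2.35.2 bundles. Tools that read the Gradle dependency graph will stop reporting it, and `resolutionStrategy.force` in the root build can no longer influence it. The exposure is test-scope only, but it should be recorded next to the dependency, e.g. `// standalone jar bundles its own Jetty; not governed by the root resolutionStrategy - re-check bundled version on upgrade`, and the bundled version checked against the advisory named in PATCH 1/5.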
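Review bot: In PATCH 5/5, the two added test dependencies carry no comment saying why they are declared, and `hamcrest-core` 2.2 is only a compatibility stub that forwards to `org.hamcrest:hamcrest`. Declaring the real artifact states the intent directly: `testImplementation group: 'org.hamcrest', name: 'hamcrest', version: '2.2'`. A one-line comment above the pair, such as `// used directly by tests; not exposed by wiremock-jre8-standalone`, would keep a later cleanup from removing them as unused.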