Merge pull request #1471 from ballerina-platform/trivy-fix

Update commons vfs version

Author: TharmiganK

ballerina/Ballerina.toml

@@ -1,7 +1,7 @@
 [package]
 org = "ballerina"
 name = "ftp"
-version = "2.13.0"
+version = "2.13.1"
 authors = ["Ballerina"]
 keywords = ["FTP", "SFTP", "remote file", "file transfer", "client", "service"]
 repository = "https://github.com/ballerina-platform/module-ballerina-ftp"
@@ -15,8 +15,8 @@ graalvmCompatible = true
 [[platform.java21.dependency]]
 groupId = "org.apache.commons"
 artifactId = "commons-vfs2"
-version = "2.8.0"
-path = "./lib/commons-vfs2-2.8.0.jar"
+version = "2.10.0"
+path = "./lib/commons-vfs2-2.10.0.jar"
 
 [[platform.java21.dependency]]
 groupId = "com.jcraft"
@@ -27,11 +27,23 @@ path = "./lib/jsch-0.1.55.jar"
 [[platform.java21.dependency]]
 groupId = "commons-net"
 artifactId = "commons-net"
-version = "3.9.0"
-path = "./lib/commons-net-3.9.0.jar"
+version = "3.11.1"
+path = "./lib/commons-net-3.11.1.jar"
+
+[[platform.java21.dependency]]
+groupId = "commons-io"
+artifactId = "commons-io"
+version = "2.18.0"
+path = "./lib/commons-io-2.18.0.jar"
+
+[[platform.java21.dependency]]
+groupId = "org.apache.commons"
+artifactId = "commons-lang3"
+version = "3.17.0"
+path = "./lib/commons-lang3-3.17.0.jar"
 
 [[platform.java21.dependency]]
 groupId = "io.ballerina.stdlib"
 artifactId = "ftp-native"
-version = "2.13.0"
-path = "../native/build/libs/ftp-native-2.13.0.jar"
+version = "2.13.1"
+path = "../native/build/libs/ftp-native-2.13.1-SNAPSHOT.jar"

ballerina/CompilerPlugin.toml

@@ -3,4 +3,4 @@ id = "ftp-compiler-plugin"
 class = "io.ballerina.stdlib.ftp.plugin.FtpCompilerPlugin"
 
 [[dependency]]
-path = "../compiler-plugin/build/libs/ftp-compiler-plugin-2.13.0.jar"
+path = "../compiler-plugin/build/libs/ftp-compiler-plugin-2.13.1-SNAPSHOT.jar"

ballerina/Dependencies.toml

@@ -10,7 +10,7 @@ distribution-version = "2201.12.0"
 [[package]]
 org = "ballerina"
 name = "ftp"
-version = "2.13.0"
+version = "2.13.1"
 dependencies = [
 	{org = "ballerina", name = "io"},
 	{org = "ballerina", name = "jballerina.java"},

ballerina/build.gradle

@@ -73,6 +73,12 @@ dependencies {
     externalJars(group: 'org.slf4j', name: 'slf4j-api', version: "${slf4jVersion}") {
         transitive = false
     }
+    externalJars(group: 'org.apache.commons', name: 'commons-lang3', version: "${commonsLang3Version}") {
+        transitive = false
+    }
+    externalJars(group: 'commons-io', name: 'commons-io', version: "${commonsIoVersion}") {
+        transitive = false
+    }
 }
 
 task updateTomlFiles {
@@ -87,6 +93,8 @@ task updateTomlFiles {
         def stdlibDependentMinaCoreVersion = project.minaCoreVersion
         def stdlibDependentAopallianceVersion = project.aopallianceVersion
         def stdlibDependentJclSlf4jVersion = project.jclSlf4jVersion
+        def stdlibDependentCommonsIoVersion = project.commonsIoVersion
+        def stdlibDependentCommonsLang3Version = project.commonsLang3Version
 
         def newConfig = ballerinaTomlFilePlaceHolder.text.replace("@project.version@", project.version)
         newConfig = newConfig.replace("@toml.version@", tomlVersion)
@@ -100,6 +108,8 @@ task updateTomlFiles {
         newConfig = newConfig.replace("@mina.core.version@", stdlibDependentMinaCoreVersion)
         newConfig = newConfig.replace("@aopalliance.version@", stdlibDependentAopallianceVersion)
         newConfig = newConfig.replace("@jcl.slf4j.version@", stdlibDependentJclSlf4jVersion)
+        newConfig = newConfig.replace("@commons.io.version@", stdlibDependentCommonsIoVersion)
+        newConfig = newConfig.replace("@commons.lang3.version@", stdlibDependentCommonsLang3Version)
 
         ballerinaTomlFile.text = newConfig
 

build-config/resources/Ballerina.toml

@@ -30,6 +30,18 @@ artifactId = "commons-net"
 version = "@commons.net.version@"
 path = "./lib/commons-net-@commons.net.version@.jar"
 
+[[platform.java21.dependency]]
+groupId = "commons-io"
+artifactId = "commons-io"
+version = "@commons.io.version@"
+path = "./lib/commons-io-@commons.io.version@.jar"
+
+[[platform.java21.dependency]]
+groupId = "org.apache.commons"
+artifactId = "commons-lang3"
+version = "@commons.lang3.version@"
+path = "./lib/commons-lang3-@commons.lang3.version@.jar"
+
 [[platform.java21.dependency]]
 groupId = "io.ballerina.stdlib"
 artifactId = "ftp-native"

changelog.md

@@ -3,6 +3,12 @@ This file contains all the notable changes done to the Ballerina Email package t
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [unreleased]
+
+### Fixed
+
+- [Address `CVE-2025-27553` vulnerability in Apache Commons VFS](https://github.com/ballerina-platform/ballerina-library/issues/7740)
+
 ## [2.12.0] - 2025-02-11
 
 ### Changed

gradle.properties

@@ -5,8 +5,11 @@ version=2.13.1-SNAPSHOT
 checkstylePluginVersion=10.12.0
 testngVersion=7.6.1
 slf4jVersion=1.7.30
-commonsVfsVersion=2.8.0
-commonsNetVersion=3.9.0
+commonsIoVersion=2.18.0
+commonsLang3Version=3.17.0
+commonsLoggingVersion=1.3.5
+commonsVfsVersion=2.10.0
+commonsNetVersion=3.11.1
 jschVersion=0.1.55
 mockFtpServerVersion=3.0.0
 sshdMinaVersion=1.1.1

native/build.gradle

@@ -33,6 +33,8 @@ dependencies {
     implementation group: 'io.ballerina.stdlib', name: 'io-native', version: "${stdlibIoVersion}"
     implementation group: 'org.slf4j', name: 'slf4j-jdk14', version: "${slf4jVersion}"
     implementation group: 'org.apache.commons', name: 'commons-vfs2', version: "${commonsVfsVersion}"
+    implementation group: 'org.apache.commons', name: 'commons-lang3', version: "${commonsLang3Version}"
+    implementation group: 'commons-io', name: 'commons-io', version: "${commonsIoVersion}"
 }
 
 checkstyle {

native/src/main/java/io/ballerina/stdlib/ftp/transport/server/util/FileTransportUtils.java

@@ -89,18 +89,14 @@ private static void setSftpOptions(Map<String, String> options, FileSystemOption
             configBuilder.setUserDirIsRoot(opts, false);
         }
         if (options.get(FtpConstants.IDENTITY) != null) {
-            try {
-                IdentityInfo identityInfo;
-                if (options.containsKey(IDENTITY_PASS_PHRASE)) {
-                    identityInfo = new IdentityInfo(new File(options.get(FtpConstants.IDENTITY)),
-                            options.get(IDENTITY_PASS_PHRASE).getBytes());
-                } else {
-                    identityInfo = new IdentityInfo(new File(options.get(FtpConstants.IDENTITY)));
-                }
-                configBuilder.setIdentityInfo(opts, identityInfo);
-            } catch (FileSystemException e) {
-                throw new RemoteFileSystemConnectorException(e.getMessage(), e);
+            IdentityInfo identityInfo;
+            if (options.containsKey(IDENTITY_PASS_PHRASE)) {
+                identityInfo = new IdentityInfo(new File(options.get(FtpConstants.IDENTITY)),
+                        options.get(IDENTITY_PASS_PHRASE).getBytes());
+            } else {
+                identityInfo = new IdentityInfo(new File(options.get(FtpConstants.IDENTITY)));
             }
+            configBuilder.setIdentityInfo(opts, identityInfo);
         }
         if (options.get(FtpConstants.AVOID_PERMISSION_CHECK) != null) {
             try {

native/src/main/java/module-info.java

@@ -17,13 +17,13 @@
  */
 
 module io.ballerina.stdlib.ftp {
-    requires commons.vfs2;
     requires io.ballerina.runtime;
     requires io.ballerina.lang;
     requires io.ballerina.stdlib.io;
     requires io.ballerina.tools.api;
     requires org.slf4j;
     requires java.logging;
+    requires org.apache.commons.vfs2;
     exports io.ballerina.stdlib.ftp.client;
     exports io.ballerina.stdlib.ftp.server;
     exports io.ballerina.stdlib.ftp.util;