diff --git a/.github/workflows/build-timestamped-master.yml b/.github/workflows/build-timestamped-master.yml
index 5b880693d..5e241c4f5 100644
--- a/.github/workflows/build-timestamped-master.yml
+++ b/.github/workflows/build-timestamped-master.yml
@@ -15,5 +15,5 @@ jobs:
 call_workflow:
 name: Run Build Workflow
 if: ${{ github.repository_owner == 'ballerina-platform' }}
- uses: ballerina-platform/ballerina-library/.github/workflows/build-timestamp-master-template.yml@main
+ uses: ballerina-platform/ballerina-library/.github/workflows/build-timestamp-master-template.yml@2201.10.x
 secrets: inherit
diff --git a/.github/workflows/build-with-bal-test-graalvm.yml b/.github/workflows/build-with-bal-test-graalvm.yml
index 802926fe2..170c202d2 100644
--- a/.github/workflows/build-with-bal-test-graalvm.yml
+++ b/.github/workflows/build-with-bal-test-graalvm.yml
@@ -30,7 +30,7 @@ jobs:
 call_stdlib_workflow:
 name: Run StdLib Workflow
 if: ${{ github.event_name != 'schedule' || (github.event_name == 'schedule' && github.repository_owner == 'ballerina-platform') }}
- uses: ballerina-platform/ballerina-library/.github/workflows/build-with-bal-test-graalvm-template.yml@main
+ uses: ballerina-platform/ballerina-library/.github/workflows/build-with-bal-test-graalvm-template.yml@2201.10.x
 with:
 lang_tag: ${{ inputs.lang_tag }}
 lang_version: ${{ inputs.lang_version }}
diff --git a/.github/workflows/central-publish.yml b/.github/workflows/central-publish.yml
index 6bd74c449..5432941e8 100644
--- a/.github/workflows/central-publish.yml
+++ b/.github/workflows/central-publish.yml
@@ -16,7 +16,7 @@ jobs:
 call_workflow:
 name: Run Central Publish Workflow
 if: ${{ github.repository_owner == 'ballerina-platform' }}
- uses: ballerina-platform/ballerina-library/.github/workflows/central-publish-template.yml@main
+ uses: ballerina-platform/ballerina-library/.github/workflows/central-publish-template.yml@2201.10.x
 secrets: inherit
 with:
 environment: ${{ github.event.inputs.environment }}
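Review bot: The new ref `@2201.10.x` on the `uses:` line in build-timestamped-master.yml appears to be a branch name rather than an immutable ref, so the reusable workflow that runs here can change without any change in this repository, and this job passes `secrets: inherit`. The same applies to the `uses:` lines changed in build-with-bal-test-graalvm.yml, central-publish.yml, process-load-test-result.yml, publish-release.yml, pull-request.yml, trigger-load-tests.yml and trivy-scan.yml, several of which also inherit or forward secrets. Pinning each reference to a full commit SHA and keeping the branch as a trailing comment, for example `uses: ballerina-platform/ballerina-library/.github/workflows/build-timestamp-master-template.yml@<full-commit-sha> # 2201.10.x`, would make every template change show up as a reviewable diff here. The publish and release workflows are presumably the ones where that matters most.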
diff --git a/.github/workflows/process-load-test-result.yml b/.github/workflows/process-load-test-result.yml
index 7460cf05a..40b8ff002 100644
--- a/.github/workflows/process-load-test-result.yml
+++ b/.github/workflows/process-load-test-result.yml
@@ -6,7 +6,7 @@ on:
 jobs:
 call_stdlib_process_load_test_results_workflow:
 name: Run StdLib Process Load Test Results Workflow
- uses: ballerina-platform/ballerina-library/.github/workflows/process-load-test-results-template.yml@main
+ uses: ballerina-platform/ballerina-library/.github/workflows/process-load-test-results-template.yml@2201.10.x
 with:
 results: ${{ toJson(github.event.client_payload.results) }}
 secrets:
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index efd673294..2e7d0b260 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -9,7 +9,7 @@ jobs:
 call_workflow:
 name: Run Release Workflow
 if: ${{ github.repository_owner == 'ballerina-platform' }}
- uses: ballerina-platform/ballerina-library/.github/workflows/release-package-template.yml@main
+ uses: ballerina-platform/ballerina-library/.github/workflows/release-package-template.yml@2201.10.x
 secrets: inherit
 with:
 package-name: ftp
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index ecfa72cec..936284e61 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -10,5 +10,5 @@ jobs:
 call_workflow:
 name: Run PR Build Workflow
 if: ${{ github.repository_owner == 'ballerina-platform' }}
- uses: ballerina-platform/ballerina-library/.github/workflows/pull-request-build-template.yml@main
+ uses: ballerina-platform/ballerina-library/.github/workflows/pull-request-build-template.yml@2201.10.x
 secrets: inherit
diff --git a/.github/workflows/trigger-load-tests.yml b/.github/workflows/trigger-load-tests.yml
index 9daa27faf..e6f0fe2f5 100644
--- a/.github/workflows/trigger-load-tests.yml
+++ b/.github/workflows/trigger-load-tests.yml
@@ -22,7 +22,7 @@ jobs:
 call_stdlib_trigger_load_test_workflow:
 name: Run StdLib Load Test Workflow
 if: ${{ github.event_name != 'schedule' || (github.event_name == 'schedule' && github.repository_owner == 'ballerina-platform') }}
- uses: ballerina-platform/ballerina-library/.github/workflows/trigger-load-tests-template.yml@main
+ uses: ballerina-platform/ballerina-library/.github/workflows/trigger-load-tests-template.yml@2201.10.x
 with:
 repo_name: 'module-ballerina-ftp'
 runtime_artifacts_url: 'https://api.github.com/repos/ballerina-platform/module-ballerina-ftp/actions/artifacts'
diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
index 2f7999ded..64e953a14 100644
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -9,5 +9,5 @@ jobs:
 call_workflow:
 name: Run Trivy Scan Workflow
 if: ${{ github.repository_owner == 'ballerina-platform' }}
- uses: ballerina-platform/ballerina-library/.github/workflows/trivy-scan-template.yml@main
+ uses: ballerina-platform/ballerina-library/.github/workflows/trivy-scan-template.yml@2201.10.x
 secrets: inherit
diff --git a/ballerina/Ballerina.toml b/ballerina/Ballerina.toml
index e72b0cbd1..dbca8843a 100644
--- a/ballerina/Ballerina.toml
+++ b/ballerina/Ballerina.toml
@@ -1,7 +1,7 @@
 [package]
 org = "ballerina"
 name = "ftp"
-version = "2.11.0"
+version = "2.11.1"
 authors = ["Ballerina"]
 keywords = ["FTP", "SFTP", "remote file", "file transfer", "client", "service"]
 repository = "https://github.com/ballerina-platform/module-ballerina-ftp"
@@ -15,8 +15,8 @@ graalvmCompatible = true
 [[platform.java17.dependency]]
 groupId = "org.apache.commons"
 artifactId = "commons-vfs2"
-version = "2.8.0"
-path = "./lib/commons-vfs2-2.8.0.jar"
+version = "2.10.0"
+path = "./lib/commons-vfs2-2.10.0.jar"
 [[platform.java17.dependency]]
 groupId = "com.jcraft"
@@ -27,11 +27,23 @@ path = "./lib/jsch-0.1.55.jar"
 [[platform.java17.dependency]]
 groupId = "commons-net"
 artifactId = "commons-net"
-version = "3.9.0"
-path = "./lib/commons-net-3.9.0.jar"
+version = "3.11.1"
+path = "./lib/commons-net-3.11.1.jar"
+
+[[platform.java17.dependency]]
+groupId = "commons-io"
+artifactId = "commons-io"
+version = "2.18.0"
+path = "./lib/commons-io-2.18.0.jar"
+
+[[platform.java17.dependency]]
+groupId = "org.apache.commons"
+artifactId = "commons-lang3"
+version = "3.17.0"
+path = "./lib/commons-lang3-3.17.0.jar"
 [[platform.java17.dependency]]
 groupId = "io.ballerina.stdlib"
 artifactId = "ftp-native"
-version = "2.11.0"
-path = "../native/build/libs/ftp-native-2.11.0.jar"
+version = "2.11.1"
+path = "../native/build/libs/ftp-native-2.11.1-SNAPSHOT.jar"
diff --git a/ballerina/CompilerPlugin.toml b/ballerina/CompilerPlugin.toml
index 16a2d84c6..7dac701f3 100644
--- a/ballerina/CompilerPlugin.toml
+++ b/ballerina/CompilerPlugin.toml
@@ -3,4 +3,4 @@ id = "ftp-compiler-plugin"
 class = "io.ballerina.stdlib.ftp.plugin.FtpCompilerPlugin"
 [[dependency]]
-path = "../compiler-plugin/build/libs/ftp-compiler-plugin-2.11.0.jar"
+path = "../compiler-plugin/build/libs/ftp-compiler-plugin-2.11.1-SNAPSHOT.jar"
diff --git a/ballerina/Dependencies.toml b/ballerina/Dependencies.toml
index efc75e593..11d660801 100644
--- a/ballerina/Dependencies.toml
+++ b/ballerina/Dependencies.toml
@@ -10,7 +10,7 @@ distribution-version = "2201.10.0"
 [[package]]
 org = "ballerina"
 name = "ftp"
-version = "2.11.0"
+version = "2.11.1"
 dependencies = [
 {org = "ballerina", name = "io"},
 {org = "ballerina", name = "jballerina.java"},
@@ -27,7 +27,7 @@ modules = [
 [[package]]
 org = "ballerina"
 name = "io"
-version = "1.6.0"
+version = "1.6.3"
 dependencies = [
 {org = "ballerina", name = "jballerina.java"},
 {org = "ballerina", name = "lang.value"}
diff --git a/ballerina/build.gradle b/ballerina/build.gradle
index faf7bf4bd..dc4a13efb 100644
--- a/ballerina/build.gradle
+++ b/ballerina/build.gradle
@@ -89,6 +89,12 @@ dependencies {
 externalJars(group: 'org.slf4j', name: 'slf4j-api', version: "${slf4jVersion}") {
 transitive = false
 }
+ externalJars(group: 'org.apache.commons', name: 'commons-lang3', version: "${commonsLang3Version}") {
+ transitive = false
+ }
+ externalJars(group: 'commons-io', name: 'commons-io', version: "${commonsIoVersion}") {
+ transitive = false
+ }
 }
 task updateTomlFiles {
@@ -103,6 +109,8 @@ task updateTomlFiles {
 def stdlibDependentMinaCoreVersion = project.minaCoreVersion
 def stdlibDependentAopallianceVersion = project.aopallianceVersion
 def stdlibDependentJclSlf4jVersion = project.jclSlf4jVersion
+ def stdlibDependentCommonsIoVersion = project.commonsIoVersion
+ def stdlibDependentCommonsLang3Version = project.commonsLang3Version
 def newConfig = ballerinaTomlFilePlaceHolder.text.replace("@project.version@", project.version)
 newConfig = newConfig.replace("@toml.version@", tomlVersion)
@@ -116,6 +124,8 @@ task updateTomlFiles {
 newConfig = newConfig.replace("@mina.core.version@", stdlibDependentMinaCoreVersion)
 newConfig = newConfig.replace("@aopalliance.version@", stdlibDependentAopallianceVersion)
 newConfig = newConfig.replace("@jcl.slf4j.version@", stdlibDependentJclSlf4jVersion)
+ newConfig = newConfig.replace("@commons.io.version@", stdlibDependentCommonsIoVersion)
+ newConfig = newConfig.replace("@commons.lang3.version@", stdlibDependentCommonsLang3Version)
 ballerinaTomlFile.text = newConfig
diff --git a/build-config/resources/Ballerina.toml b/build-config/resources/Ballerina.toml
index f0eb09110..1ebc1de8f 100644
--- a/build-config/resources/Ballerina.toml
+++ b/build-config/resources/Ballerina.toml
@@ -30,6 +30,18 @@ artifactId = "commons-net"
 version = "@commons.net.version@"
 path = "./lib/commons-net-@commons.net.version@.jar"
+[[platform.java17.dependency]]
+groupId = "commons-io"
+artifactId = "commons-io"
+version = "@commons.io.version@"
+path = "./lib/commons-io-@commons.io.version@.jar"
+
+[[platform.java17.dependency]]
+groupId = "org.apache.commons"
+artifactId = "commons-lang3"
+version = "@commons.lang3.version@"
+path = "./lib/commons-lang3-@commons.lang3.version@.jar"
+
 [[platform.java17.dependency]]
 groupId = "io.ballerina.stdlib"
 artifactId = "ftp-native"
diff --git a/changelog.md b/changelog.md
index 957007d65..60bbddc94 100644
--- a/changelog.md
+++ b/changelog.md
@@ -3,6 +3,12 @@ This file contains all the notable changes done to the Ballerina Email package t
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [Unreleased]
+
+### Fixed
+
+- [Address `CVE-2025-27553` vulnerability in Apache Commons VFS](https://github.com/ballerina-platform/ballerina-library/issues/7740)
+
 ## [2.11.0] - 2024-08-20
 ### Fixed
diff --git a/gradle.properties b/gradle.properties
index a9848da45..4f30e6d2a 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -5,8 +5,11 @@ version=2.11.1-SNAPSHOT
 puppycrawlCheckstyleVersion=10.12.0
 testngVersion=7.6.1
 slf4jVersion=1.7.30
-commonsVfsVersion=2.8.0
-commonsNetVersion=3.9.0
+commonsIoVersion=2.18.0
+commonsLang3Version=3.17.0
+commonsLoggingVersion=1.3.5
+commonsVfsVersion=2.10.0
+commonsNetVersion=3.11.1
 jschVersion=0.1.55
 mockFtpServerVersion=3.0.0
 sshdMinaVersion=1.1.1
diff --git a/native/build.gradle b/native/build.gradle
index e30cd7037..027ec9a10 100644
--- a/native/build.gradle
+++ b/native/build.gradle
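Review bot: `commonsLoggingVersion=1.3.5` is added in the gradle.properties hunk, but none of the build-file hunks in this diff reads it: ballerina/build.gradle and native/build.gradle reference only `commonsIoVersion` and `commonsLang3Version`, and neither Ballerina.toml gains a commons-logging entry. If the upgraded Commons VFS needs commons-logging at runtime, nothing visible here packages the jar; if it does not, the property reads like a pin that controls nothing, which misleads whoever later triages a commons-logging advisory. Either wire it up the same way as the other two (an `externalJars` entry, an `updateTomlFiles` replacement and a template block) or drop the line. The consumer may be in a file this diff does not show.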
@@ -33,6 +33,8 @@ dependencies {
 implementation group: 'io.ballerina.stdlib', name: 'io-native', version: "${stdlibIoVersion}"
 implementation group: 'org.slf4j', name: 'slf4j-jdk14', version: "${slf4jVersion}"
 implementation group: 'org.apache.commons', name: 'commons-vfs2', version: "${commonsVfsVersion}"
+ implementation group: 'org.apache.commons', name: 'commons-lang3', version: "${commonsLang3Version}"
+ implementation group: 'commons-io', name: 'commons-io', version: "${commonsIoVersion}"
 }
 checkstyle {
diff --git a/native/src/main/java/io/ballerina/stdlib/ftp/transport/server/util/FileTransportUtils.java b/native/src/main/java/io/ballerina/stdlib/ftp/transport/server/util/FileTransportUtils.java
index a1ff4e3f5..61173163b 100644
--- a/native/src/main/java/io/ballerina/stdlib/ftp/transport/server/util/FileTransportUtils.java
+++ b/native/src/main/java/io/ballerina/stdlib/ftp/transport/server/util/FileTransportUtils.java
@@ -89,18 +89,14 @@ private static void setSftpOptions(Map options, FileSystemOption
 configBuilder.setUserDirIsRoot(opts, false);
 }
 if (options.get(FtpConstants.IDENTITY) != null) {
- try {
- IdentityInfo identityInfo;
- if (options.containsKey(IDENTITY_PASS_PHRASE)) {
- identityInfo = new IdentityInfo(new File(options.get(FtpConstants.IDENTITY)),
- options.get(IDENTITY_PASS_PHRASE).getBytes());
- } else {
- identityInfo = new IdentityInfo(new File(options.get(FtpConstants.IDENTITY)));
- }
- configBuilder.setIdentityInfo(opts, identityInfo);
- } catch (FileSystemException e) {
- throw new RemoteFileSystemConnectorException(e.getMessage(), e);
+ IdentityInfo identityInfo;
+ if (options.containsKey(IDENTITY_PASS_PHRASE)) {
+ identityInfo = new IdentityInfo(new File(options.get(FtpConstants.IDENTITY)),
+ options.get(IDENTITY_PASS_PHRASE).getBytes());
+ } else {
+ identityInfo = new IdentityInfo(new File(options.get(FtpConstants.IDENTITY)));
 }
+ configBuilder.setIdentityInfo(opts, identityInfo);
 }
 if (options.get(FtpConstants.AVOID_PERMISSION_CHECK) != null) {
 try {
diff --git a/native/src/main/java/module-info.java b/native/src/main/java/module-info.java
index 919fca86a..7ac071612 100644
--- a/native/src/main/java/module-info.java
+++ b/native/src/main/java/module-info.java
@@ -17,13 +17,13 @@
 */
 module io.ballerina.stdlib.ftp {
- requires commons.vfs2;
 requires io.ballerina.runtime;
 requires io.ballerina.lang;
 requires io.ballerina.stdlib.io;
 requires io.ballerina.tools.api;
 requires org.slf4j;
 requires java.logging;
+ requires org.apache.commons.vfs2;
 exports io.ballerina.stdlib.ftp.client;
 exports io.ballerina.stdlib.ftp.server;
 exports io.ballerina.stdlib.ftp.util;
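Review bot: In the `setSftpOptions` hunk of FileTransportUtils.java, the re-indented line `options.get(IDENTITY_PASS_PHRASE).getBytes());` still encodes the key passphrase with the platform default charset, so a non-ASCII passphrase yields different bytes on hosts with different defaults and the key then fails to decrypt; `options.get(IDENTITY_PASS_PHRASE).getBytes(StandardCharsets.UTF_8));` fixes the encoding (the import block is outside the hunk). The branch is also selected with `containsKey` while the identity path is tested with `!= null`, so if the map can hold a null passphrase value this line throws a NullPointerException; `if (options.get(IDENTITY_PASS_PHRASE) != null) {` would match the surrounding checks. With the `try`/`catch` gone, nothing in this block maps a bad identity configuration to `RemoteFileSystemConnectorException` any more, so it is worth confirming that a missing or unreadable key file still surfaces as a clear error at connect time. The method starts and ends outside the hunk.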