[WM-2400] Upgrade logback-classic dependency to fix vulnerability #331

Merged
merged 24 commits into from
Dec 21, 2023

salonishah11
Contributor

Based on the Maven Repository page for logback-classic, it seems that the patched version 1.2.13 also has the same vulnerability. Hence I updated the dependency to the latest version, 1.4.14 (which doesn't have that vulnerability).

Closes https://broadworkbench.atlassian.net/browse/WM-2400


  • Submitter: Include the JIRA issue number in the PR description
  • Submitter: Make sure Swagger is updated if API changes
  • Submitter: If updating admin endpoints, also update firecloud-admin-cli
  • Submitter: Check documentation and code comments. Add explanatory PR comments if helpful.
  • Submitter: JIRA ticket checks:
    • Acceptance criteria exists and is met
    • Note any changes to implementation from the description
    • To Demo flag is set
    • Release Summary is filled out, if applicable
    • Add notes on how to QA
  • Submitter: Update RC_XXX release ticket with any config or environment changes necessary
  • Submitter: Update FISMA documentation if changes to:
    • Authentication
    • Authorization
    • Encryption
    • Audit trails
  • Submitter: If you're adding new libraries, sign us up to security updates for them
  • Tell the tech lead (TL) that the PR exists if they want to look at it
  • Anoint a lead reviewer (LR). Assign PR to LR
  • Review cycle:
    • LR reviews
    • Rest of team may comment on PR at will
    • LR assigns to submitter for feedback fixes
    • Submitter rebases to develop again if necessary
    • Submitter makes further commits. DO NOT SQUASH
    • Submitter updates documentation as needed
    • Submitter reassigns to LR for further feedback
  • TL sign off
  • LR sign off
  • Product Owner sign off
  • Assign to submitter to finalize
  • Submitter: Verify all tests go green, including CI tests
  • Submitter: Squash commits and merge to develop
  • Submitter: Delete branch after merge
  • Submitter: Test this change works on dev environment after deployment. YOU own getting it fixed if dev isn't working for ANY reason!
  • Submitter: Verify swagger UI on dev environment still works after deployment
  • Submitter: Inform other teams of any API changes via Slack and/or email
  • Submitter: Mark JIRA issue as resolved once this checklist is completed

@salonishah11 salonishah11 changed the title [WM-2400] Update logback-classic dependency to fix vulnerability [WM-2400] Upgrade logback-classic dependency to fix vulnerability Dec 20, 2023
@salonishah11 salonishah11 merged commit a445491 into develop Dec 21, 2023
4 checks passed
@salonishah11 salonishah11 deleted the sps_update_logback_dependency branch December 21, 2023 20:47
3 participants