From 4a3ae59a97c3c3dbf4635b689c904ceeebcf06c4 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 9 Feb 2026 14:38:21 +0000 Subject: [PATCH 1/3] chore(deps): update bazel dependencies --- MODULE.bazel | 22 ++--- maven_install.json | 228 ++++++++++++++++++++++++++++++++++++++------- 2 files changed, 206 insertions(+), 44 deletions(-) diff --git a/MODULE.bazel b/MODULE.bazel index cab245335..58be9d908 100644 --- a/MODULE.bazel +++ b/MODULE.bazel 
@@ -7,28 +7,28 @@ module(name = "jazzer") ################################################################################ bazel_dep(name = "abseil-cpp", version = "20250814.1") -bazel_dep(name = "apple_support", version = "1.24.5") +bazel_dep(name = "apple_support", version = "2.2.0") bazel_dep(name = "bazel_jar_jar", version = "0.1.11") -bazel_dep(name = "bazel_skylib", version = "1.8.2") -bazel_dep(name = "buildifier_prebuilt", version = "8.2.1") +bazel_dep(name = "bazel_skylib", version = "1.9.0") +bazel_dep(name = "buildifier_prebuilt", version = "8.2.1.2") # TODO: Starting with version 0.28.0 the JUnit test runner is compiled for Java 11 which breaks our JDK 8 tests. # https://github.com/bazel-contrib/rules_jvm/pull/307 bazel_dep(name = "contrib_rules_jvm", version = "0.27.0") bazel_dep(name = "googletest", version = "1.17.0.bcr.2") bazel_dep(name = "platforms", version = "1.0.0") -bazel_dep(name = "protobuf", version = "33.1") -bazel_dep(name = "rules_android", version = "0.6.6") +bazel_dep(name = "protobuf", version = "33.5") +bazel_dep(name = "rules_android", version = "0.7.1") bazel_dep(name = "rules_android_ndk", version = "0.1.3") bazel_dep(name = "rules_foreign_cc", version = "0.15.1") -bazel_dep(name = "rules_java", version = "9.1.0") +bazel_dep(name = "rules_java", version = "9.4.0") bazel_dep(name = "rules_jni", version = "0.11.1") -bazel_dep(name = "rules_jvm_external", version = "6.9") -bazel_dep(name = "rules_kotlin", version = "2.2.0") +bazel_dep(name = "rules_jvm_external", version = "6.10") +bazel_dep(name = "rules_kotlin", version = "2.2.2") bazel_dep(name = "rules_license", version = "1.0.0") -bazel_dep(name = "rules_pkg", version = "1.1.0") -bazel_dep(name = "rules_cc", version = "0.2.14") -bazel_dep(name = "toolchains_llvm", version = "1.5.0") +bazel_dep(name = "rules_pkg", version = "1.2.0") +bazel_dep(name = "rules_cc", version = "0.2.16") +bazel_dep(name = "toolchains_llvm", version = "1.6.0") 
################################################################################ # Maven dependencies diff --git a/maven_install.json b/maven_install.json index 8dcbe243d..274b298dd 100755 --- a/maven_install.json +++ b/maven_install.json 
@@ -1,18 +1,198 @@ { "__AUTOGENERATED_FILE_DO_NOT_MODIFY_THIS_FILE_MANUALLY": "THERE_IS_NO_DATA_ONLY_ZUUL", - "__INPUT_ARTIFACTS_HASH": 626146522, - "__RESOLVED_ARTIFACTS_HASH": 2106069497, + "__INPUT_ARTIFACTS_HASH": { + "com.alibaba:fastjson": -681992561, + "com.beust:klaxon": 300212242, + "com.fasterxml.jackson.core:jackson-core": 1010823907, + "com.fasterxml.jackson.core:jackson-databind": -745487957, + "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor": -1896543162, + "com.github.jsqlparser:jsqlparser": -85077207, + "com.google.code.findbugs:jsr305": 495355163, + "com.google.code.gson:gson": 804554938, + "com.google.errorprone:error_prone_annotations": 1088983199, + "com.google.guava:guava": -1791353471, + "com.google.j2objc:j2objc-annotations": 2003271689, + "com.google.truth.extensions:truth-java8-extension": -1240961434, + "com.google.truth.extensions:truth-liteproto-extension": -574439286, + "com.google.truth.extensions:truth-proto-extension": -362698248, + "com.google.truth:truth": -252459521, + "com.h2database:h2": 226402037, + "com.mikesamuel:json-sanitizer": 293386087, + "com.unboundid:unboundid-ldapsdk": 1642354521, + "io.github.classgraph:classgraph": -1461122240, + "jakarta.el:jakarta.el-api": 171705473, + "jakarta.validation:jakarta.validation-api": -186402049, + "javax.el:javax.el-api": 281575833, + "javax.persistence:javax.persistence-api": -631950732, + "javax.validation:validation-api": -236707587, + "javax.xml.bind:jaxb-api": 1419721195, + "junit:junit": -652553691, + "net.bytebuddy:byte-buddy-agent": -1065427230, + "net.jodah:typetools": 1676712931, + "ognl:ognl": 2052829285, + "org.apache.commons:commons-imaging": -713470582, + "org.apache.commons:commons-jexl": 813523241, + "org.apache.commons:commons-text": -202691025, + "org.apache.logging.log4j:log4j-api": 1725824943, + "org.apache.logging.log4j:log4j-core": 1273395248, + "org.apache.xmlgraphics:batik-anim": -305607220, + "org.apache.xmlgraphics:batik-awt-util": -1574868820, + 
"org.apache.xmlgraphics:batik-bridge": -541969660, + "org.apache.xmlgraphics:batik-css": 991501212, + "org.apache.xmlgraphics:batik-dom": -1684035877, + "org.apache.xmlgraphics:batik-gvt": 913119998, + "org.apache.xmlgraphics:batik-parser": 1947933594, + "org.apache.xmlgraphics:batik-script": -1755688890, + "org.apache.xmlgraphics:batik-svg-dom": -1819522958, + "org.apache.xmlgraphics:batik-svggen": -1381794329, + "org.apache.xmlgraphics:batik-transcoder": 610348408, + "org.apache.xmlgraphics:batik-util": -14027843, + "org.apache.xmlgraphics:batik-xml": -1533097552, + "org.assertj:assertj-core": 1651685074, + "org.freemarker:freemarker": -165087457, + "org.glassfish:javax.el": 2017793333, + "org.hibernate:hibernate-validator": 943779753, + "org.jacoco:org.jacoco.core": -372056147, + "org.junit.jupiter:junit-jupiter-api": -1488163120, + "org.junit.jupiter:junit-jupiter-engine": 479628524, + "org.junit.jupiter:junit-jupiter-params": 1068856624, + "org.junit.platform:junit-platform-commons": 1841586542, + "org.junit.platform:junit-platform-engine": 1419507188, + "org.junit.platform:junit-platform-launcher": -1472631594, + "org.junit.platform:junit-platform-reporting": 1433126619, + "org.junit.platform:junit-platform-testkit": 1121001413, + "org.mockito:mockito-core": -1478341309, + "org.mvel:mvel2": -14427738, + "org.openjdk.jmh:jmh-core": -975784527, + "org.openjdk.jmh:jmh-generator-annprocess": -833845560, + "org.opentest4j:opentest4j": -1152999839, + "org.ow2.asm:asm": 1206815935, + "org.ow2.asm:asm-commons": 1607605466, + "org.ow2.asm:asm-tree": -1365652182, + "org.springframework.cloud:spring-cloud-function-context": -955758783, + "org.springframework.cloud:spring-cloud-function-core": 428800769, + "org.springframework:spring-messaging": 772904355, + "repositories": -1949687017 + }, + "__RESOLVED_ARTIFACTS_HASH": { + "com.alibaba:fastjson": -46287576, + "com.beust:klaxon": 692624817, + "com.fasterxml.jackson.core:jackson-annotations": -1954247452, + 
"com.fasterxml.jackson.core:jackson-core": 1941349742, + "com.fasterxml.jackson.core:jackson-databind": 150569930, + "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor": -541232238, + "com.fasterxml:classmate": -1940972411, + "com.github.jsqlparser:jsqlparser": 130367484, + "com.google.auto.value:auto-value-annotations": 641018093, + "com.google.code.findbugs:jsr305": 870839855, + "com.google.code.gson:gson": -1575757252, + "com.google.errorprone:error_prone_annotations": 213918278, + "com.google.guava:failureaccess": 1715931538, + "com.google.guava:guava": 716792237, + "com.google.guava:listenablefuture": 1079558157, + "com.google.j2objc:j2objc-annotations": -1008747351, + "com.google.protobuf:protobuf-java": 1555861032, + "com.google.truth.extensions:truth-java8-extension": 1186293162, + "com.google.truth.extensions:truth-liteproto-extension": 2044092816, + "com.google.truth.extensions:truth-proto-extension": -194966365, + "com.google.truth:truth": -1359112801, + "com.h2database:h2": 475457751, + "com.mikesamuel:json-sanitizer": 1715785415, + "com.unboundid:unboundid-ldapsdk": -911278373, + "commons-io:commons-io": -666806869, + "commons-logging:commons-logging": -2131529292, + "io.github.classgraph:classgraph": 1394841189, + "io.projectreactor:reactor-core": 1200961785, + "jakarta.el:jakarta.el-api": -78449182, + "jakarta.validation:jakarta.validation-api": -1708329466, + "javax.activation:javax.activation-api": 1384047725, + "javax.annotation:javax.annotation-api": -1009230154, + "javax.el:javax.el-api": 1306626159, + "javax.persistence:javax.persistence-api": -1773306456, + "javax.validation:validation-api": -1925989691, + "javax.xml.bind:jaxb-api": 238614541, + "junit:junit": -1256429642, + "net.bytebuddy:byte-buddy": -1575917241, + "net.bytebuddy:byte-buddy-agent": 1350687472, + "net.jodah:typetools": -1869254284, + "net.sf.jopt-simple:jopt-simple": -1677351973, + "ognl:ognl": 1948208138, + "org.apache.commons:commons-imaging": -1061935142, + 
"org.apache.commons:commons-jexl": -336898056, + "org.apache.commons:commons-lang3": 510221269, + "org.apache.commons:commons-math3": -1383243934, + "org.apache.commons:commons-text": -1906378778, + "org.apache.logging.log4j:log4j-api": -1814016300, + "org.apache.logging.log4j:log4j-core": -938085786, + "org.apache.xmlgraphics:batik-anim": -2098269098, + "org.apache.xmlgraphics:batik-awt-util": 462854305, + "org.apache.xmlgraphics:batik-bridge": -467983036, + "org.apache.xmlgraphics:batik-constants": -89901269, + "org.apache.xmlgraphics:batik-css": 524877145, + "org.apache.xmlgraphics:batik-dom": -1354192638, + "org.apache.xmlgraphics:batik-ext": 1903177318, + "org.apache.xmlgraphics:batik-gvt": -1446729210, + "org.apache.xmlgraphics:batik-i18n": 908973681, + "org.apache.xmlgraphics:batik-parser": 179594165, + "org.apache.xmlgraphics:batik-script": 876278343, + "org.apache.xmlgraphics:batik-shared-resources": -175153484, + "org.apache.xmlgraphics:batik-svg-dom": 1817815083, + "org.apache.xmlgraphics:batik-svggen": -1812308407, + "org.apache.xmlgraphics:batik-transcoder": -1430439482, + "org.apache.xmlgraphics:batik-util": 57698886, + "org.apache.xmlgraphics:batik-xml": 1820372382, + "org.apache.xmlgraphics:xmlgraphics-commons": -1151421338, + "org.apiguardian:apiguardian-api": 1279798469, + "org.assertj:assertj-core": -313838767, + "org.freemarker:freemarker": -1834118444, + "org.glassfish:javax.el": 631698101, + "org.hamcrest:hamcrest-core": 649657847, + "org.hibernate:hibernate-validator": 1029552718, + "org.jacoco:org.jacoco.core": -1495664227, + "org.javassist:javassist": 1095674094, + "org.jboss.logging:jboss-logging": 197007362, + "org.jetbrains.kotlin:kotlin-reflect": -1292560044, + "org.jetbrains.kotlin:kotlin-stdlib": 89537549, + "org.jetbrains.kotlin:kotlin-stdlib-common": 1671774946, + "org.jetbrains:annotations": 554168982, + "org.jspecify:jspecify": 117231129, + "org.junit.jupiter:junit-jupiter-api": -972189872, + 
"org.junit.jupiter:junit-jupiter-engine": -683069364, + "org.junit.jupiter:junit-jupiter-params": 1785431417, + "org.junit.platform:junit-platform-commons": -1124687410, + "org.junit.platform:junit-platform-engine": 732879257, + "org.junit.platform:junit-platform-launcher": -2098019061, + "org.junit.platform:junit-platform-reporting": -1669530782, + "org.junit.platform:junit-platform-testkit": -376494913, + "org.mockito:mockito-core": 674959039, + "org.mvel:mvel2": 1496209357, + "org.objenesis:objenesis": 1798216877, + "org.openjdk.jmh:jmh-core": 262505124, + "org.openjdk.jmh:jmh-generator-annprocess": 554503664, + "org.opentest4j:opentest4j": -1584531193, + "org.ow2.asm:asm": 1614653533, + "org.ow2.asm:asm-commons": 33716409, + "org.ow2.asm:asm-tree": -1173653421, + "org.reactivestreams:reactive-streams": -164947187, + "org.springframework.boot:spring-boot": 2047288717, + "org.springframework.boot:spring-boot-autoconfigure": 1133681824, + "org.springframework.cloud:spring-cloud-function-context": -1370136668, + "org.springframework.cloud:spring-cloud-function-core": -451158638, + "org.springframework:spring-aop": -1818185731, + "org.springframework:spring-beans": 784995803, + "org.springframework:spring-context": 1863606145, + "org.springframework:spring-core": -1382889869, + "org.springframework:spring-expression": 2025602550, + "org.springframework:spring-jcl": -962998374, + "org.springframework:spring-messaging": -1462145322, + "xalan:serializer": 1423473969, + "xalan:xalan": 393750935, + "xml-apis:xml-apis": 632917632, + "xml-apis:xml-apis-ext": 814558833 + }, "conflict_resolution": { - "com.google.code.gson:gson:2.8.6": "com.google.code.gson:gson:2.10.1", - "com.google.code.gson:gson:2.8.9": "com.google.code.gson:gson:2.10.1", - "com.google.errorprone:error_prone_annotations:2.23.0": "com.google.errorprone:error_prone_annotations:2.47.0", - "com.google.errorprone:error_prone_annotations:2.5.1": "com.google.errorprone:error_prone_annotations:2.47.0", - 
"com.google.guava:guava:32.0.1-jre": "com.google.guava:guava:33.5.0-android", - "com.google.guava:guava:33.0.0-jre": "com.google.guava:guava:33.5.0-android", - "com.google.j2objc:j2objc-annotations:2.8": "com.google.j2objc:j2objc-annotations:3.1", - "com.google.protobuf:protobuf-java:4.27.2": "com.google.protobuf:protobuf-java:4.32.0", - "com.google.truth:truth:1.4.0": "com.google.truth:truth:1.4.5", - "org.mockito:mockito-core:5.4.0": "org.mockito:mockito-core:5.21.0" + "com.google.code.gson:gson:2.8.6": "com.google.code.gson:gson:2.8.9", + "com.google.j2objc:j2objc-annotations:2.8": "com.google.j2objc:j2objc-annotations:3.1" }, "artifacts": { "com.alibaba:fastjson": { @@ -77,9 +257,9 @@ }, "com.google.code.gson:gson": { "shasums": { - "jar": "4241c14a7727c34feea6507ec801318a3d4a90f070e4525681079fb94ee4c593" + "jar": "d3999291855de495c94c743761b8ab5176cfeabe281a5ab0d8e8d45326fd703e" }, - "version": "2.10.1" + "version": "2.8.9" }, "com.google.errorprone:error_prone_annotations": { "shasums": { @@ -117,12 +297,6 @@ }, "version": "4.32.0" }, - "com.google.protobuf:protobuf-java-util": { - "shasums": { - "jar": "a2665294d3e4675482bde593df8283f8c965f0207785e8e9b223f790644f5b08" - }, - "version": "4.27.2" - }, "com.google.truth.extensions:truth-java8-extension": { "shasums": { "jar": "917671963d545be65c8f4e821e8a2794d0f24ffd1d33187a1c022a2e21556d2e" @@ -726,14 +900,6 @@ "com.google.j2objc:j2objc-annotations", "org.jspecify:jspecify" ], - "com.google.protobuf:protobuf-java-util": [ - "com.google.code.findbugs:jsr305", - "com.google.code.gson:gson", - "com.google.errorprone:error_prone_annotations", - "com.google.guava:guava", - "com.google.j2objc:j2objc-annotations", - "com.google.protobuf:protobuf-java" - ], "com.google.truth.extensions:truth-java8-extension": [ "com.google.truth:truth" ], 
@@ -1196,9 +1362,6 @@ "com.google.protobuf", "com.google.protobuf.compiler" ], - "com.google.protobuf:protobuf-java-util": [ - "com.google.protobuf.util" - ], "com.google.truth.extensions:truth-liteproto-extension": [ "com.google.common.truth.extensions.proto" ], @@ -2823,7 +2986,6 @@ "com.google.guava:listenablefuture", "com.google.j2objc:j2objc-annotations", "com.google.protobuf:protobuf-java", - "com.google.protobuf:protobuf-java-util", "com.google.truth.extensions:truth-java8-extension", "com.google.truth.extensions:truth-liteproto-extension", "com.google.truth.extensions:truth-proto-extension", @@ -3094,5 +3256,5 @@ ] } }, - "version": "2" + "version": "3" } From 1bead43245aa91034684be233cd79cab9c7e7512 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 9 Feb 2026 14:38:21 +0000 Subject: [PATCH 2/3] chore(deps): update github actions --- .github/workflows/check-formatting.yml | 2 +- .github/workflows/fuzzing.yml | 4 ++-- .github/workflows/prerelease.yaml | 24 ++++++++++++------------ .github/workflows/release.yml | 8 ++++---- .github/workflows/run-all-tests-pr.yml | 6 +++--- 5 files changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/workflows/check-formatting.yml b/.github/workflows/check-formatting.yml index 2e18a8f4e..4d95cfeb5 100644 --- a/.github/workflows/check-formatting.yml +++ b/.github/workflows/check-formatting.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: Run format.sh and print changes env: diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml index 8d768e8db..8e263d3c4 100644 --- a/.github/workflows/fuzzing.yml +++ b/.github/workflows/fuzzing.yml @@ -32,7 +32,7 @@ jobs: bazel_args: "--xcode_version_config=//.github:host_xcodes" steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: Set up JDK uses: actions/setup-java@v5 
@@ -45,7 +45,7 @@ jobs: shell: bash - name: Cache Fuzzing Corpus - uses: actions/cache@v4 + uses: actions/cache@v5 with: path: | selffuzz/src/test/resources/.corpus diff --git a/.github/workflows/prerelease.yaml b/.github/workflows/prerelease.yaml index 3e0a40693..f621c0db9 100644 --- a/.github/workflows/prerelease.yaml +++ b/.github/workflows/prerelease.yaml @@ -22,7 +22,7 @@ jobs: name: windows steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: Set up JDK uses: actions/setup-java@v5 @@ -54,14 +54,14 @@ jobs: cp -L $(bazel cquery --output=files :jazzer_release) jazzer-${{ matrix.name }}.tar.gz - name: Upload jazzer.jar - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@v6 with: name: jazzer_tmp_${{ matrix.name }} path: jazzer-${{ matrix.name }}.jar if-no-files-found: error - name: Upload release archive - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@v6 with: name: jazzer_releases_${{ matrix.name }} path: jazzer-${{ matrix.name }}.tar.gz @@ -72,10 +72,10 @@ jobs: needs: build_release steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: Download individual jars - uses: actions/download-artifact@v6 + uses: actions/download-artifact@v7 with: pattern: jazzer_tmp_* merge-multiple: true @@ -88,7 +88,7 @@ jobs: $(find "$(pwd)/_tmp/" -name '*.jar' -printf "--sources %h/%f ") - name: Upload merged jar - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@v6 with: name: jazzer path: _tmp/jazzer.jar @@ -102,7 +102,7 @@ jobs: name: Deploy steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: Set up JDK uses: actions/setup-java@v5 @@ -119,7 +119,7 @@ jobs: echo "build --//deploy:jazzer_version=${TAG#v}" >> .bazelrc - name: Download merged jar - uses: actions/download-artifact@v6 + uses: actions/download-artifact@v7 with: name: jazzer path: _tmp/ 
@@ -135,7 +135,7 @@ jobs: # In case something goes wrong, we can still reupload the bundle manually - name: Upload Jazzer Bundle to Github Artifacts - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@v6 with: name: jazzer-maven-central-bundle path: _tmp/jazzer-maven-central-bundle.tar.gz @@ -163,17 +163,17 @@ jobs: steps: - name: checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Download individual tar.gzs - uses: actions/download-artifact@v6 + uses: actions/download-artifact@v7 with: pattern: jazzer_releases_* merge-multiple: true path: _releases/ - name: create release - uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1 + uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 with: generate_release_notes: true draft: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 15b7b3ce3..07280e2c7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,7 @@ jobs: steps: - name: checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Build documentation run: | @@ -23,7 +23,7 @@ jobs: cp $(bazel cquery --output=files //deploy:jazzer-junit-docs) ./jazzer-junit-docs.jar - name: Upload jars - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@v6 with: name: jazzer_docs_jars path: | @@ -41,13 +41,13 @@ jobs: steps: - name: checkout docs - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: repository: 'CodeIntelligenceTesting/jazzer-docs' ssh-key: "${{ secrets.JAZZER_DOCS_SSH_KEY_PRIVATE }}" - name: Download jar - uses: actions/download-artifact@v6 + uses: actions/download-artifact@v7 with: name: jazzer_docs_jars path: . diff --git a/.github/workflows/run-all-tests-pr.yml b/.github/workflows/run-all-tests-pr.yml index e94248490..6720bf5c7 100644 --- a/.github/workflows/run-all-tests-pr.yml +++ b/.github/workflows/run-all-tests-pr.yml 
@@ -35,7 +35,7 @@ jobs: arch: "windows" steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 - name: Set up JDK uses: actions/setup-java@v5 @@ -54,7 +54,7 @@ jobs: echo "C:\Program Files\LLVM\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append - name: Load fuzzing corpus cache - uses: actions/cache/restore@v4 + uses: actions/cache/restore@v5 with: path: | selffuzz/src/test/resources/.corpus @@ -74,7 +74,7 @@ jobs: - name: Upload test logs if: always() - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@v6 with: name: testlogs-${{ matrix.arch }}-${{ matrix.jdk }} # https://github.com/actions/upload-artifact/issues/92#issuecomment-711107236 From aa60214f03d8a01b4d507cd2e0db89a097c8c41d Mon Sep 17 00:00:00 2001 From: Simon Resch Date: Tue, 10 Feb 2026 13:43:32 +0100 Subject: [PATCH 3/3] chore: fix versions of vulnerable test deps Prevent version resolution from bumping to fixed versions unintentionally. --- MODULE.bazel | 5 +- .../example/JsonSanitizerValidJsonFuzzer.java | 2 +- maven_install.json | 78 ++++++++++--------- 3 files changed, 45 insertions(+), 40 deletions(-) diff --git a/MODULE.bazel b/MODULE.bazel index 58be9d908..4c4b2ad33 100644 --- a/MODULE.bazel +++ b/MODULE.bazel @@ -77,6 +77,7 @@ TEST_MAVEN_ARTIFACTS_FIXED = [ TEST_MAVEN_ARTIFACTS = [ # keep sorted # renovate: keep updated + "com.google.code.gson:gson:2.13.2", "com.google.truth.extensions:truth-java8-extension:1.4.5", "com.google.truth.extensions:truth-liteproto-extension:1.4.5", "com.google.truth.extensions:truth-proto-extension:1.4.5", @@ -106,7 +107,6 @@ VULNERABLE_TEST_MAVEN_ARTIFACTS = [ "com.fasterxml.jackson.core:jackson-core:2.12.1", "com.fasterxml.jackson.core:jackson-databind:2.12.1", "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.12.1", - "com.google.code.gson:gson:2.8.6", "com.h2database:h2:2.1.212", "com.mikesamuel:json-sanitizer:1.2.1", "com.unboundid:unboundid-ldapsdk:6.0.3", 
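Review bot: The `"com.google.code.gson:gson:2.13.2"` entry added to `TEST_MAVEN_ARTIFACTS` in the `-77,6 +77,7` hunk has no comment explaining why Gson leaves the pinned list, while the `-106,7 +107,6` hunk on this same line removes `gson:2.8.6` from `VULNERABLE_TEST_MAVEN_ARTIFACTS`. In the one use visible in this patch, `JsonSanitizerValidJsonFuzzer`, Gson is the parser that decides whether the sanitizer output counts as valid JSON, so a later Renovate bump under `# renovate: keep updated` can change which outputs are reported as findings. I would add a comment above the entry such as `# gson is the validity oracle for the json-sanitizer example; parser behaviour may change on update`, and confirm that no other example relies on the old Gson behaviour. Both list definitions start and end outside these hunks.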
@@ -155,6 +155,9 @@ maven.override( maven.artifact( testonly = True, artifact = coordinate.split(":")[1], + # Force vulnerable versions. Otherwise version selection might land on patched versions if a newer version is + # in the dependeny tree. + force_version = coordinate in VULNERABLE_TEST_MAVEN_ARTIFACTS, group = coordinate.split(":")[0], version = coordinate.split(":")[2], ) diff --git a/examples/src/main/java/com/example/JsonSanitizerValidJsonFuzzer.java b/examples/src/main/java/com/example/JsonSanitizerValidJsonFuzzer.java index d20f16ee2..abef49b7d 100644 --- a/examples/src/main/java/com/example/JsonSanitizerValidJsonFuzzer.java +++ b/examples/src/main/java/com/example/JsonSanitizerValidJsonFuzzer.java @@ -36,7 +36,7 @@ public static void fuzzerTestOneInput(FuzzedDataProvider data) { // that trust the output of the sanitizer. try { Gson gson = new Gson(); - gson.fromJson(validJson, JsonElement.class); + Object unused = gson.fromJson(validJson, JsonElement.class); } catch (Exception e) { throw new FuzzerSecurityIssueLow("Output is invalid JSON", e); } diff --git a/maven_install.json b/maven_install.json index 274b298dd..1791202f0 100755 --- a/maven_install.json +++ b/maven_install.json 
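Review bot: `force_version = coordinate in VULNERABLE_TEST_MAVEN_ARTIFACTS` pins only the coordinates that appear verbatim in that list, so artifacts the vulnerable libraries pull in transitively are presumably still open to normal version selection, and nothing in this patch checks the outcome. The lockfile hunks earlier in this series show the drift at stake: `conflict_resolution` recorded `gson:2.8.6` being resolved to `2.8.9`, and to `2.10.1` before that. A small test that compares each `VULNERABLE_TEST_MAVEN_ARTIFACTS` entry with the `version` recorded for it in `maven_install.json` would fail the build when a pin stops holding, so fuzz targets cannot silently run against patched code. The added comment also misspells "dependency" as `dependeny`. The comprehension that supplies `coordinate` begins outside the hunk, so the set of coordinates it iterates over is not visible here.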
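Review bot: The parse result bound to `Object unused` is never inspected, so this check reports a finding only when `fromJson` throws. `Gson.fromJson(String, Class)` returns `null` for an empty document instead of throwing, and a default `new Gson()` parses leniently, so some non-conforming sanitizer outputs pass here as valid JSON. If the assignment exists only to satisfy a return-value lint (my assumption), a comment such as `// result unused: only a parse exception matters here` would say so. If stricter validation is wanted, `if (unused == null) throw new FuzzerSecurityIssueLow("Output is invalid JSON");` after the call would cover the empty case. `fuzzerTestOneInput` starts and ends outside the hunk.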
@@ -1,14 +1,14 @@ { "__AUTOGENERATED_FILE_DO_NOT_MODIFY_THIS_FILE_MANUALLY": "THERE_IS_NO_DATA_ONLY_ZUUL", "__INPUT_ARTIFACTS_HASH": { - "com.alibaba:fastjson": -681992561, - "com.beust:klaxon": 300212242, - "com.fasterxml.jackson.core:jackson-core": 1010823907, - "com.fasterxml.jackson.core:jackson-databind": -745487957, - "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor": -1896543162, + "com.alibaba:fastjson": 1817768268, + "com.beust:klaxon": 338175087, + "com.fasterxml.jackson.core:jackson-core": 723971516, + "com.fasterxml.jackson.core:jackson-databind": 1657199092, + "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor": 524096757, "com.github.jsqlparser:jsqlparser": -85077207, "com.google.code.findbugs:jsr305": 495355163, - "com.google.code.gson:gson": 804554938, + "com.google.code.gson:gson": -2119346406, "com.google.errorprone:error_prone_annotations": 1088983199, "com.google.guava:guava": -1791353471, "com.google.j2objc:j2objc-annotations": 2003271689, 
@@ -16,42 +16,42 @@ "com.google.truth.extensions:truth-liteproto-extension": -574439286, "com.google.truth.extensions:truth-proto-extension": -362698248, "com.google.truth:truth": -252459521, - "com.h2database:h2": 226402037, - "com.mikesamuel:json-sanitizer": 293386087, - "com.unboundid:unboundid-ldapsdk": 1642354521, + "com.h2database:h2": -342409218, + "com.mikesamuel:json-sanitizer": -1840608028, + "com.unboundid:unboundid-ldapsdk": -1036201052, "io.github.classgraph:classgraph": -1461122240, "jakarta.el:jakarta.el-api": 171705473, "jakarta.validation:jakarta.validation-api": -186402049, - "javax.el:javax.el-api": 281575833, + "javax.el:javax.el-api": -2068634010, "javax.persistence:javax.persistence-api": -631950732, - "javax.validation:validation-api": -236707587, - "javax.xml.bind:jaxb-api": 1419721195, + "javax.validation:validation-api": -1286435650, + "javax.xml.bind:jaxb-api": -1763012100, "junit:junit": -652553691, "net.bytebuddy:byte-buddy-agent": -1065427230, "net.jodah:typetools": 1676712931, "ognl:ognl": 2052829285, - "org.apache.commons:commons-imaging": -713470582, + "org.apache.commons:commons-imaging": -1220018277, "org.apache.commons:commons-jexl": 813523241, - "org.apache.commons:commons-text": -202691025, - "org.apache.logging.log4j:log4j-api": 1725824943, - "org.apache.logging.log4j:log4j-core": 1273395248, - "org.apache.xmlgraphics:batik-anim": -305607220, - "org.apache.xmlgraphics:batik-awt-util": -1574868820, - "org.apache.xmlgraphics:batik-bridge": -541969660, - "org.apache.xmlgraphics:batik-css": 991501212, - "org.apache.xmlgraphics:batik-dom": -1684035877, - "org.apache.xmlgraphics:batik-gvt": 913119998, - "org.apache.xmlgraphics:batik-parser": 1947933594, - "org.apache.xmlgraphics:batik-script": -1755688890, - "org.apache.xmlgraphics:batik-svg-dom": -1819522958, - "org.apache.xmlgraphics:batik-svggen": -1381794329, - "org.apache.xmlgraphics:batik-transcoder": 610348408, - "org.apache.xmlgraphics:batik-util": -14027843, - 
"org.apache.xmlgraphics:batik-xml": -1533097552, + "org.apache.commons:commons-text": -1377889016, + "org.apache.logging.log4j:log4j-api": -1645212456, + "org.apache.logging.log4j:log4j-core": -521037129, + "org.apache.xmlgraphics:batik-anim": 1816317577, + "org.apache.xmlgraphics:batik-awt-util": -243562583, + "org.apache.xmlgraphics:batik-bridge": 2092183121, + "org.apache.xmlgraphics:batik-css": -571765063, + "org.apache.xmlgraphics:batik-dom": -1814108902, + "org.apache.xmlgraphics:batik-gvt": 1681211415, + "org.apache.xmlgraphics:batik-parser": -496639493, + "org.apache.xmlgraphics:batik-script": 554579407, + "org.apache.xmlgraphics:batik-svg-dom": 1153046051, + "org.apache.xmlgraphics:batik-svggen": -1952728434, + "org.apache.xmlgraphics:batik-transcoder": 1844713309, + "org.apache.xmlgraphics:batik-util": 1754814712, + "org.apache.xmlgraphics:batik-xml": 1285546021, "org.assertj:assertj-core": 1651685074, "org.freemarker:freemarker": -165087457, - "org.glassfish:javax.el": 2017793333, - "org.hibernate:hibernate-validator": 943779753, + "org.glassfish:javax.el": 125177410, + "org.hibernate:hibernate-validator": -1353801614, "org.jacoco:org.jacoco.core": -372056147, "org.junit.jupiter:junit-jupiter-api": -1488163120, "org.junit.jupiter:junit-jupiter-engine": 479628524, @@ -69,9 +69,9 @@ "org.ow2.asm:asm": 1206815935, "org.ow2.asm:asm-commons": 1607605466, "org.ow2.asm:asm-tree": -1365652182, - "org.springframework.cloud:spring-cloud-function-context": -955758783, - "org.springframework.cloud:spring-cloud-function-core": 428800769, - "org.springframework:spring-messaging": 772904355, + "org.springframework.cloud:spring-cloud-function-context": 191971828, + "org.springframework.cloud:spring-cloud-function-core": -1854900684, + "org.springframework:spring-messaging": 328550982, "repositories": -1949687017 }, "__RESOLVED_ARTIFACTS_HASH": { 
@@ -85,7 +85,7 @@ "com.github.jsqlparser:jsqlparser": 130367484, "com.google.auto.value:auto-value-annotations": 641018093, "com.google.code.findbugs:jsr305": 870839855, - "com.google.code.gson:gson": -1575757252, + "com.google.code.gson:gson": -2092238571, "com.google.errorprone:error_prone_annotations": 213918278, "com.google.guava:failureaccess": 1715931538, "com.google.guava:guava": 716792237, @@ -191,7 +191,6 @@ "xml-apis:xml-apis-ext": 814558833 }, "conflict_resolution": { - "com.google.code.gson:gson:2.8.6": "com.google.code.gson:gson:2.8.9", "com.google.j2objc:j2objc-annotations:2.8": "com.google.j2objc:j2objc-annotations:3.1" }, "artifacts": { @@ -257,9 +256,9 @@ }, "com.google.code.gson:gson": { "shasums": { - "jar": "d3999291855de495c94c743761b8ab5176cfeabe281a5ab0d8e8d45326fd703e" + "jar": "dd0ce1b55a3ed2080cb70f9c655850cda86c206862310009dcb5e5c95265a5e0" }, - "version": "2.8.9" + "version": "2.13.2" }, "com.google.errorprone:error_prone_annotations": { "shasums": { @@ -893,6 +892,9 @@ "com.fasterxml.jackson.core:jackson-core", "com.fasterxml.jackson.core:jackson-databind" ], + "com.google.code.gson:gson": [ + "com.google.errorprone:error_prone_annotations" + ], "com.google.guava:guava": [ "com.google.errorprone:error_prone_annotations", "com.google.guava:failureaccess",