chore: fix versions of vulnerable test deps

simonresch · simonresch · commit 09ec09f3c6e3 · 2026-02-10T14:55:57.000+01:00
Prevent version resolution from bumping to fixed versions
unintentionally.
diff --git a/MODULE.bazel b/MODULE.bazel
@@ -80,6 +80,7 @@ TEST_MAVEN_ARTIFACTS = [
     "com.google.truth.extensions:truth-java8-extension:1.4.5",
     "com.google.truth.extensions:truth-liteproto-extension:1.4.5",
     "com.google.truth.extensions:truth-proto-extension:1.4.5",
+    "com.google.code.gson:gson:2.13.2",
     "com.google.truth:truth:1.4.5",
     "jakarta.el:jakarta.el-api:6.0.1",
     "jakarta.validation:jakarta.validation-api:3.1.1",
@@ -106,7 +107,6 @@ VULNERABLE_TEST_MAVEN_ARTIFACTS = [
     "com.fasterxml.jackson.core:jackson-core:2.12.1",
     "com.fasterxml.jackson.core:jackson-databind:2.12.1",
     "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.12.1",
-    "com.google.code.gson:gson:2.8.6",
     "com.h2database:h2:2.1.212",
     "com.mikesamuel:json-sanitizer:1.2.1",
     "com.unboundid:unboundid-ldapsdk:6.0.3",
@@ -157,6 +157,9 @@ maven.override(
         artifact = coordinate.split(":")[1],
         group = coordinate.split(":")[0],
         version = coordinate.split(":")[2],
+        # Force vulnerable versions. Otherwise version selection might land on patched versions if a newer version is
+        # in the dependeny tree.
+        force_version = coordinate in VULNERABLE_TEST_MAVEN_ARTIFACTS,
     )
     for coordinate in TEST_MAVEN_ARTIFACTS + TEST_MAVEN_ARTIFACTS_FIXED + VULNERABLE_TEST_MAVEN_ARTIFACTS
 ]
diff --git a/examples/src/main/java/com/example/JsonSanitizerValidJsonFuzzer.java b/examples/src/main/java/com/example/JsonSanitizerValidJsonFuzzer.java
@@ -36,7 +36,7 @@ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
     // that trust the output of the sanitizer.
     try {
       Gson gson = new Gson();
-      gson.fromJson(validJson, JsonElement.class);
+      Object unused = gson.fromJson(validJson, JsonElement.class);
     } catch (Exception e) {
       throw new FuzzerSecurityIssueLow("Output is invalid JSON", e);
     }
diff --git a/maven_install.json b/maven_install.json
@@ -1,57 +1,57 @@
 {
   "__AUTOGENERATED_FILE_DO_NOT_MODIFY_THIS_FILE_MANUALLY": "THERE_IS_NO_DATA_ONLY_ZUUL",
   "__INPUT_ARTIFACTS_HASH": {
-    "com.alibaba:fastjson": -681992561,
-    "com.beust:klaxon": 300212242,
-    "com.fasterxml.jackson.core:jackson-core": 1010823907,
-    "com.fasterxml.jackson.core:jackson-databind": -745487957,
-    "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor": -1896543162,
+    "com.alibaba:fastjson": 1817768268,
+    "com.beust:klaxon": 338175087,
+    "com.fasterxml.jackson.core:jackson-core": 723971516,
+    "com.fasterxml.jackson.core:jackson-databind": 1657199092,
+    "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor": 524096757,
     "com.github.jsqlparser:jsqlparser": -85077207,
     "com.google.code.findbugs:jsr305": 495355163,
-    "com.google.code.gson:gson": 804554938,
+    "com.google.code.gson:gson": -2119346406,
     "com.google.errorprone:error_prone_annotations": 1088983199,
     "com.google.guava:guava": -1791353471,
     "com.google.j2objc:j2objc-annotations": 2003271689,
     "com.google.truth.extensions:truth-java8-extension": -1240961434,
     "com.google.truth.extensions:truth-liteproto-extension": -574439286,
     "com.google.truth.extensions:truth-proto-extension": -362698248,
     "com.google.truth:truth": -252459521,
-    "com.h2database:h2": 226402037,
-    "com.mikesamuel:json-sanitizer": 293386087,
-    "com.unboundid:unboundid-ldapsdk": 1642354521,
+    "com.h2database:h2": -342409218,
+    "com.mikesamuel:json-sanitizer": -1840608028,
+    "com.unboundid:unboundid-ldapsdk": -1036201052,
     "io.github.classgraph:classgraph": -1461122240,
     "jakarta.el:jakarta.el-api": 171705473,
     "jakarta.validation:jakarta.validation-api": -186402049,
-    "javax.el:javax.el-api": 281575833,
+    "javax.el:javax.el-api": -2068634010,
     "javax.persistence:javax.persistence-api": -631950732,
-    "javax.validation:validation-api": -236707587,
-    "javax.xml.bind:jaxb-api": 1419721195,
+    "javax.validation:validation-api": -1286435650,
+    "javax.xml.bind:jaxb-api": -1763012100,
     "junit:junit": -652553691,
     "net.bytebuddy:byte-buddy-agent": -1065427230,
     "net.jodah:typetools": 1676712931,
     "ognl:ognl": 2052829285,
-    "org.apache.commons:commons-imaging": -713470582,
+    "org.apache.commons:commons-imaging": -1220018277,
     "org.apache.commons:commons-jexl": 813523241,
-    "org.apache.commons:commons-text": -202691025,
-    "org.apache.logging.log4j:log4j-api": 1725824943,
-    "org.apache.logging.log4j:log4j-core": 1273395248,
-    "org.apache.xmlgraphics:batik-anim": -305607220,
-    "org.apache.xmlgraphics:batik-awt-util": -1574868820,
-    "org.apache.xmlgraphics:batik-bridge": -541969660,
-    "org.apache.xmlgraphics:batik-css": 991501212,
-    "org.apache.xmlgraphics:batik-dom": -1684035877,
-    "org.apache.xmlgraphics:batik-gvt": 913119998,
-    "org.apache.xmlgraphics:batik-parser": 1947933594,
-    "org.apache.xmlgraphics:batik-script": -1755688890,
-    "org.apache.xmlgraphics:batik-svg-dom": -1819522958,
-    "org.apache.xmlgraphics:batik-svggen": -1381794329,
-    "org.apache.xmlgraphics:batik-transcoder": 610348408,
-    "org.apache.xmlgraphics:batik-util": -14027843,
-    "org.apache.xmlgraphics:batik-xml": -1533097552,
+    "org.apache.commons:commons-text": -1377889016,
+    "org.apache.logging.log4j:log4j-api": -1645212456,
+    "org.apache.logging.log4j:log4j-core": -521037129,
+    "org.apache.xmlgraphics:batik-anim": 1816317577,
+    "org.apache.xmlgraphics:batik-awt-util": -243562583,
+    "org.apache.xmlgraphics:batik-bridge": 2092183121,
+    "org.apache.xmlgraphics:batik-css": -571765063,
+    "org.apache.xmlgraphics:batik-dom": -1814108902,
+    "org.apache.xmlgraphics:batik-gvt": 1681211415,
+    "org.apache.xmlgraphics:batik-parser": -496639493,
+    "org.apache.xmlgraphics:batik-script": 554579407,
+    "org.apache.xmlgraphics:batik-svg-dom": 1153046051,
+    "org.apache.xmlgraphics:batik-svggen": -1952728434,
+    "org.apache.xmlgraphics:batik-transcoder": 1844713309,
+    "org.apache.xmlgraphics:batik-util": 1754814712,
+    "org.apache.xmlgraphics:batik-xml": 1285546021,
     "org.assertj:assertj-core": 1651685074,
     "org.freemarker:freemarker": -165087457,
-    "org.glassfish:javax.el": 2017793333,
-    "org.hibernate:hibernate-validator": 943779753,
+    "org.glassfish:javax.el": 125177410,
+    "org.hibernate:hibernate-validator": -1353801614,
     "org.jacoco:org.jacoco.core": -372056147,
     "org.junit.jupiter:junit-jupiter-api": -1488163120,
     "org.junit.jupiter:junit-jupiter-engine": 479628524,
@@ -69,9 +69,9 @@
     "org.ow2.asm:asm": 1206815935,
     "org.ow2.asm:asm-commons": 1607605466,
     "org.ow2.asm:asm-tree": -1365652182,
-    "org.springframework.cloud:spring-cloud-function-context": -955758783,
-    "org.springframework.cloud:spring-cloud-function-core": 428800769,
-    "org.springframework:spring-messaging": 772904355,
+    "org.springframework.cloud:spring-cloud-function-context": 191971828,
+    "org.springframework.cloud:spring-cloud-function-core": -1854900684,
+    "org.springframework:spring-messaging": 328550982,
     "repositories": -1949687017
   },
   "__RESOLVED_ARTIFACTS_HASH": {
@@ -85,7 +85,7 @@
     "com.github.jsqlparser:jsqlparser": 130367484,
     "com.google.auto.value:auto-value-annotations": 641018093,
     "com.google.code.findbugs:jsr305": 870839855,
-    "com.google.code.gson:gson": -1575757252,
+    "com.google.code.gson:gson": -2092238571,
     "com.google.errorprone:error_prone_annotations": 213918278,
     "com.google.guava:failureaccess": 1715931538,
     "com.google.guava:guava": 716792237,
@@ -191,7 +191,6 @@
     "xml-apis:xml-apis-ext": 814558833
   },
   "conflict_resolution": {
-    "com.google.code.gson:gson:2.8.6": "com.google.code.gson:gson:2.8.9",
     "com.google.j2objc:j2objc-annotations:2.8": "com.google.j2objc:j2objc-annotations:3.1"
   },
   "artifacts": {
@@ -257,9 +256,9 @@
     },
     "com.google.code.gson:gson": {
       "shasums": {
-        "jar": "d3999291855de495c94c743761b8ab5176cfeabe281a5ab0d8e8d45326fd703e"
+        "jar": "dd0ce1b55a3ed2080cb70f9c655850cda86c206862310009dcb5e5c95265a5e0"
       },
-      "version": "2.8.9"
+      "version": "2.13.2"
     },
     "com.google.errorprone:error_prone_annotations": {
       "shasums": {
@@ -893,6 +892,9 @@
       "com.fasterxml.jackson.core:jackson-core",
       "com.fasterxml.jackson.core:jackson-databind"
     ],
+    "com.google.code.gson:gson": [
+      "com.google.errorprone:error_prone_annotations"
+    ],
     "com.google.guava:guava": [
       "com.google.errorprone:error_prone_annotations",
       "com.google.guava:failureaccess",

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ public static void fuzzerTestOneInput(FuzzedDataProvider data) {`
`36`	`36`	`// that trust the output of the sanitizer.`
`37`	`37`	`try {`
`38`	`38`	`Gson gson = new Gson();`
`39`		`- gson.fromJson(validJson, JsonElement.class);`
	`39`	`+ Object unused = gson.fromJson(validJson, JsonElement.class);`
`40`	`40`	`} catch (Exception e) {`
`41`	`41`	`throw new FuzzerSecurityIssueLow("Output is invalid JSON", e);`
`42`	`42`	`}`