Vulnerabilities when building a plugin in Webstorm with libraries ion-java 1.8.5 and grpc 2.0.20
Hi. I am facing a problem with a plugin built for Webstorm 2022.3
A scan of my plugin artifact has warned me that there is an open vulnerability with library com.amazon.ion : ion-java 1.8.1 which is added as dependency of library com.jetbrains:ideaIC:2022.3
This is solved by upgrading ion-java to version 1.10.5 or above (right now 1.11.0 is the last one)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21634
However, I have no control over which dependencies library com.jetbrains:ideaIC:2022.3 could select.
I tried to upgrade the webstorm plugin to be build with last version 2023.3, but it mantains this vulnerability and adds another one: io.stargat.grpc: grpc: 2.0.20
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6378
Some extracts from build.gradle
plugins {
id "java"
id "org.jetbrains.intellij" version “1.16.1”
}
intellij {
version.set(getProperty("2023.3"))
}
Are you planning to update these dependencies? Is there any workaround to remove/replace those dependencies from my final plugin artifact?
Thanks
Please sign in to leave a comment.
Hi! Thanks for raising this question. All libraries that are provided with the IntelliJ SDK are provided to end-users — as soon as users will update their IDEs, such a threat sholud be gone. This is the reason we release IDEs patches.
Additionally, you can find all libraries and their versions with: https://www.jetbrains.com/legal/third-party-software
Hi Jakub Chrzanowski
Thanks for your quick response.
Do you have any date when these new release patches will be released? Based on the link you have shared with me I see that ion-java version used is still 1.8.2-1.8.4, but the vulnerability doesn't get solved until using version 1.10.5
We fear our customers could be exposed to security threats because of the use of the plugin.
Also, because our internal process detects these vulnerabilities as high risk, we are completely blocked in the process of publishing the new version of our plugin on time.
Thanks
I got the confirmation that the ion-java library was updated in the IntelliJ Platform with the 5473d91 commit — this change will be available since the 2024.1 release cycle.
As for the io.stargat.grpc:grpc — is that a transitive dependency?
Thanks Jakub,
Good news. We will be waiting for the new release. Are there any plans to include it in a fix to 2023.3 before 2024.1 release?
About io.stargate.grpc:grpc (sorry for the typo), yes it is a transitive dependency that is used in org.jetbrains : annotations : 24.0.1
Thanks