Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update gradle/gradle-build-action action to v2 [SECURITY] - autoclosed #33

Closed
wants to merge 1 commit into from
Closed

Update gradle/gradle-build-action action to v2 [SECURITY] - autoclosed #33

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented May 28, 2023
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Type Update Change
gradle/gradle-build-action action major v1.5.0 -> v2.4.2

GitHub Vulnerability Alerts

CVE-2023-30853

Impact

This vulnerability impacts GitHub workflows using the Gradle Build Action that have executed the Gradle Build Tool with the configuration cache enabled, potentially exposing secrets configured for the repository.

Secrets configured for GitHub Actions are normally passed to the Gradle Build Tool via environment variables. Due to the way that the Gradle Build Tool records these environment variables, they may be persisted into an entry in the GitHub Actions cache. This data stored in the GitHub Actions cache can be read by a GitHub Actions workflow running in an untrusted context, such as that running for a Pull Request submitted by a developer via a repository fork.

This vulnerability was discovered internally through code review, and we have not seen any evidence of it being exploited in the wild. However, in addition to upgrading the Gradle Build Action, you should delete any potentially vulnerable cache entries and may choose to rotate any potentially affected secrets (see Remediation).

Patches

Gradle Build Action v2.4.2 (and newer) no longer save this sensitive data for later use, preventing ongoing leakage of secrets via the GitHub Actions Cache. We strongly recommend that all users of the Gradle Build Action upgrade to v2.4.2 (or simply v2) immediately.

Remediation

While upgrading to the latest version of the Gradle Build Action will prevent leakage of secrets going forward, additional actions may be required due to current or previous GitHub Actions Cache entries containing this information.

Current cache entries will remain vulnerable until they are forcibly deleted or they expire naturally after 7 days of not being used. Potentially vulnerable entries can be easily identified in the GitHub UI by searching for a cache entry with key matching configuration-cache-*. We recommend that users of the Gradle Build Action inspect their list of cache entries and manually delete any that match this pattern.

While we have not seen any evidence of this vulnerability being exploited, we recommend cycling any repository secrets if you cannot be certain that these have not been compromised. Compromise could occur if you run a GitHub Actions workflow for a pull request attempting to exploit this data.
Warning signs to look for in a pull request include:

  • Making changes to GitHub Actions workflow files in a way that may attempt to read/extract data from the Gradle User Home or /.gradle directories.
  • Making changes to Gradle build files or other executable files that may be invoked by a GitHub Actions workflow, in a way that may attempt to read/extract information from these locations.

Workarounds

We strongly recommend that all users upgrade to the latest version of the Gradle Build Action as soon as possible, and delete any potentially vulnerable cache entries from the GitHub Actions cache (see Remediation).

If for some reason this is not possible, users can limit the impact of this vulnerability:

  • If the Gradle project does not opt-in to using the configuration cache, then it is not vulnerable.
  • If the Gradle project does opt-in to using the configuration-cache by default, then the --no-configuration-cache command-line argument can be used to disable this feature in a GitHub Actions workflow.

In any case, we recommend that users carefully inspect any pull request before approving the execution of GitHub Actions workflows. It may be prudent to require approval for all PRs from external contributors, as described here.

Release Notes

gradle/gradle-build-action (gradle/gradle-build-action)

v2.4.2

Compare Source

This release disables the save/restore of configuration-cache data, since this functionality has been shown to be problematic.
Gradle 8.1 has made changes to this functionality which will require a more comprehensive rework of the action before we can re-enable this.

v2.4.1

Compare Source

This patch release updates a number of dependencies, including xmljs which was reported to have a security vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2023-0842).
There is no evidence that this vulnerability affected the gradle-build-action.

Full changelog: gradle/gradle-build-action@v2.4.0...v2.4.1

v2.4.0

Compare Source

What's new

The v.2.4.0 release contains various library updates and fixes to fully support Gradle 8.

Notable changes:

  • Update to @actions/cache: 3.1.3 should improve cache save/restore performance on Windows by using gnu tar and zstd when available.
  • Fix caching of extracted JDK toolchains for Gradle 7.6+ (e444647)

Full Changelog: gradle/gradle-build-action@v2.3.3...v2.4.0

v2.3.3

Compare Source

This patch release removes all uses of the deprecated set-output and set-state commands, and should remove deprecation warnings from build logs. See #​461 and #​477 for more details.

Full Changelog: gradle/gradle-build-action@v2.3.2...v2.3.3

v2.3.2

Compare Source

This patch release fixes an issue which could result in errors in the post-action step. See #​441 for details.

Full Changelog: gradle/gradle-build-action@v2.3.1...v2.3.2

v2.3.1

Compare Source

This patch release addresses some security vulnerabilities reported by the CodeQL check:

The release contains no functional changes.

Full Changelog: gradle/gradle-build-action@v2.3.0...v2.3.1

v2.3.0

Compare Source

What's new

With v2.3.0, the gradle-build-action can now attempt to remove any unused files from the Gradle User Home directory before storing to the GitHub Actions cache. This can prevent cases where the size of cache entry grows over time.

Gradle Home cache cleanup is disabled by default. You can enable this feature for the action as follows:

gradle-home-cache-cleanup: true

See the README for more details.

Full Changelog: gradle/gradle-build-action@v2.2.5...v2.3.0

v2.2.5

Compare Source

What's fixed

Fixes a bug where a corrupted cache entry caused an error in beforeSave (#​408). This meant that the entry was never purged.
By allowing @actions/globber to follow symlinks and ignore broken symlinks, the bad files in the cache entry are ignored and the corrupted cache entry can be replaced by a good one.

Full Changelog: gradle/gradle-build-action@v2.2.4...v2.2.5

v2.2.4

Compare Source

What's fixed

The fix for #​383 introduced a bug that caused the post-action to fail when attempting to resolve cache-read-only for scheduled jobs.
This has been fixed with an explicit (rather than implicit) check for 'event.repository != null'. (#​409)

Full Changelog: gradle/gradle-build-action@v2.2.3...v2.2.4

v2.2.3

Compare Source

What's fixed

This release updates a number of key dependencies and fixes some cache-related issues:

  • Do not set cache-read-only=true for scheduled workflows on default branch (#​383)
  • Fix reporting of caching errors that was broken in v2.2.2 (#​407)
  • Abort cache download operations after 10 minutes (configurable). Previously cache download operations could hang the build. (#​369)

Full Changelog: gradle/gradle-build-action@v2.2.2...v2.2.3

v2.2.2

Compare Source

What's fixed

This release fixes some issues that were discovered in the v2.2.1 release, and updates a number of dependencies.

  • Improved support for GitHub Enterprise
    • Do not attempt to use GitHub Actions cache when the feature is not available
    • Write Gradle Build summary to log files when Job Summary functionality not available
  • Only attempt to stop Gradle daemons when caching Gradle User Home (#​341)
  • Only write build-results file when GitHub Actions env vars are available (#​350)

Full Changelog: gradle/gradle-build-action@v2.2.1...v2.2.2

v2.2.1

Compare Source

What's fixed

This release fixes some issues that were exposed by the v2.2.0 release, as well as improving the content and layout of the Job Summary.

  • Don't try to generate Job Summary when functionality is not available (GitHub Enterprise): #​319
  • Fix warning when attempting to delete non-existent file: #​308
  • Fix Entry not saved: reason unknown message in Job Summary cache details: #​309
  • Report failure to publish build scan in Job Summary: #​326

Full Changelog: gradle/gradle-build-action@v2.2.0...v2.2.1

v2.2.0

Compare Source

Summary

This release brings a new Job Summary report, as well as numerous improvements and bug fixes:

  • Capture all Gradle build executions for a job and write them to the GitHub Actions Job Summary.
  • Default to cache-read-only for non-default branches (see 0a36ca9)
  • Allow the Gradle Daemon to run across build steps in a workflow Job (see #​113)
Issues resolved

https://github.com/gradle/gradle-build-action/milestone/7?closed=1

What's Changed

Full Changelog: gradle/gradle-build-action@v2.1.7...v2.2.0

v2.1.7

Compare Source

Fixes #​293, which prevented v2.1.6 from allowing Gradle to re-use previously downloaded wrapper distributions. This slowed down build executions and could result in build flakiness when the wrapper zip failed to download.

  • [FIX] Retain more items in the wrapper folder of Gradle User Home, avoiding re-download of wrapper distributions.

v2.1.6

Compare Source

This release contains an fix for changed behaviour in Gradle 7.6, as well as numerous library upgrades.

Earlier versions of the gradle-build-action were saving and restoring the downloaded Gradle wrapper zip file as part of caching the Gradle User Home. This will no longer work with Gradle 7.6, as the wrapper zip is now removed after expanding. This release of gradle-build-action contains a fix for this change in Gradle 7.6. Using an older version of the GitHub action with Gradle 7.6 will likely result in the wrapper being downloaded on every GitHub actions invocation.

What's Changed
  • [FIX] Save/restore exploded Gradle dist rather than zip
  • [FIX] Update to the latest versions of @actions/core, @actions/cache, @actions/github, @actions/http-client and @actions/tool-cache.

Full changelog: gradle/gradle-build-action@v2.1.5...v2.1.6

v2.1.5

Compare Source

This release addresses a potential security issue by upgrading minimist, and fixes a bug with very large cache entries by upgrading @actions/cache. No other changes are included.

What's Changed

  • [FIX] - Upgrade minimist from 1.2.5 -> 1.2.6
  • [FIX] - Support cache entries > 2Gb via library upgrade to @​actions/cache from 1.0.10 -> 2.0.0.

Full changelog: gradle/gradle-build-action@v2.1.4...v2.1.5

v2.1.4

Compare Source

What's Changed

  • Updated dependency versions: d700906.
  • Log stack trace for cache errors that are reported as warnings.

Full Changelog: gradle/gradle-build-action@v2.1.3...v2.1.4

v2.1.3

Compare Source

This patch release fixes an issue that prevented the Gradle User Home from being restored from cache on macos-latest runners. #​155

What's Changed

Full Changelog: gradle/gradle-build-action@v2.1.2...v2.1.3

v2.1.2

Compare Source

This patch release fixes a minor bug and updates some NPM dependencies, including one dependency with a reported security advisory.

What's Changed

  • Fixed #​147: existing gradle.properties is no longer overwritten by action initialization
  • Updated all NPM dependencies to the latest version
    • This included updating node-fetch to a version that isn't impacted by GHSA-r683-j2x4-v87g. Note that this CVE has been determined not to impact the action.

Full Changelog: gradle/gradle-build-action@v2.1.1...v2.1.2

v2.1.1

Compare Source

This release improves logging and fixes a number of minor issues.

  • Fix misleading error message when gradlew script is not executable #​76
  • Differentiate between build scan links generated for different steps in the same Job #​124
  • Avoid overwriting existing Gradle User Home #​138
  • Capture build scan links even when cache is disabled #​139

In addition, 2 experimental configuration parameters have been added:

  • gradle-home-cache-strict-match: Only reuse cache entries generated by previous invocations for the same job
  • cache-write-only: Do not restore cache entries but save on Job completion

Full Changelog: gradle/gradle-build-action@v2.1.0...v2.1.1

v2.1.0

Compare Source

Overview

This release brings a major improvement in usability, allowing the action to be used to "setup Gradle" without requiring all Gradle invocations to be managed by the action.

jobs:
  build-my-app:
    steps:
    - uses: actions/checkout@v2
    - name: Setup Gradle
      uses: gradle/gradle-build-action@v2
    - name: Execute Gradle build
      run: ./gradlew build

Any Gradle invocation after the first gradle-build-action step will benefit from caching and build-scan capture just as if it was invoked through a subsequent gradle-build-action. This is achieved via init scripts added when initializing/restoring the Gradle User Home.

This change makes it easier to adopt the gradle-build-action into an existing GitHub Actions workflow and enables usages such as:

  • Redirect all Gradle log output to a file #​72
  • Run a script to configure the environment prior to Gradle invocation #​15
  • Capture Gradle output for use in a subsequent step #​112
Usability improvements
  • Can use regular run step to invoke Gradle and still benefit from Gradle User Home caching as well as build-scan integration.
Caching improvements
  • Wrapper distributions and generated API jars are now cached individually, allowing for better reuse and more efficient storage: #​78
  • Java distributions downloaded by Gradle are cached: #​33

Changes in detail

Full Changelog: gradle/gradle-build-action@v2.0.0...v2.1.0

v2.0.1

Compare Source

What's Changed

This patch release fixes a couple of cases where a failure to store caches would cause the entire Job to fail. The goal of the gradle-build-action is to warn-and-continue on all recoverable cache failures.

Issues fixed

  • Cache upload failure because file read failed should not cause step to fail #​120
  • SyntaxError: Unexpected end of JSON input should not cause step to fail #​119

Full Changelog: gradle/gradle-build-action@v2.0.0...v2.0.1

v2.0.0

Compare Source

This is the initial release of gradle-build-action@v2, which brings significant performance and usability improvements over v1. A few key improvements are outlined here, but see the project README for more details.

Thanks for trying it out!

Usability improvements:

The gradle-build-action has been redesigned from the ground up to work well with minimal configuration, avoiding the need for most users to tweak multiple configuration options to benefit.

Highlights:

  • Simplified and improved configuration options, with better support for more Gradle builds "out of the box".
  • More robust capture of Build Scan™ links, which are now added directly as Notice annotations to your workflow run.
  • Support for multi-line arguments in workflow definitions.
Performance improvements:

A key benefit of gradle-build-action over other solutions is the sophisticated support for saving and restoring relevant Gradle state between build invocations. This caching support speeds up build invocations and is designed to work in most scenarios without further tweaking.

Highlights:

  • Support for caching of more state between Gradle invocations, including compiled build scripts and generated Gradle API jars as well as downloaded dependencies and Gradle distributions.
  • Common files such as downloaded dependencies and wrapper distributions are cached in a more efficient manner, with the goal to cut cache-entry size and reduce eviction pressure.
  • Detailed reporting of cache usage and cache configuration options allow you to optimize the use of the GitHub actions cache.

v1.5.1

Compare Source

Fixes issue where invalid cache keys could be generated if the Gradle arguments list was overly long.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title Update gradle/gradle-build-action action to v2 [SECURITY] Update gradle/gradle-build-action action to v2 [SECURITY] - autoclosed Aug 6, 2024
@renovate renovate bot closed this Aug 6, 2024
@renovate renovate bot deleted the renovate/github-tags-gradle/gradle-build-action-vulnerability branch August 6, 2024 20:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
0 participants