release: 发布 0.5.2 版本.

CVE-2022-42004 漏洞报告指出, 由于 jackson-databind 的有关错误, 导致对象序列化过程可能存在数据错误的问题,
目前 jackson-databind 已发布 2.13.4.2 版本以解决该问题, 由于引入 jackson-databind 的 telegrambots 库尚未发布针对该问题的修复版本,
故在本项目中引入新版依赖项, 以确保用户不受该问题影响.
该版本已在 TelegramBots 项目(版本 6.1.0)中进行测试, 测试通过.
------------------------------------------
https://devhub.checkmarx.com/cve-details/CVE-2022-42004/

.github/workflows/create-release.yml

@@ -14,7 +14,7 @@ permissions:
   contents: write
 
 jobs:
-  build:
+  create-release:
     timeout-minutes: 10
     runs-on: ubuntu-latest
 

.github/workflows/publish-artifacts.yml

@@ -1,4 +1,4 @@
-name: Release container image
+name: Publish artifacts
 
 on:
   release:
@@ -9,7 +9,7 @@ env:
   IMAGE_NAME: lamgc/scalabot
 
 jobs:
-  release-image:
+  publish-container-image:
     runs-on: ubuntu-latest
     timeout-minutes: 15
 

build.gradle.kts

@@ -12,5 +12,5 @@ allprojects {
 
     }
     group = "net.lamgc"
-    version = "0.5.1"
+    version = "0.5.2"
 }

scalabot-app/build.gradle.kts

@@ -10,9 +10,9 @@ dependencies {
     implementation(project(":scalabot-meta"))
     implementation(project(":scalabot-extension"))
 
-    implementation("org.slf4j:slf4j-api:1.7.36")
+    implementation("org.slf4j:slf4j-api:2.0.0")
     implementation("io.github.microutils:kotlin-logging:2.1.23")
-    implementation("ch.qos.logback:logback-classic:1.2.11")
+    implementation("ch.qos.logback:logback-classic:1.4.0")
 
     val aetherVersion = "1.1.0"
     implementation("org.eclipse.aether:aether-api:$aetherVersion")
@@ -23,7 +23,7 @@ dependencies {
     implementation("org.eclipse.aether:aether-connector-basic:$aetherVersion")
     implementation("org.apache.maven:maven-aether-provider:3.3.9")
 
-    implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:1.6.2")
+    implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:1.6.4")
     implementation("org.jetbrains.kotlin:kotlin-reflect:1.6.20")
     implementation("com.google.code.gson:gson:2.9.0")
 
@@ -32,11 +32,15 @@ dependencies {
     implementation("org.telegram:telegrambots-abilities:6.1.0")
     implementation("org.telegram:telegrambots:6.1.0")
 
-    implementation("io.prometheus:simpleclient:0.15.0")
+    // Added as a mitigation measure for vulnerabilities.
-    implementation("io.prometheus:simpleclient_httpserver:0.15.0")
+    // When the relevant reference dependency updates it, it will be removed.
+    implementation("com.fasterxml.jackson.core:jackson-databind:2.13.4.2")
+
+    implementation("io.prometheus:simpleclient:0.16.0")
+    implementation("io.prometheus:simpleclient_httpserver:0.16.0")
 
     testImplementation(kotlin("test"))
-    testImplementation("io.mockk:mockk:1.12.4")
+    testImplementation("io.mockk:mockk:1.12.7")
     testImplementation("com.github.stefanbirkner:system-lambda:1.2.1")
 }
 

scalabot-ext-example/build.gradle.kts

@@ -5,7 +5,7 @@ plugins {
 dependencies {
     compileOnly(project(":scalabot-extension"))
 
-    testImplementation("org.junit.jupiter:junit-jupiter-api:5.8.2")
+    testImplementation("org.junit.jupiter:junit-jupiter-api:5.9.0")
     testRuntimeOnly("org.junit.jupiter:junit-jupiter-engine")
 }
 

scalabot-extension/build.gradle.kts

@@ -4,14 +4,20 @@ plugins {
     jacoco
     `maven-publish`
     signing
+    id("org.jetbrains.kotlinx.binary-compatibility-validator") version "0.11.1"
 }
 
 dependencies {
+    implementation("commons-codec:commons-codec:1.15")
     api("org.telegram:telegrambots-abilities:6.1.0")
-    api("org.slf4j:slf4j-api:1.7.36")
+    api("org.slf4j:slf4j-api:2.0.0")
 
-    testImplementation("org.junit.jupiter:junit-jupiter-api:5.8.2")
+    // Added as a mitigation measure for vulnerabilities.
-    testImplementation("org.mockito:mockito-core:4.6.1")
+    // When the relevant reference dependency updates it, it will be removed.
+    implementation("com.fasterxml.jackson.core:jackson-databind:2.13.4.2")
+
+    testImplementation("org.junit.jupiter:junit-jupiter-api:5.9.0")
+    testImplementation("org.mockito:mockito-core:4.7.0")
     testRuntimeOnly("org.junit.jupiter:junit-jupiter-engine")
 }
 

scalabot-meta/build.gradle.kts

@@ -4,6 +4,7 @@ plugins {
     id("org.jetbrains.dokka") version "1.7.0"
     `maven-publish`
     signing
+    id("org.jetbrains.kotlinx.binary-compatibility-validator") version "0.11.1"
 }
 
 dependencies {
@@ -13,14 +14,18 @@ dependencies {
 
     implementation("org.telegram:telegrambots-meta:6.1.0")
 
+    // Added as a mitigation measure for vulnerabilities.
+    // When the relevant reference dependency updates it, it will be removed.
+    implementation("com.fasterxml.jackson.core:jackson-databind:2.13.4.2")
+
     api("com.google.code.gson:gson:2.9.0")
 
     testImplementation(kotlin("test"))
-    testImplementation("io.mockk:mockk:1.12.4")
+    testImplementation("io.mockk:mockk:1.12.7")
-    testImplementation("org.junit.jupiter:junit-jupiter-api:5.8.2")
+    testImplementation("org.junit.jupiter:junit-jupiter-api:5.9.0")
-    testRuntimeOnly("org.junit.jupiter:junit-jupiter-engine:5.8.2")
+    testRuntimeOnly("org.junit.jupiter:junit-jupiter-engine:5.9.0")
 
-    dokkaHtmlPlugin("org.jetbrains.dokka:javadoc-plugin:1.7.0")
+    dokkaHtmlPlugin("org.jetbrains.dokka:javadoc-plugin:1.7.10")
 }
 
 tasks.withType<org.jetbrains.kotlin.gradle.tasks.KotlinCompile>().configureEach {