Gradle issues with cling dependency library (upnp module) #210

Open
aqua-pro opened this issue Oct 12, 2022 · 3 comments

@aqua-pro

Greetings

I have set up Gradle to create a Kotlin project for Torrents

    repositories {
        mavenCentral()
    }
    dependencies {
        implementation("com.github.atomashpolskiy:bt-core:1.10")
        implementation("com.github.atomashpolskiy:bt-dht:1.10")
        implementation("com.github.atomashpolskiy:bt-http-tracker-client:1.10")
        implementation("com.github.atomashpolskiy:bt-upnp:1.10")
        testImplementation(kotlin("test"))
    }

I'm getting an error with the bt-upnp library: it can't find the cling library. I can, however, see it available at mvnrepository here:
https://mvnrepository.com/artifact/org.fourthline.cling/cling-core/2.1.1

KotlinUpdater5:test: Could not find org.fourthline.cling:cling-core:2.1.1.
Required by:
project : > com.github.atomashpolskiy:bt-upnp:1.10
Possible solution:

Does anyone have the same issue? Any idea how to fix this?

Thank you
Best regards

@aqua-pro aqua-pro added the bug label Oct 12, 2022
@atomashpolskiy
Owner

atomashpolskiy commented Oct 12, 2022 via email

@pyckle
Collaborator

pyckle commented Oct 12, 2022

Most likely this is due to the gradle equivalent of CVE-2021-26291 - https://maven.apache.org/docs/3.8.1/release-notes.html

As the 4thline.org repo lacks https, there's no easy fix. A release of cling probably should be uploaded to maven central, but as there's no maintainer and it hasn't been updated in years, I doubt this will be done any time soon.

@aqua-pro
Author

Greetings, dear friends

I've "fixed" it this way. I know it's insecure, but I really don't know any other way

    repositories {
        mavenCentral()
        maven {
            url = uri("http://4thline.org/m2")
            isAllowInsecureProtocol = true
        }
    }

I believe the real fix is making a Cling fork and releasing the artifacts on Maven Central, and changing the dependencies in the BT project to the new fork. I also see many different CVEs on the libraries; it might be interesting to maintain them.

Thank you for your support!
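
An added example, not part of the thread and not the Bt project's own build file: while the plain-HTTP repository is still needed, its exposure can be narrowed so that it may only serve the Cling artifacts and everything else keeps resolving from Maven Central over HTTPS. The `org.seamless` group is an assumption about where Cling's transitive dependencies are published; keep only the groups the build actually reports as missing.

```kotlin
// build.gradle.kts (added example; narrows the workaround shown above)
repositories {
    // Everything except the groups listed below resolves from here, over HTTPS.
    mavenCentral()

    // exclusiveContent binds the listed groups to this one repository:
    //  - the HTTP repository is never asked for any other group, so a
    //    tampered response cannot replace bt-core, kotlin-stdlib, etc.
    //  - the listed groups are never looked up anywhere else.
    exclusiveContent {
        forRepository {
            maven {
                url = uri("http://4thline.org/m2")
                // Still required: the repository offers no HTTPS endpoint.
                isAllowInsecureProtocol = true
            }
        }
        filter {
            // Group of the artifact named in the error message.
            includeGroup("org.fourthline.cling")
            // Assumption: Cling's transitive dependencies use this group
            // and are hosted in the same repository. Remove if not needed.
            includeGroup("org.seamless")
        }
    }
}

dependencies {
    implementation("com.github.atomashpolskiy:bt-core:1.10")
    implementation("com.github.atomashpolskiy:bt-dht:1.10")
    implementation("com.github.atomashpolskiy:bt-http-tracker-client:1.10")
    implementation("com.github.atomashpolskiy:bt-upnp:1.10")
    testImplementation(kotlin("test"))
}
```

Running `gradle --write-verification-metadata sha256 help` afterwards records checksums in `gradle/verification-metadata.xml`, and later builds fail if a downloaded artifact no longer matches. Those first checksums are computed from files fetched over HTTP, so compare them with an independently obtained copy before committing the file.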
