[Java] Vulnerability in version of gradlew generated by default #2094
Comments
Thank you for the report. Do you want to open a pull request for that?
I think that the gradle wrapper part should be generated by the user after he has generated the client library to ensure all is always up to date. I suggested to:
@jmini what do you think?
@karismann I guess that could break automation of someone possibly relying on the files being there. But if breaking backward compatibility for the build isn't an issue, that approach would probably be fine, though the gradle page you refer to seems to prefer having them checked in to version control:
Pinging the Java technical committee: @bbdouglas, @JFCote, @sreeshas, @jfiala, @lukoyanov, @cbornet, @jeff9finger
Description
While generating scala-httpclient, Java or android clients, they all use an old template for gradle-wrapper.properties.mustache pointing to Gradle version 2.6. Our dependency vulnerability scanner picked up on this version being vulnerable, as it allows remote attackers to execute arbitrary code via a crafted serialized object.
See https://nvd.nist.gov/vuln/detail/CVE-2016-6199 for reference.
The configuration files making gradle vulnerable are located here:
openapi-generator/modules/openapi-generator/src/main/resources/android/gradle-wrapper.properties.mustache
openapi-generator/modules/openapi-generator/src/main/resources/Java/gradle-wrapper.properties.mustache
openapi-generator/modules/openapi-generator/src/main/resources/scala-httpclient/gradle-wrapper.properties.mustache
openapi-generator version
all versions
Suggest a fix
I'm not familiar with the build process on these clients, so I'm not sure if this version is old just because it has been "forgotten", or if there are valid reasons to use such an old version of Gradle.
I think it should be fairly safe to upgrade the one used to Gradle version 2.14.1 at least (released on 18 Jul 2016).
It could be considered whether upgrading it to a more up-to-date version of Gradle would be better.
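A small audit check for the problem described above, added here as an example and not part of the original issue or of openapi-generator: it reads a gradle-wrapper.properties file, extracts the Gradle version from the distributionUrl line (the standard wrapper layout, where the colon in the URL is escaped as `\:` in the properties format), and flags anything below the 2.14.1 floor suggested in the report. The two sample property files are constructed for the example; the function names and the fail-closed choice for unparseable files are this example's own.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Constructed sample: a wrapper pinned to Gradle 2.6, the version the issue
# reports the templates were generating. Not copied from the project.
SAMPLE_OLD = """\
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
distributionUrl=https\\://services.gradle.org/distributions/gradle-2.6-bin.zip
"""

# Constructed sample: the same file after the upgrade suggested in the issue.
SAMPLE_NEW = """\
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
distributionUrl=https\\://services.gradle.org/distributions/gradle-2.14.1-all.zip
"""

# Minimum acceptable Gradle version, taken from the issue's suggested fix.
MIN_SAFE = (2, 14, 1)

# Matches the distribution archive name, e.g. gradle-2.14.1-all.zip.
_DIST_RE = re.compile(r"gradle-(\d+(?:\.\d+)*)-(?:bin|all)\.zip")


def parse_distribution_url(props_text: str) -> Optional[str]:
    """Return the distributionUrl value from properties text, with the
    Java-properties escaping of ':' undone, or None if the key is absent."""
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or properties comment
        key, sep, value = line.partition("=")
        if sep and key.strip() == "distributionUrl":
            return value.strip().replace("\\:", ":")
    return None


def wrapper_version(props_text: str) -> Optional[Tuple[int, ...]]:
    """Gradle version pinned by the wrapper as a comparable int tuple,
    e.g. (2, 6), or None if no recognisable distribution URL is present."""
    url = parse_distribution_url(props_text)
    if url is None:
        return None
    match = _DIST_RE.search(url)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def needs_upgrade(props_text: str, minimum: Tuple[int, ...] = MIN_SAFE) -> bool:
    """True when the pinned version is older than `minimum`. A file whose
    version cannot be determined is flagged as well (fail closed), since an
    unknown distribution is not evidence of a patched one."""
    version = wrapper_version(props_text)
    if version is None:
        return True
    # Tuple comparison gives the right answer for (2, 6) < (2, 14, 1)
    # and for (2, 14) < (2, 14, 1).
    return version < minimum


def scan_file(path: Path, minimum: Tuple[int, ...] = MIN_SAFE) -> bool:
    """Convenience wrapper for a real gradle-wrapper.properties on disk."""
    return needs_upgrade(path.read_text(encoding="utf-8"), minimum)


if __name__ == "__main__":
    for label, text in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, wrapper_version(text), "needs upgrade:", needs_upgrade(text))
```

To run this over a checkout, call `scan_file` on every `gradle-wrapper.properties` under the tree (for this project that would include the `gradle/wrapper/` directory of each generated client); the check only looks at the pinned version and says nothing about whether the wrapper JAR itself has been tampered with, which is a separate verification.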