Closure Compiler - Protobuf vulnerability


We are using Java 8, and the latest Closure Compiler tag that supports Java 8 is v20220502. The protobuf-java version used in this tag is 3.17.0, which comes from the protobuf_proto_rules entry in WORKSPACE.bazel:

# Fetches the rules_proto 4.0.0 tag archive and exposes it as the external
# repository "protobuf_proto_rules".
http_archive(
    name = "protobuf_proto_rules",
    # output from `sha256sum` on the downloaded tar.gz file
    # http_archive compares the fetched file with this digest and fails the
    # fetch on a mismatch, so the pin covers whichever URL serves the archive.
    sha256 = "66bfdf8782796239d3875d37e7de19b1d94301e8972b3cbd2446b332429b4df1",
    strip_prefix = "rules_proto-4.0.0",
    # Two locations for the same 4.0.0 tag archive: the Bazel mirror and GitHub.
    urls = [
        "https://mirror.bazel.build/github.com/bazelbuild/rules_proto/archive/refs/tags/4.0.0.tar.gz",
        "https://github.com/bazelbuild/rules_proto/archive/refs/tags/4.0.0.tar.gz",
    ],
)

We want to use protobuf_java 3.21.7, the version listed in https://github.com/bazelbuild/rules_proto/blob/5.3.0-21.7/proto/private/dependencies.bzl, so we edited WORKSPACE.bazel like this:

# Re-points the "protobuf_proto_rules" repository at the rules_proto
# 5.3.0-21.7 tag archive.
http_archive(
    name = "protobuf_proto_rules",
    # Digest of the 5.3.0-21.7 archive. It has to be recomputed from the
    # downloaded file whenever the tag changes; a stale value makes the fetch
    # fail instead of accepting different content.
    sha256 = "dc3fb206a2cb3441b485eb1e423165b231235a1ea9b031b4433cf7bc1fa460dd",
    strip_prefix = "rules_proto-5.3.0-21.7",
    # Only the GitHub location is listed; the 4.0.0 entry this replaces also
    # listed a mirror.bazel.build URL.
    urls = [
        "https://github.com/bazelbuild/rules_proto/archive/refs/tags/5.3.0-21.7.tar.gz",
    ],
)

After this change we get the following error:

Starting local Bazel server and connecting to it...
ERROR: Traceback (most recent call last):
        File "C:/users/.../_bazel_.../7eswowuu/external/rules_cc/cc/private/rules_impl/cc_flags_supplier.bzl", line 16, column 76, in <toplevel>
                load("@bazel_tools//tools/cpp:toolchain_utils.bzl", "find_cpp_toolchain", "use_cpp_toolchain")
Error: file '@bazel_tools//tools/cpp:toolchain_utils.bzl' does not contain symbol 'use_cpp_toolchain' (did you mean 'find_cpp_toolchain'?)
ERROR: While resolving toolchains for target //:compiler_unshaded: com.google.devtools.build.lib.packages.BuildFileContainsErrorsException: error loading package '@bazel_tools//tools/cpp': in C:/users/.../_bazel_.../7eswowuu/external/rules_cc/cc/defs.bzl: Extension file 'cc/private/rules_impl/cc_flags_supplier.bzl' has errors
ERROR: Analysis of target '//:compiler_unshaded_deploy.jar' failed; build aborted: com.google.devtools.build.lib.packages.BuildFileContainsErrorsException: error loading package '@bazel_tools//tools/cpp': in C:/users/.../_bazel_.../7eswowuu/external/rules_cc/cc/defs.bzl: Extension file 'cc/private/rules_impl/cc_flags_supplier.bzl' has errors
INFO: Elapsed time: 5.810s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (2 packages loaded, 0 targets configured)

How can we upgrade protobuf_java to version 3.21.7?



Bharateesh Diggavi On

We added the new protobuf rules at the beginning of WORKSPACE.bazel, and that resolved the issue for us. Here is the file we used with v20220502:

# Names this workspace; other repositories refer to it by this name.
workspace(name = "com_google_javascript_jscomp")

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")

# Release tag and archive digest for rules_jvm_external. Both describe the
# same archive, so they have to be changed together.
RULES_JVM_EXTERNAL_TAG = "4.2"
RULES_JVM_EXTERNAL_SHA = "cd1a77b7b02e8e008439ca76fd34f5b07aecb8c752961f9640dea15e9e5ba1ca"

http_archive(
    name = "rules_jvm_external",
    strip_prefix = "rules_jvm_external-%s" % RULES_JVM_EXTERNAL_TAG,
    # The fetch fails if the downloaded zip does not hash to this value.
    sha256 = RULES_JVM_EXTERNAL_SHA,
    url = "https://github.com/bazelbuild/rules_jvm_external/archive/%s.zip" % RULES_JVM_EXTERNAL_TAG,
)

#
# To update google_bazel_common, locate the git commit to depend on and
# use something like the following to determine the sha256
#  curl -L https://github.com/google/bazel-common/archive/<git-commit-id>.zip |
#  sha256
#
#

# rules_proto 5.3.0-21.7, declared ahead of google_bazel_common and the other
# repositories in this file. The comment block directly above this entry
# describes google_bazel_common (declared further down), not this archive.
# NOTE(review): the early position presumably matters because repository
# macros usually skip names that are already defined, so the pins registered
# here would win over older ones pulled in later. Confirm against the macros
# loaded below.
http_archive(
     name = "protobuf_proto_rules",
    # Digest of the 5.3.0-21.7 archive; recompute it from the downloaded file
    # whenever the tag changes.
    sha256 = "dc3fb206a2cb3441b485eb1e423165b231235a1ea9b031b4433cf7bc1fa460dd",
    strip_prefix = "rules_proto-5.3.0-21.7",
    urls = [
        "https://github.com/bazelbuild/rules_proto/archive/refs/tags/5.3.0-21.7.tar.gz",
    ],
)

# Runs the repository and toolchain setup macros shipped with rules_proto.
# NOTE(review): the protobuf version that reaches the build is whatever these
# macros pin. After upgrading, check the protobuf-java version in the built
# (shaded) jar rather than relying on this file alone.
load("@protobuf_proto_rules//proto:repositories.bzl", "rules_proto_dependencies", "rules_proto_toolchains")
rules_proto_dependencies()
rules_proto_toolchains()

# bazel-common pinned to one specific commit: the same commit id appears in
# strip_prefix and in the URL, and the archive is checked against sha256.
http_archive(
    name = "google_bazel_common",
    # output from `sha256sum` on the downloaded zip file
    sha256 = "cb37c4977b01311f72157897b1b180b6caf2fc88336ee64b39152af61f8708a9",
    strip_prefix = "bazel-common-82a7dd0f4cd8593fdaa40d65a1fa820b14ff3493",
    urls = [
      "https://github.com/google/bazel-common/archive/82a7dd0f4cd8593fdaa40d65a1fa820b14ff3493.zip",
    ],
)

# maven_import is used for the Maven artifacts declared later in this file.
load("@google_bazel_common//:workspace_defs.bzl", "google_common_workspace_rules", "maven_import")

# NOTE(review): this macro comes from bazel-common and its contents are not
# visible here; it presumably declares further external repositories, so check
# which versions it pins when auditing dependencies.
google_common_workspace_rules()

# Third-party Maven artifacts. Each entry fixes an exact version together with
# the sha256 of the artifact, so a version bump also needs a new digest.
# No protobuf-java artifact is declared in this list; its version is decided
# elsewhere in the workspace setup.
maven_import(
    # http://args4j.kohsuke.org/index.html
    group_id = "args4j",
    artifact_id = "args4j",
    version = "2.33",
    sha256 = "91ddeaba0b24adce72291c618c00bbdce1c884755f6c4dba9c5c46e871c69ed6",
    licenses = ["notice"],
)

maven_import(
    # https://github.com/java-diff-utils/java-diff-utils
    group_id = "io.github.java-diff-utils",
    artifact_id = "java-diff-utils",
    version = "4.0",
    sha256 = "810232374e76a954949f0e2185cd7d9515addb918cf3da3481f77e07c356b49a",
    licenses = ["notice"],
)

maven_import(
    # https://github.com/google/gson
    group_id = "com.google.code.gson",
    artifact_id = "gson",
    version = "2.9.0",
    sha256 = "c96d60551331a196dac54b745aa642cd078ef89b6f267146b705f2c2cbef052d",
    licenses = ["notice"],
)

maven_import(
    # https://github.com/google/re2j
    group_id ="com.google.re2j",
    artifact_id = "re2j",
    version ="1.3",
    sha256 = "d8040fa1c54c1ce208199015b6e599ec2ef37b7780f8f55a8b4b4b4299bade19",
    licenses = ["notice"],
)

maven_import(
    # https://ant.apache.org/
    group_id ="org.apache.ant",
    artifact_id = "ant",
    version ="1.10.12",
    sha256 = "5c6a438c3ebe7a306eba452b09fa307b0e60314926177920bca896c4a504eaf6",
    licenses = ["notice"],
)

# The two Truth extensions below are pinned to the same version (1.1).
maven_import(
    # https://truth.dev/protobufs
    group_id = "com.google.truth.extensions",
    artifact_id = "truth-liteproto-extension",
    version = "1.1",
    sha256 = "f637de4743194a870316a55a1c50c89638355a2323d96b6ced363a22d6ced316",
    licenses = ["notice"],
)

maven_import(
    # https://truth.dev/protobufs
    group_id = "com.google.truth.extensions",
    artifact_id = "truth-proto-extension",
    version = "1.1",
    sha256 = "d2fa8736dcb541813f8f4090ecc0d634b85cb82bd6d486f1af975458d0238afe",
    licenses = ["notice"],
)

maven_import(
    # https://github.com/google/jimfs
    group_id = "com.google.jimfs",
    artifact_id = "jimfs",
    version = "1.2",
    sha256 = "de16d5c8489729a8512f1a02fbd81f58f89249b72066987da4cc5c87ecb9f72d",
    licenses = ["notice"],
)



# Despite the repository name, the URL shows this archive is rules_java at a
# fixed commit, not protobuf. Upgrading protobuf does not involve this entry.
http_archive(
    name = "protobuf_java_rules",
    # Digest of the commit archive named in the URL below.
    sha256 = "7c4bbe11e41c61212a5cf16d9aafaddade3f5b1b6c8bf94270d78215fafd4007",
    strip_prefix = "rules_java-c13e3ead84afb95f81fbddfade2749d8ba7cb77f",
    url = "https://github.com/bazelbuild/rules_java/archive/c13e3ead84afb95f81fbddfade2749d8ba7cb77f.tar.gz",  # 2021-01-25
)

load("@protobuf_java_rules//java:repositories.bzl", "remote_jdk8_repos")

# NOTE(review): presumably registers the remote JDK 8 repositories used for
# the Java 8 build; the macro body is not visible here.
remote_jdk8_repos()

# Jarjar is a Google tool (https://github.com/google/jarjar) for generating
# shaded JARs (https://stackoverflow.com/questions/49810578). This repo contains
# Bazel bindings for Jarjar, under the Apache license.
# The archive is pinned to a single commit: the same commit id appears in
# strip_prefix and in the URL.
http_archive(
    name = "com_github_johnynek_bazel_jar_jar",
    # output from `sha256sum` on the downloaded zip file
    sha256 = "fdf2c5276e5c6f27efa1e0b64a301f5a122d84a4c1c0dd80006dbbc530a16773",
    strip_prefix = "bazel_jar_jar-171f268569384c57c19474b04aebe574d85fde0d",
    urls = [
      "https://github.com/johnynek/bazel_jar_jar/archive/171f268569384c57c19474b04aebe574d85fde0d.zip",
    ],
)

load("@com_github_johnynek_bazel_jar_jar//:jar_jar.bzl", "jar_jar_repositories")

# Runs the repository setup macro provided by the Jarjar bindings.
jar_jar_repositories()