I am trying to follow the instructions posted here: https://docs.katalon.com/katalon-studio/docs/external-libraries.html#add-external-libraries to exclude the following built in libraries: postgresql-42.2.17.jre7.jar and jackson-databind-2.11.2.jar, but the option to add an excluded library is disabled. Please advise.
1 Like
The option requires Katalon Studio Enterprise license.
I suppose that you use Katalon Studio Free plan, donât you?
My apologies for not seeing your response sooner. We have a KSE license, and itâs associated my credentials. After entering my credentials and activating KSE, I have the option to add/remove in the External Libraries section, but am I still unable to add/remove in Exclude the following built-in libraries.
Thank you, escalating internally for more assistance on this.
Hi @fpiva Frank, could you help submit your concern here. This is a dedicated support portal for our paid client only since youâre using KSE. I understand that this requires you to re-submit your concern but this could help centralize the support effort and get you the solution quicker. Community Forum here is more of a crowd-support channels with Katalon experts from many industries and backgrounds globally, its response time may delay due to the crowd-support nature. Hope this helps.
Hi All,
Kindly be informed we updated PostgreSQL from 42.2.17.jre7 to 42.3.3 to resolve the CVE-2022-26520 and CVE-2022-21724 vulnerabilities in version 8.3.5.
Download version 8.3.5 here and See what has been added in this latest release at Release notes 8.3.5.
Regards,
Shin
2 Likes
Hi @Shin and @kazurayam, currently we observed that Katalon Studio v7.8.2 and v8.4.0 contain appache-commons-text.v1.6 which has the following vulnerabilities issues
commons-text-v1.6 vulnerability CVE-2022-42889
Can you please advise on how it can be fixed?
At the moment our testing framework is enterprise version of katalon
Regards
L
You can exclude the built-in version of external libraries as documented at
And at the same time you want to add your preferable version in the Driviers folder of your project.
Hi @kazurayam, thank you for answering. I would like to ask you about KRE, we run through katalon runtime engine. How can we do the above procedure in KRE.
Thank you @kazurayam. I will try, but if there is any command line, to exclude them would be nice. Because we have our paid version of katalon for running our tests (KREs) , but locally not everybody has the paid one
I think you want to do the setup into the project using Katalon Studio GUI, and commit the settings into the git repository, push it to the remote git repository. The repository should include the version of external jar of your choice in the Drivers directory. You would checkout the repository from the remote Git repostiory to run the project in KRE. This project inherits the settings, so it should work in KRE the same.
1 Like
hello @kazurayam, @vu.tran
Relates to the issue with commons library appache-commons-text.v1.6 with vulnerability CVE-2022-42889.
Currently we donât have KSE licenses in order exclude the specific plugin via Katalon studio GUI but we have KRE licenses, how can we overcome this?
thanks
You can use Katalon Studio - Standalone Editon, which is free. It is enough for managing external dependencies as we discussed.
You are only affected when this software uses the StringSubstitutor API without properly sanitizing any untrusted input.
Does anyone know if this issue really affects Katalon Studio and if so, when Katalon Studio will be updated to solve this issue by using Common-text v 1.10?
edit:
I manually added âv1.10â as a plugin, but the 1.6.0 file still exists.
Is there a way to know the 1.6.0 version isnât used?
from Katalon Studio installation details:
org.apache.commons.commons-text (1.10.0) âApache Commons Textâ [Active]
org.apache.commons.commons-text (1.6.0) âApache Commons Textâ [Resolved]
usually, any published vulnerabity came with a proposed exploit, for testing purposes.
feel free to test and let us know if any concern, and what is the attack surface.
No. I was wrong.
Excluding built-in libraries requires an Enterprise license.