I am trying to follow the instructions posted here: https://docs.katalon.com/katalon-studio/docs/external-libraries.html#add-external-libraries to exclude the following built-in libraries: postgresql-42.2.17.jre7.jar and jackson-databind-2.11.2.jar, but the option to add an excluded library is disabled. Please advise.
The option requires a Katalon Studio Enterprise license.
I suppose that you use Katalon Studio Free plan, don’t you?
My apologies for not seeing your response sooner. We have a KSE license, and it's associated with my credentials. After entering my credentials and activating KSE, I have the option to add/remove in the External Libraries section, but I am still unable to add/remove in "Exclude the following built-in libraries".
@fpva needs assistance by someone from Katalon.
Thank you, escalating internally for more assistance on this.
Hi @fpiva Frank, could you please submit your concern here? This is a dedicated support portal for our paid clients only, and you're using KSE. I understand that this requires you to re-submit your concern, but it helps centralize the support effort and get you a solution quicker. The Community Forum is more of a crowd-support channel with Katalon experts from many industries and backgrounds globally, so its response time may be delayed due to the crowd-support nature. Hope this helps.
commons-text-v1.6 vulnerability CVE-2022-42889
Can you please advise on how it can be fixed?
At the moment our testing framework is the Enterprise version of Katalon.
You can exclude the built-in version of external libraries as documented at
And at the same time you want to add your preferred version in the Drivers folder of your project.
Hi @kazurayam, thank you for answering. I would like to ask you about KRE; we run through Katalon Runtime Engine. How can we do the above procedure in KRE?
Thank you @kazurayam. I will try, but if there is any command line to exclude them, that would be nice, because we have our paid version of Katalon for running our tests (KRE), but locally not everybody has the paid one.
I will pass this question to @vu.tran
I think you want to do the setup in the project using the Katalon Studio GUI, commit the settings into the git repository, and push them to the remote git repository. The repository should include the version of the external jar of your choice in the Drivers directory. You would check out the repository from the remote Git repository to run the project in KRE. This project inherits the settings, so it should work in KRE the same.
This relates to the issue with the commons library apache-commons-text v1.6 with vulnerability CVE-2022-42889.
Currently we don't have KSE licenses in order to exclude the specific plugin via the Katalon Studio GUI, but we have KRE licenses. How can we overcome this?
You can use Katalon Studio - Standalone Edition, which is free. It is enough for managing external dependencies as we discussed.
You are only affected when this software uses the StringSubstitutor API without properly sanitizing any untrusted input.
Does anyone know if this issue really affects Katalon Studio and, if so, when Katalon Studio will be updated to solve this issue by using commons-text v1.10?
I manually added v1.10 as a plugin, but the 1.6.0 file still exists.
Is there a way to know the 1.6.0 version isn’t used?
From Katalon Studio installation details:
org.apache.commons.commons-text (1.10.0) “Apache Commons Text” [Active]
org.apache.commons.commons-text (1.6.0) “Apache Commons Text” [Resolved]
Usually, any published vulnerability comes with a proposed exploit, for testing purposes.
Feel free to test and let us know if you have any concern, and what the attack surface is.
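Added example, not code from this thread or from Katalon: a Groovy snippet (Katalon test scripts are Groovy) that a practitioner can drop into a test case to answer the two questions raised above: which commons-text jar the project actually loads (the Active/Resolved bundle listing shows what OSGi resolved, not which jar ends up supplying the class to your script), and whether the StringSubstitutor attack surface named in the advisory is live. It also shows the allow-listed substitutor you would use instead of the default interpolator. It assumes commons-text is on the classpath (it is, per the listing above); the method names probe(), commonsTextJar(), scriptLookupEnabled() and hardenedSubstitutor() are mine, and the variable map passed at the end is constructed sample input.

```groovy
import org.apache.commons.text.StringSubstitutor
import org.apache.commons.text.lookup.StringLookupFactory

// Benign probe string (assumption: a harmless expression is enough to show
// whether the "script" lookup is wired in). Single quotes keep Groovy from
// interpolating it. A substitutor with the script lookup enabled evaluates
// it; one without leaves the token exactly as written.
String probe() {
    return '${script:javascript:1 + 1}'
}

// Location of the jar that actually supplied StringSubstitutor at run time,
// so you can see whether the bundled 1.6.0 or a jar from Drivers won.
String commonsTextJar() {
    return StringSubstitutor.class.protectionDomain.codeSource.location.toString()
}

// True when the default interpolator still registers the script lookup,
// i.e. the CVE-2022-42889 attack surface exists for untrusted input.
boolean scriptLookupEnabled() {
    StringSubstitutor sub = new StringSubstitutor(
        StringLookupFactory.INSTANCE.interpolatorStringLookup())
    try {
        return sub.replace(probe()) != probe()
    } catch (IllegalArgumentException e) {
        // The lookup is registered but no JavaScript engine is installed
        // (newer JDKs dropped Nashorn); the prefix is still reachable.
        return true
    }
}

// Hardened form: an explicit allow-list of lookups. addDefaultLookups=false
// means script/dns/url are never registered, whichever commons-text version
// is on the classpath, so untrusted text can only reach the lookups listed.
StringSubstitutor hardenedSubstitutor(Map<String, String> vars) {
    Map lookups = [
        sys : StringLookupFactory.INSTANCE.systemPropertyStringLookup(),
        vars: StringLookupFactory.INSTANCE.mapStringLookup(vars),
    ]
    return new StringSubstitutor(
        StringLookupFactory.INSTANCE.interpolatorStringLookup(lookups, null, false))
}

println 'commons-text loaded from: ' + commonsTextJar()
println 'script lookup enabled:    ' + scriptLookupEnabled()

// Constructed sample input: the hardened substitutor resolves only the
// allow-listed prefixes and leaves the script token inert.
StringSubstitutor safe = hardenedSubstitutor([env: 'staging'])
println safe.replace('${vars:env} -> ' + probe())
```

The check is worth running inside the project rather than reading the bundle list, because a jar dropped into Drivers does not remove the 1.6.0 bundle; it only changes which copy the test script's classpath resolves first. If scriptLookupEnabled() reports true, any place where untrusted text reaches a default interpolator needs either the upgrade or the allow-listed substitutor.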
No. I was wrong.
Excluding built-in libraries requires an Enterprise license.
Hi @Shin @vu.tran, are there any version updates for Katalon to mitigate the Text4Shell vulnerability, apache-commons-text v1.6 vulnerability CVE-2022-42889?
We don't have the KRE license, so we can't exclude the library.
I am not a Katalon employee.
Do not mention my name, please.