From 2237158b89377fe621691183cac908358c4c70ab Mon Sep 17 00:00:00 2001
From: "CORP\\mmrzik"
Date: Wed, 25 Oct 2023 12:24:54 +0200
Subject: [PATCH] #103: security warning for CVEs in file tool/edition/security
---
 .../com/devonfw/tools/ide/tool/ToolCommandlet.java | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java b/cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java
index 43cb012f1..09a8c9637 100644
--- a/cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java
+++ b/cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java
@@ -21,6 +21,7 @@
 import com.devonfw.tools.ide.process.ProcessErrorHandling;
 import com.devonfw.tools.ide.property.StringListProperty;
 import com.devonfw.tools.ide.repo.ToolRepository;
+import com.devonfw.tools.ide.url.model.file.UrlSecurityFile;
 import com.devonfw.tools.ide.util.FilenameUtil;
 import com.devonfw.tools.ide.version.VersionIdentifier;
@@ -260,6 +261,15 @@ protected boolean doInstall(boolean silent) {
 // check if we already have this version installed (linked) locally in IDE_HOME/software
 VersionIdentifier installedVersion = getInstalledVersion();
+ UrlSecurityFile securityFile = this.context.getUrls().getEdition(this.tool, this.getEdition()).getSecurityFile();
+ // I do not want to use the installed version here, as I want to warn the user whether the tool is installed or not.
+ VersionIdentifier currentVersion = this.context.getUrls().getVersion(this.tool, this.getEdition(), configuredVersion);
+ if (securityFile.contains(currentVersion)) {
+ this.context.warning("Version {} of tool {} is known to have security issues!", currentVersion,
+ getToolWithEdition());
+ }
+
 VersionIdentifier resolvedVersion = installation.resolvedVersion();
 if (isInstalledVersion(resolvedVersion, installedVersion, silent)) {
 return false;
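Review bot: The CVE check in doInstall tests `currentVersion`, which is looked up separately from `configuredVersion`, while the version that actually gets linked appears to be `installation.resolvedVersion()` on the context line right after the added block. If the configured version is a pattern, or the two lookups can resolve differently (not visible in this hunk), the warning may name a version other than the one installed, or be missed. Moving the check below that line and testing `securityFile.contains(resolvedVersion)` would tie the warning to the installed artifact and drop the extra lookup. The chain `getEdition(...).getSecurityFile()` is also dereferenced without a guard, so if either call can return null for an edition that has no security file, an advisory check turns into a failed install; a null check before `contains` keeps it best-effort. The first-person comment could read `// check the version to be installed, not the linked one, so the warning is shown either way`; doInstall starts and ends outside the hunk.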