
#148 - Aquasec - Criticals - Fix - CVE-2022-31183 #149

Closed

miroslavpojer wants to merge 7 commits into master from infrastructure/148-Aquasec-Criticals-Fix-CVE-2022-31183

#148 - Aquasec - Criticals - Fix - CVE-2022-31183#149
miroslavpojer wants to merge 7 commits intomasterfrom
infrastructure/148-Aquasec-Criticals-Fix-CVE-2022-31183

Conversation


@miroslavpojer miroslavpojer commented Nov 10, 2025

Release Notes:

  • Fixed by update to dependencies with solved vulnerability.

Closes #148

Summary by CodeRabbit

  • Chores
    • Updated database-related libraries (Doobie and Circe) to newer release candidates; no functional or behavioral changes.
  • Tests
    • Clarified test connection setup with explicit parameters (no behavioral change).
    • Removed several legacy non-Postgres time/date metadata tests, narrowing test coverage to Postgres-backed variants.

- Fixed by update to dependencies with solved vulnerability.
@miroslavpojer miroslavpojer self-assigned this Nov 10, 2025
@miroslavpojer miroslavpojer added the infrastructure Project setup and deployment label Nov 10, 2025
@coderabbitai

coderabbitai bot commented Nov 10, 2025

Walkthrough

Bumped Doobie and Circe versions in project/Dependencies.scala; updated a test Transactor call to use named parameters and logHandler = None; removed several doobie.implicits javatime/javasql-based Meta tests in AvailableMetaInstancesUnitTests.scala. No public API changes.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependency updates (`project/Dependencies.scala`) | Updated Doobie artifacts (doobie-core, doobie-hikari, doobie-postgres, doobie-postgres-circe) from RC2 → RC11. Updated io.circe:circe-generic from 0.14.9 → 0.14.15 (Test scope preserved). No semantic code changes. |
| Test Transactor call (`doobie/src/test/scala/za/co/absa/db/fadb/testing/classes/DoobieTest.scala`) | Replaced positional Transactor.fromDriverManager[IO](...) arguments with named parameters driver, url, user, password and added logHandler = None. Call semantics remain equivalent. |
| Test removals / coverage reduction (`doobie/src/test/scala/za/co/absa/db/fadb/doobie/AvailableMetaInstancesUnitTests.scala`) | Removed tests that relied on doobie.implicits.javatimedrivernative and doobie.implicits.javasql for various Meta instances (java.time and java.sql variants). Left doobie.postgres.implicits-based tests and other existing cases intact. No public API changes. |

Sequence Diagram(s)

(Skipped — changes are dependency/version bumps and test modifications/removals; no control-flow diagrams necessary.)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Review points:
    • Verify dependency coordinates and scopes in project/Dependencies.scala; run CI/build to confirm compilation and test outcomes with Doobie RC11 and Circe 0.14.15.
    • Confirm intended behavior change from logHandler = None in DoobieTest.scala (test logging/suppression).
    • Inspect removed tests in AvailableMetaInstancesUnitTests.scala to ensure no desired compatibility checks were inadvertently dropped for non-Postgres JDBC/time mappings.

Poem

🐇 I hopped through the changelog, versions in tow,

RC11 gleamed where RC2 used to show.
I named the params and hushed the log's tone,
Trimmed tests that relied on JDBC alone.
A tidy hop — the garden's seeds are sown. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly references CVE-2022-31183 and mentions it's a fix, directly matching the pull request's main objective of addressing a critical security vulnerability through dependency updates. |
| Linked Issues check | ✅ Passed | The pull request successfully addresses CVE-2022-31183 by updating doobie dependencies (RC2 to RC11) and circe-generic, meeting the objective to update affected dependency versions. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to fixing CVE-2022-31183: dependency updates (Doobie RC2→RC11, circe-generic 0.14.9→0.14.15) and test updates to accommodate the new versions. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4074a61 and d04902d.

📒 Files selected for processing (2)
  • doobie/src/test/scala/za/co/absa/db/fadb/doobie/AvailableMetaInstancesUnitTests.scala (0 hunks)
  • project/Dependencies.scala (1 hunks)
💤 Files with no reviewable changes (1)
  • doobie/src/test/scala/za/co/absa/db/fadb/doobie/AvailableMetaInstancesUnitTests.scala


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b6ef2df and 6a52fc7.

📒 Files selected for processing (1)
  • project/Dependencies.scala (1 hunks)

Comment on lines +48 to +52
"org.tpolecat" %% "doobie-core" % "1.0.0-RC11",
"org.tpolecat" %% "doobie-hikari" % "1.0.0-RC11",
"org.tpolecat" %% "doobie-postgres" % "1.0.0-RC11",
"org.tpolecat" %% "doobie-postgres-circe" % "1.0.0-RC11",
"io.circe" %% "circe-generic" % "0.14.15" % Test
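Review bot: the `circe-generic` entry on the last line is `% Test`-scoped, so the 0.14.15 pin only governs the test classpath; whatever Circe version reaches the published artifacts still arrives transitively through `doobie-postgres-circe`. Before treating CVE-2022-31183 as closed, check the resolved compile-scope versions of the Circe modules (for example with `sbt evicted` or a dependency tree listing) and, if they are below the fixed version, pin them explicitly in compile scope rather than only in Test.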

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify transitive Circe dependencies and RC stability.

The version updates appear to address CVE-2022-31183. However, please verify:

  1. That doobie-postgres-circe 1.0.0-RC11 transitively brings in Circe >= 0.14.2 (the fixed version)
  2. That no other Circe modules in the codebase require updates
  3. That Doobie 1.0.0-RC11 is stable enough for production use

Run the following script to check transitive Circe dependencies and search for other Circe usage:


🏁 Script executed:

```bash
#!/bin/bash
# Check what version of circe is brought in by doobie-postgres-circe 1.0.0-RC11
echo "Checking Doobie 1.0.0-RC11 transitive dependencies..."
curl -s "https://repo1.maven.org/maven2/org/tpolecat/doobie-postgres-circe_2.13/1.0.0-RC11/doobie-postgres-circe_2.13-1.0.0-RC11.pom" | grep -A 2 "circe"

# Search for other circe dependencies in the project
echo -e "\n\nSearching for other circe dependencies in the project..."
rg -n --type=scala 'circe' -C 2
```
Length of output: 7298



---

🌐 Web query:

```web
Doobie 1.0.0 release status stable version RC11
```

💡 Result:

Short answer: 1.0.0‑RC11 does not appear to be released. The latest published release series on Scala Index / mirrors is 1.0.0‑RC10 (released July 13, 2025). [1][2]

Sources:

  • Scala Index listing for doobie artifacts (1.0.0‑RC10). [1]
  • Sourceforge mirror showing v1.0.0‑RC10 (and prior RCs). [2]


---

🌐 Web query:

```web
Doobie 1.0.0 stable final release latest version
```

💡 Result:

There is no stable 1.0.0 final release — Doobie is still published as release candidates. The most recent published version I found is 1.0.0‑RC10 (released July 13, 2025). [1][2]

Sources:

  • doobie-scalatest 1.0.0‑RC10 (index-dev.scala‑lang). [1]
  • doobie-core 1.0.0‑RC9 (index.scala‑lang) — shows RC series leading to RC10. [2]

Update Doobie versions from 1.0.0-RC11 to 1.0.0-RC10.

Doobie 1.0.0-RC11 does not exist in public repositories; the latest published version is 1.0.0-RC10 (released July 13, 2025). Update all four Doobie dependencies on lines 48-51 to use 1.0.0-RC10 instead.

The Circe updates to 0.14.15 correctly address CVE-2022-31183 and align with transitive Circe dependencies from doobie-postgres-circe.

🤖 Prompt for AI Agents
In project/Dependencies.scala around lines 48 to 52, the four Doobie
dependencies currently reference the non-existent "1.0.0-RC11"; update
"org.tpolecat" %% "doobie-core", "doobie-hikari", "doobie-postgres", and
"doobie-postgres-circe" to use "1.0.0-RC10" instead; leave the Circe test
dependency ("io.circe" %% "circe-generic" % "0.14.15" % Test) as-is since it is
correct and aligns with the transitive Circe versions.
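As an added example (not code from the PR or from CodeRabbit), a small checker that does offline what the review's script does with curl and grep: it parses a Maven POM, pulls out the io.circe artifacts and flags any whose version is below the 0.14.2 fixed version the review cites. The POM fragment is constructed for the example; the version ordering also handles RC suffixes so that 1.0.0-RC2 < 1.0.0-RC11 < 1.0.0, as the Doobie coordinates on this PR require.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample POM fragment; it is not the real doobie-postgres-circe POM.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>io.circe</groupId><artifactId>circe-core_2.13</artifactId><version>0.14.1</version></dependency>
    <dependency><groupId>io.circe</groupId><artifactId>circe-parser_2.13</artifactId><version>0.14.15</version></dependency>
    <dependency><groupId>org.postgresql</groupId><artifactId>postgresql</artifactId><version>42.7.3</version></dependency>
  </dependencies>
</project>"""

FIXED_CIRCE = "0.14.2"  # first Circe release the review names as fixing CVE-2022-31183
NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def version_key(v):
    """Sort key for Maven-style versions: numeric parts compared as integers,
    and a pre-release suffix (e.g. -RC11) sorts before the final release."""
    base, _, pre = v.partition("-")
    nums = tuple(int(x) for x in re.findall(r"\d+", base))
    if not pre:
        return (nums, 1, ())            # final release outranks any RC of the same base
    pre_nums = tuple(int(x) for x in re.findall(r"\d+", pre))
    return (nums, 0, pre_nums)


def circe_versions(pom_xml):
    """Map of io.circe artifactId -> declared version found in the POM.
    Versions written as ${property} placeholders are returned verbatim, not resolved."""
    root = ET.fromstring(pom_xml)
    found = {}
    for dep in root.findall(".//m:dependency", NS):
        if dep.findtext("m:groupId", namespaces=NS) == "io.circe":
            artifact = dep.findtext("m:artifactId", namespaces=NS)
            found[artifact] = dep.findtext("m:version", namespaces=NS)
    return found


def vulnerable_circe(pom_xml, fixed=FIXED_CIRCE):
    """Circe artifacts in the POM whose version is older than the fixed version."""
    return {a: v for a, v in circe_versions(pom_xml).items()
            if version_key(v) < version_key(fixed)}


if __name__ == "__main__":
    for artifact, version in vulnerable_circe(SAMPLE_POM).items():
        print(f"{artifact} {version} is below fixed version {FIXED_CIRCE}")
```

Pointing `ET.fromstring` at a downloaded POM (the curl line in the review) gives the same check against a real artifact.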

@github-actions

github-actions bot commented Nov 10, 2025

JaCoCo core module code coverage report - scala 2.13.11

Build Failed

@github-actions

github-actions bot commented Nov 10, 2025

JaCoCo doobie module code coverage report - scala 2.13.11

Build Failed

@github-actions

github-actions bot commented Nov 10, 2025

JaCoCo slick module code coverage report - scala 2.13.11

Build Failed

@miroslavpojer
Contributor Author

The required update of libraries brings complex changes in implicits. The fix is not easy.
PR used for deeper analysis.

@benedeki
Contributor

@miroslavpojer what is the issue identified by Aquasec? And can I delete the branch?

Labels

infrastructure Project setup and deployment

Development

Successfully merging this pull request may close these issues.

Aquasec - Criticals - Fix - CVE-2022-31183

2 participants