From fe62dd393e16d535a2228e420d249db5008706e0 Mon Sep 17 00:00:00 2001 From: way zheng Date: Thu, 18 Dec 2025 00:30:13 -0800 Subject: [PATCH 1/8] Add debug logging to identify failing testV2IdentityMapUnmapped cases --- src/test/java/suite/operator/OperatorTest.java | 11 +++++++++++ src/test/java/suite/operator/TestData.java | 9 +++++++++ 2 files changed, 20 insertions(+) diff --git a/src/test/java/suite/operator/OperatorTest.java b/src/test/java/suite/operator/OperatorTest.java index 17422fe..0dd99de 100644 --- a/src/test/java/suite/operator/OperatorTest.java +++ b/src/test/java/suite/operator/OperatorTest.java @@ -102,7 +102,18 @@ public void testV2TokenValidate(String label, Operator operator, String operator "suite.operator.TestData#identityMapBatchBadPhoneArgs" }) public void testV2IdentityMapUnmapped(String label, Operator operator, String operatorName, String payload) throws Exception { + System.out.println("========================================"); + System.out.println("TEST: testV2IdentityMapUnmapped"); + System.out.println("Label: " + label); + System.out.println("Operator: " + operatorName); + System.out.println("Payload: " + payload); + JsonNode response = operator.v2IdentityMap(payload); + + System.out.println("Response: " + response.toString()); + System.out.println("Status: " + response.at("/status").asText()); + System.out.println("Unmapped reason: " + response.at("/body/unmapped/0/reason").asText()); + System.out.println("========================================"); assertThat(response.at("/status").asText()).isEqualTo("success"); assertThat(response.at("/body/unmapped/0/reason").asText()).isEqualTo("invalid identifier"); diff --git a/src/test/java/suite/operator/TestData.java b/src/test/java/suite/operator/TestData.java index e55fbb3..54b04a0 100644 --- a/src/test/java/suite/operator/TestData.java +++ b/src/test/java/suite/operator/TestData.java @@ -278,9 +278,12 @@ public static Set identityMapBatchBadEmailArgs() { ); Set args = new HashSet<>(); + int index = 0; for (Operator operator : operators) { for (List input : inputs) { + System.out.println("[EMAIL-BAD-" + index + "] " + input.get(0) + " | Operator: " + operator.getName()); args.add(Arguments.of(input.get(0), operator, operator.getName(), input.get(1))); + index++; } } return args; @@ -297,11 +300,17 @@ public static Set identityMapBatchBadPhoneArgs() { Set args = new HashSet<>(); if (App.PHONE_SUPPORT) { + System.out.println("PHONE_SUPPORT is TRUE - generating phone tests"); + int index = 0; for (Operator operator : operators) { for (List input : inputs) { + System.out.println("[PHONE-BAD-" + index + "] " + input.get(0) + " | Operator: " + operator.getName()); args.add(Arguments.of(input.get(0), operator, operator.getName(), input.get(1))); + index++; } } + } else { + System.out.println("PHONE_SUPPORT is FALSE - skipping phone tests"); } return args; } From 6be54a1e08900cf4da9e381d0df760b6b5e2e8ee Mon Sep 17 00:00:00 2001 From: way zheng Date: Thu, 18 Dec 2025 00:44:05 -0800 Subject: [PATCH 2/8] skip vs --- .trivyignore | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.trivyignore b/.trivyignore index 0a8aa9a..2ed2d7f 100644 --- a/.trivyignore +++ b/.trivyignore @@ -1,3 +1,7 @@ # List any vulnerability that are to be accepted # See https://aquasecurity.github.io/trivy/v0.35/docs/vulnerability/examples/filter/ # for more details + + +#skip this cve to unblock debug testing +CVE-2025-55163 \ No newline at end of file From cedb1a5ba8e81cfa09adeb5f7b31e5f8313a0f2a Mon Sep 17 00:00:00 2001 From: way zheng Date: Mon, 12 Jan 2026 16:29:50 -0800 Subject: [PATCH 3/8] UID2-6486: Fix CVE-2025-68973 GnuPG out-of-bounds write vulnerability Update system packages in Docker image to address HIGH severity CVE-2025-68973 affecting GnuPG packages (gnupg, dirmngr, gpg, gpg-agent, gpgconf, gpgsm, gpgv, keyboxd). Vulnerability: Out-of-bounds write in armor_filter function that could lead to memory corruption and potential arbitrary code execution. --- Dockerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Dockerfile b/Dockerfile index 4fa6cf4..9b79b62 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,6 +3,9 @@ ###################### FROM maven:3.9.11-eclipse-temurin-21 +# UID2-6486: Fix CVE-2025-68973 (GnuPG out-of-bounds write) +RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/* + WORKDIR /app COPY ./pom.xml ./pom.xml From 23e2bf566e6b40951381ee67a14cb49684787e67 Mon Sep 17 00:00:00 2001 From: way zheng Date: Mon, 12 Jan 2026 16:36:37 -0800 Subject: [PATCH 4/8] revert back to files same with main --- Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Dockerfile b/Dockerfile index 4fa6cf4..a1b762c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,6 +3,8 @@ ###################### FROM maven:3.9.11-eclipse-temurin-21 +RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/* + WORKDIR /app COPY ./pom.xml ./pom.xml From 19bcd07db3042008c97fcf63f89147a1cfda96df Mon Sep 17 00:00:00 2001 From: way zheng Date: Mon, 12 Jan 2026 16:38:58 -0800 Subject: [PATCH 5/8] Revert debug logging in OperatorTest --- src/test/java/suite/operator/OperatorTest.java | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/src/test/java/suite/operator/OperatorTest.java b/src/test/java/suite/operator/OperatorTest.java index 0dd99de..17422fe 100644 --- a/src/test/java/suite/operator/OperatorTest.java +++ b/src/test/java/suite/operator/OperatorTest.java @@ -102,18 +102,7 @@ public void testV2TokenValidate(String label, Operator operator, String operator "suite.operator.TestData#identityMapBatchBadPhoneArgs" }) public void testV2IdentityMapUnmapped(String label, Operator operator, String operatorName, String payload) throws Exception { - System.out.println("========================================"); - System.out.println("TEST: testV2IdentityMapUnmapped"); - System.out.println("Label: " + label); - System.out.println("Operator: " + operatorName); - System.out.println("Payload: " + payload); - JsonNode response = operator.v2IdentityMap(payload); - - System.out.println("Response: " + response.toString()); - System.out.println("Status: " + response.at("/status").asText()); - System.out.println("Unmapped reason: " + response.at("/body/unmapped/0/reason").asText()); - System.out.println("========================================"); assertThat(response.at("/status").asText()).isEqualTo("success"); assertThat(response.at("/body/unmapped/0/reason").asText()).isEqualTo("invalid identifier"); From b8af4172405943c40ce542462210e45725fd5a11 Mon Sep 17 00:00:00 2001 From: way zheng Date: Mon, 12 Jan 2026 16:39:18 -0800 Subject: [PATCH 6/8] Revert debug changes in .trivyignore and TestData --- .trivyignore | 4 ---- src/test/java/suite/operator/TestData.java | 9 --------- 2 files changed, 13 deletions(-) diff --git a/.trivyignore b/.trivyignore index 2ed2d7f..0a8aa9a 100644 --- a/.trivyignore +++ b/.trivyignore @@ -1,7 +1,3 @@ # List any vulnerability that are to be accepted # See https://aquasecurity.github.io/trivy/v0.35/docs/vulnerability/examples/filter/ # for more details - - -#skip this cve to unblock debug testing -CVE-2025-55163 \ No newline at end of file diff --git a/src/test/java/suite/operator/TestData.java b/src/test/java/suite/operator/TestData.java index 54b04a0..e55fbb3 100644 --- a/src/test/java/suite/operator/TestData.java +++ b/src/test/java/suite/operator/TestData.java @@ -278,12 +278,9 @@ public static Set identityMapBatchBadEmailArgs() { ); Set args = new HashSet<>(); - int index = 0; for (Operator operator : operators) { for (List input : inputs) { - System.out.println("[EMAIL-BAD-" + index + "] " + input.get(0) + " | Operator: " + operator.getName()); args.add(Arguments.of(input.get(0), operator, operator.getName(), input.get(1))); - index++; } } return args; @@ -300,17 +297,11 @@ public static Set identityMapBatchBadPhoneArgs() { Set args = new HashSet<>(); if (App.PHONE_SUPPORT) { - System.out.println("PHONE_SUPPORT is TRUE - generating phone tests"); - int index = 0; for (Operator operator : operators) { for (List input : inputs) { - System.out.println("[PHONE-BAD-" + index + "] " + input.get(0) + " | Operator: " + operator.getName()); args.add(Arguments.of(input.get(0), operator, operator.getName(), input.get(1))); - index++; } } - } else { - System.out.println("PHONE_SUPPORT is FALSE - skipping phone tests"); } return args; } From 1df672421f4bb66efd22ae2c8da3b3a6edb230e1 Mon Sep 17 00:00:00 2001 From: way zheng Date: Mon, 12 Jan 2026 16:57:32 -0800 Subject: [PATCH 7/8] UID2-6486: Update uid2-shared to 11.1.124 to fix CVE-2025-55163 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index fc897e2..a5cab32 100644 --- a/pom.xml +++ b/pom.xml @@ -12,7 +12,7 @@ 21 21 4.5.21 - 11.1.13 + 11.1.124 From 4fa59b4744ad7627b4d0b5d4f9a79edb2db452af Mon Sep 17 00:00:00 2001 From: way zheng Date: Mon, 12 Jan 2026 16:57:32 -0800 Subject: [PATCH 8/8] UID2-6486: Update uid2-shared to 11.4.0 to fix CVE-2025-55163 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index fc897e2..bd2737b 100644 --- a/pom.xml +++ b/pom.xml @@ -12,7 +12,7 @@ 21 21 4.5.21 - 11.1.13 + 11.4.0