Contact Details
No response
Version
8.x
On which operating system(s) are you experiencing the issue?
Linux
Using which broker(s) did you encounter the issue?
ActiveMQ
What are the steps required to reproduce the issue?
MassTransit.ActiveMQ 8.5.4 has a transitive dependency to Apache.NMS.AMQP version 2.2.0 which is the source of the CVE. I tried upgrading to Apache.NMS.AMQP 2.4.0 but I get the following error:
Apache.NMS.NMSConnectionException: Could not create the IConnectionFactory implementation: Exception has been thrown by the target of an invocation.
---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation.
---> System.InvalidOperationException: Instances of abstract classes cannot be created.
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle.InvokeMethod(Object target, Span`1& arguments, Signature sig, Boolean constructor, Boolean wrapExceptions)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture)
at Apache.NMS.NMSConnectionFactory.CreateConnectionFactory(Uri uriProvider, Object[] constructorParams)
--- End of inner exception stack trace ---
at Apache.NMS.NMSConnectionFactory.CreateConnectionFactory(Uri uriProvider, Object[] constructorParams)
at MassTransit.ActiveMqTransport.Configuration.ConfigurationHostSettings.CreateConnection() in /_/src/Transports/MassTransit.ActiveMqTransport/ActiveMqTransport/Configuration/ConfigurationHostSettings.cs:line 90
at MassTransit.ActiveMqTransport.ConnectionContextFactory.CreateConnection(ISupervisor supervisor) in /_/src/Transports/MassTransit.ActiveMqTransport/ActiveMqTransport/ConnectionContextFactory.cs:line 95What is the expected behavior?
MassTransit.ActiveMQ package no longer references library with critical CVE
What actually happened?
MassTransit.ActiveMQ package contains CVE
Related log output, including any exceptions
Link to repository that demonstrates/reproduces the issue
No response
Contact Details
No response
Version
8.x
On which operating system(s) are you experiencing the issue?
Linux
Using which broker(s) did you encounter the issue?
ActiveMQ
What are the steps required to reproduce the issue?
What is the expected behavior?
MassTransit.ActiveMQ package no longer references library with critical CVE
What actually happened?
MassTransit.ActiveMQ package contains CVE
Related log output, including any exceptions
Link to repository that demonstrates/reproduces the issue
No response