[Java] Vulnerability in version of gradlew generated by default
Created by: grEvenX
Description
While generating scala-httpclient, Java or android clients, they all use an old template for gradle-wrapper.properties.mustache
pointing to Gradle version 2.6.
Our dependency vulnerability scanner picked up on this version being vulnerable as it allows remote attackers to execute arbitrary code via a crafted serialized object.
See https://nvd.nist.gov/vuln/detail/CVE-2016-6199 for reference.
The configuration files making gradle vulnerable are located here:
- openapi-generator/modules/openapi-generator/src/main/resources/android/gradle-wrapper.properties.mustache
- openapi-generator/modules/openapi-generator/src/main/resources/Java/gradle-wrapper.properties.mustache
- openapi-generator/modules/openapi-generator/src/main/resources/scala-httpclient/gradle-wrapper.properties.mustache
openapi-generator version
all versions
Suggest a fix
I'm not familiar with the build process on these clients, so I'm not sure if this version is old just because it has been "forgotten", or if there are valid reasons to use such an old version of Gradle. I think it should be fairly safe to upgrade the one used to Gradle version 2.14.1 at least (released on Jul 18, 2016). It could be considered if upgrading it to a more up to date version of gradle would be better.
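The check below is an added example, not code from the issue or from the openapi-generator project. It reads the `distributionUrl` line of a rendered `gradle-wrapper.properties` file (the mustache templates above render to that format; treating the rendered files as the input is an assumption), extracts the pinned Gradle version and flags anything older than 2.14.1, the version the report suggests as a minimum. The two sample properties files are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example: scan gradle-wrapper.properties files for a Gradle version
# older than the one the report proposes. Not part of openapi-generator.

# Threshold taken from the report's suggestion (2.14.1), not from NVD data.
MIN_GRADLE_VERSION="2.14.1"

# gradle_version_from_properties FILE
# Prints the version embedded in distributionUrl (e.g. "2.6"); prints nothing
# when the file has no recognizable distributionUrl line.
gradle_version_from_properties() {
    sed -n 's/^distributionUrl=.*gradle-\([0-9][0-9.]*\)-[a-z]*\.zip.*/\1/p' "$1" | head -n 1
}

# version_lt A B : succeeds when dotted version A is strictly older than B.
# Missing components (2.6 vs 2.6.0) are treated as zero by the numeric sort.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# check_wrapper FILE : 0 = pinned version acceptable, 1 = too old, 2 = unreadable
check_wrapper() {
    v=$(gradle_version_from_properties "$1")
    if [ -z "$v" ]; then
        echo "$1: no distributionUrl with a Gradle version found" >&2
        return 2
    fi
    if version_lt "$v" "$MIN_GRADLE_VERSION"; then
        echo "$1: pins Gradle $v, older than $MIN_GRADLE_VERSION" >&2
        return 1
    fi
    echo "$1: pins Gradle $v, OK"
    return 0
}

# Constructed sample inputs (not files from the project): one wrapper config
# pinned to 2.6 as the report describes, one already moved to 2.14.1.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'distributionBase=GRADLE_USER_HOME\ndistributionPath=wrapper/dists\nzipStoreBase=GRADLE_USER_HOME\nzipStorePath=wrapper/dists\ndistributionUrl=https\\://services.gradle.org/distributions/gradle-2.6-bin.zip\n' > "$SAMPLE_DIR/old.properties"
printf 'distributionBase=GRADLE_USER_HOME\ndistributionPath=wrapper/dists\nzipStoreBase=GRADLE_USER_HOME\nzipStorePath=wrapper/dists\ndistributionUrl=https\\://services.gradle.org/distributions/gradle-2.14.1-bin.zip\n' > "$SAMPLE_DIR/new.properties"

# Demo run over the constructed files; a failing check must not abort the script.
for f in "$SAMPLE_DIR"/*.properties; do
    check_wrapper "$f" || :
done
```

Pointing the loop at the generated client directories instead of `$SAMPLE_DIR` turns this into a quick regression check that the templates have not been reverted to the old version.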