Dependency changes and vulnerability check

author Martin Stockhammer <martin_s@apache.org>

Sun, 29 Aug 2021 19:07:38 +0000 (21:07 +0200)

committer Martin Stockhammer <martin_s@apache.org>

Sun, 29 Aug 2021 19:07:38 +0000 (21:07 +0200)
author Martin Stockhammer <martin_s@apache.org>
Sun, 29 Aug 2021 19:07:38 +0000 (21:07 +0200)
committer Martin Stockhammer <martin_s@apache.org>
Sun, 29 Aug 2021 19:07:38 +0000 (21:07 +0200)
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml b/archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml

index 2a3f08f775ca6ebd18697aa66ed49ef8671ce52c..c18030118a9fdcdb5cdb8fc2a85885a2d5242773 100644 (file)
--- a/archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml
+++ b/archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml
@@ -73,4 +73,23 @@
      <cpe>cpe:/a:jquery_file_upload_project:jquery_file_upload</cpe>
    </suppress>
  
+  <suppress>
+    <notes><![CDATA[
+   file name: jdom2-2.0.6.jar
+   This is a dependency of rometools/rome (RSS library), they addressed the issue (see https://github.com/rometools/rome/issues/469)
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.jdom/jdom2@.*$</packageUrl>
+    <cpe>cpe:/a:jdom:jdom</cpe>
+    <vulnerabilityName>CVE-2021-33813</vulnerabilityName>
+  </suppress>
+
+  <suppress>
+    <notes><![CDATA[
+   file name: native-protocol-1.5.0.jar
+   This is a vulnerability of cassandra server. We will ignore it for the client driver.
+   ]]></notes>
+    <packageUrl regex="true">^pkg:maven/com\.datastax\.oss/native\-protocol@.*$</packageUrl>
+    <cpe>cpe:/a:apache:cassandra</cpe>
+    <vulnerabilityName>CVE-2020-13946</vulnerabilityName>
+  </suppress>
  </suppressions>
diff --git a/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml b/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml

index 5ac5c6c3b134dd62498de7094f3e3cfe96f06f39..58bb31b62dc2c6d1a7bbd4883f6a27fef31613a1 100644 (file)
--- a/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml
+++ b/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml
@@ -31,7 +31,7 @@
  
    <properties>
      <site.staging.base>${project.parent.parent.basedir}</site.staging.base>
-    <cassandraVersion>4.0.0</cassandraVersion>
+    <cassandraVersion>3.11.10</cassandraVersion>
      <datastax.driver.version>4.13.0</datastax.driver.version>
    </properties>
  
@@ -103,85 +103,6 @@
        <artifactId>modelmapper</artifactId>
      </dependency>
  
-    <!--
-    <dependency>
-      <groupId>org.yaml</groupId>
-      <artifactId>snakeyaml</artifactId>
-      <version>1.27</version>
-    </dependency>
--->
-    <dependency>
-      <groupId>org.apache.cassandra</groupId>
-      <artifactId>cassandra-all</artifactId>
-      <version>${cassandraVersion}</version>
-      <scope>test</scope>
-      <exclusions>
-        <exclusion>
-          <groupId>log4j</groupId>
-          <artifactId>log4j</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.slf4j</groupId>
-          <artifactId>slf4j-log4j12</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.slf4j</groupId>
-          <artifactId>jcl-over-slf4j</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>ch.qos.logback</groupId>
-          <artifactId>logback-core</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.mortbay.jetty</groupId>
-          <artifactId>jetty</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>javax.servlet</groupId>
-          <artifactId>servlet-api</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.slf4j</groupId>
-          <artifactId>log4j-over-slf4j</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>ch.qos.logback</groupId>
-          <artifactId>logback-classic</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.jboss.logging</groupId>
-          <artifactId>jboss-logging</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>javax.inject</groupId>
-          <artifactId>javax.inject</artifactId>
-        </exclusion>
-          <exclusion>
-            <groupId>javax.validation</groupId>
-            <artifactId>validation-api</artifactId>
-          </exclusion>
-        <exclusion>
-          <groupId>com.fasterxml.jackson.core</groupId>
-          <artifactId>jackson-core</artifactId>
-        </exclusion>
-        <!-- Brings hibernate-validator dependency with ancient version, which is vulnerable. Not necessary for archiva. -->
-        <exclusion>
-          <groupId>com.addthis.metrics</groupId>
-          <artifactId>reporter-config3</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>net.openhft</groupId>
-          <artifactId>chronicle-wire</artifactId>
-        </exclusion>
-      </exclusions>
-    </dependency>
-    <dependency>
-      <groupId>net.openhft</groupId>
-      <artifactId>chronicle-wire</artifactId>
-      <version>2.21.89</version>
-      <scope>test</scope>
-    </dependency>
-
      <dependency>
        <groupId>com.datastax.oss</groupId>
        <artifactId>java-driver-core</artifactId>
@@ -198,93 +119,6 @@
        <version>${datastax.driver.version}</version>
      </dependency>
  
-    <!--
-    <dependency>
-      <groupId>org.hectorclient</groupId>
-      <artifactId>hector-core</artifactId>
-      <version>1.1-4</version>
-      <exclusions>
-        <exclusion>
-          <groupId>javax.servlet</groupId>
-          <artifactId>servlet-api</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>com.ecyrd.speed4j</groupId>
-          <artifactId>speed4j</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>com.yammer.metrics</groupId>
-          <artifactId>metrics-core</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.slf4j</groupId>
-          <artifactId>log4j-over-slf4j</artifactId>
-        </exclusion>
-      </exclusions>
-    </dependency>
-    -->
-    <!--
-    <dependency>
-      <groupId>org.apache.cassandra</groupId>
-      <artifactId>cassandra-thrift</artifactId>
-      <version>${cassandraVersion}</version>
-      <exclusions>
-        <exclusion>
-          <groupId>javax.servlet</groupId>
-          <artifactId>servlet-api</artifactId>
-        </exclusion>
-          <exclusion>
-            <groupId>org.apache.ant</groupId>
-            <artifactId>ant</artifactId>
-          </exclusion>
-      </exclusions>
-    </dependency>
-    -->
-    <!-- Transient dependencies of cassandra that are selected to use a higher version -->
-    <!--
-    <dependency>
-      <groupId>org.apache.thrift</groupId>
-      <artifactId>libthrift</artifactId>
-      <version>0.13.0</version>
-      <exclusions>
-        <exclusion>
-          <groupId>javax.annotation</groupId>
-          <artifactId>javax.annotation-api</artifactId>
-        </exclusion>
-      </exclusions>
-    </dependency>
-    <dependency>
-      <groupId>org.mindrot</groupId>
-      <artifactId>jbcrypt</artifactId>
-      <version>0.4</version>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.tika</groupId>
-      <artifactId>tika-core</artifactId>
-      <version>1.26</version>
-    </dependency>
--->
-    <!-- Transitive dependency. Declared here to increase the version. -->
-    <!--
-    <dependency>
-      <groupId>io.netty</groupId>
-      <artifactId>netty-all</artifactId>
-      <version>${netty.version}</version>
-    </dependency>
-    -->
-    <!--
-    <dependency>
-      <groupId>com.fasterxml.jackson.core</groupId>
-      <artifactId>jackson-core</artifactId>
-    </dependency>
--->
-    <!-- Is a dependency of cassandra -> hibernate-validator and replaced by new version -->
-    <!--
-    <dependency>
-      <groupId>org.jboss.logging</groupId>
-      <artifactId>jboss-logging</artifactId>
-    </dependency>
-    -->
  
      <!-- TEST Scope -->
      <dependency>
@@ -352,6 +186,7 @@
          <filtering>true</filtering>
        </testResource>
      </testResources>
+
      <plugins>
        <plugin>
          <groupId>org.codehaus.mojo</groupId>
@@ -432,7 +267,7 @@ num_tokens: 1
              <dependency>
                <groupId>org.apache.cassandra</groupId>
                <artifactId>cassandra-all</artifactId>
-              <version>3.11.10</version>
+              <version>${cassandraVersion}</version>
              </dependency>
          </dependencies>
        </plugin>
@@ -479,7 +314,6 @@ num_tokens: 1
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-surefire-plugin</artifactId>
            <executions>
-
            </executions>
            <configuration>
              <skip>true</skip>
@@ -492,6 +326,7 @@ num_tokens: 1
            <configuration>
              <excludes>
                <exclude>src/cassandra/**</exclude>
+              <exclude>src/test/resources/cassandra-test.yaml</exclude>
              </excludes>
            </configuration>
          </plugin>
diff --git a/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java b/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java

index a8cb1a700c6543f5b379c65cdce2071b6642c240..84fa5149ce605524ab038c84d1204c3baa436083 100644 (file)
--- a/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java
+++ b/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java
@@ -131,6 +131,7 @@ public class OakRepositoryFactory
      int cacheSizeInMB = 20;
      int cacheExpiryInSecs = 300;
      int threadPoolSize = 5;
+    long queueTimeOutMs = 60000;
  
      private StatisticsProvider statisticsProvider;
  
@@ -281,7 +282,7 @@ public class OakRepositoryFactory
              log.info("Hybrid indexing feature disabled");
              return;
          }
-        documentQueue = new DocumentQueue( queueSize, tracker, getExecutorService(), statisticsProvider);
+        documentQueue = new DocumentQueue( queueSize, queueTimeOutMs, tracker, getExecutorService(), statisticsProvider);
          LocalIndexObserver localIndexObserver = new LocalIndexObserver(documentQueue, statisticsProvider);
  
          int observerQueueSize = 1000;
diff --git a/archiva-modules/metadata/metadata-store-provider/oak-jcr/oak-jcr-lucene/pom.xml b/archiva-modules/metadata/metadata-store-provider/oak-jcr/oak-jcr-lucene/pom.xml

index 067be3edad66d14b49615d01611b1c72700f6ae4..06f38aa5a13524424af8bf4ceb8a90509c6d4559 100644 (file)
--- a/archiva-modules/metadata/metadata-store-provider/oak-jcr/oak-jcr-lucene/pom.xml
+++ b/archiva-modules/metadata/metadata-store-provider/oak-jcr/oak-jcr-lucene/pom.xml
@@ -81,6 +81,10 @@
            <groupId>org.apache.lucene</groupId>
            <artifactId>lucene-suggest</artifactId>
          </exclusion>
+        <exclusion>
+          <groupId>org.apache.tika</groupId>
+          <artifactId>tika-core</artifactId>
+        </exclusion>
        </exclusions>
      </dependency>
      <!-- We reapply the original transitive dependencies -->
@@ -113,6 +117,11 @@
        <groupId>org.apache.jackrabbit</groupId>
        <artifactId>oak-search</artifactId>
      </dependency>
+    <dependency>
+      <groupId>org.apache.tika</groupId>
+      <artifactId>tika-core</artifactId>
+      <version>1.27</version>
+    </dependency>
    </dependencies>
  
  
diff --git a/pom.xml b/pom.xml

index 3acfee38313c2ca629be2cd1f872d770fc9a78c0..403cc372bb9af4ae15c38945af05e6a0daa130dc 100644 (file)
--- a/pom.xml
+++ b/pom.xml
@@ -64,8 +64,8 @@
  
  
      <!-- dependencies of maven modules -->
-    <jsoup.version>1.12.1</jsoup.version>
-    <rome.version>1.13.1</rome.version>
+    <jsoup.version>1.14.2</jsoup.version>
+    <rome.version>1.16.0</rome.version>
      <cronutils.version>9.1.3</cronutils.version>
  
      <lucene.version>4.10.4</lucene.version>
@@ -74,7 +74,7 @@
      <javax.jcr.version>2.0</javax.jcr.version>
      <!-- If you change the JCR OAK version, you may have to update the pom.xml in the module oak-jcr-lucene
           to adapt to dependency changes -->
-    <jcr-oak.version>1.30.0</jcr-oak.version>
+    <jcr-oak.version>1.40.0</jcr-oak.version>
      <netty.version>4.1.50.Final</netty.version>
author	Martin Stockhammer <martin_s@apache.org>
	Sun, 29 Aug 2021 19:07:38 +0000 (21:07 +0200)
committer	Martin Stockhammer <martin_s@apache.org>
	Sun, 29 Aug 2021 19:07:38 +0000 (21:07 +0200)
archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml		patch \| blob \| history
archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml		patch \| blob \| history
archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java		patch \| blob \| history
archiva-modules/metadata/metadata-store-provider/oak-jcr/oak-jcr-lucene/pom.xml		patch \| blob \| history
pom.xml		patch \| blob \| history