diff options
author | Martin Stockhammer <martin_s@apache.org> | 2021-08-29 21:07:38 +0200 |
---|---|---|
committer | Martin Stockhammer <martin_s@apache.org> | 2021-08-29 21:07:38 +0200 |
commit | f40d750c006656fcfb332de8808cf63b17974ef8 (patch) | |
tree | 4b13ba23a1c8fa4ac67203df2cce41c8f0abdad8 /archiva-modules | |
parent | 7c4835ba140de0e30746852a8ff64db442e02065 (diff) | |
download | archiva-f40d750c006656fcfb332de8808cf63b17974ef8.tar.gz archiva-f40d750c006656fcfb332de8808cf63b17974ef8.zip |
Dependency changes and vulnerability check
Diffstat (limited to 'archiva-modules')
4 files changed, 34 insertions, 170 deletions
diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml b/archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml index 2a3f08f77..c18030118 100644 --- a/archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml +++ b/archiva-modules/archiva-web/archiva-webapp/src/main/resources/META-INF/owasp/cve-suppressions.xml @@ -73,4 +73,23 @@ <cpe>cpe:/a:jquery_file_upload_project:jquery_file_upload</cpe> </suppress> + <suppress> + <notes><![CDATA[ + file name: jdom2-2.0.6.jar + This is a dependency of rometools/rome (RSS library), they addressed the issue (see https://github.com/rometools/rome/issues/469) + ]]></notes> + <packageUrl regex="true">^pkg:maven/org\.jdom/jdom2@.*$</packageUrl> + <cpe>cpe:/a:jdom:jdom</cpe> + <vulnerabilityName>CVE-2021-33813</vulnerabilityName> + </suppress> + + <suppress> + <notes><![CDATA[ + file name: native-protocol-1.5.0.jar + This is a vulnerability of cassandra server. We will ignore it for the client driver. + ]]></notes> + <packageUrl regex="true">^pkg:maven/com\.datastax\.oss/native\-protocol@.*$</packageUrl> + <cpe>cpe:/a:apache:cassandra</cpe> + <vulnerabilityName>CVE-2020-13946</vulnerabilityName> + </suppress> </suppressions> diff --git a/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml b/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml index 5ac5c6c3b..58bb31b62 100644 --- a/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml +++ b/archiva-modules/metadata/metadata-store-provider/metadata-store-cassandra/pom.xml @@ -31,7 +31,7 @@ <properties> <site.staging.base>${project.parent.parent.basedir}</site.staging.base> - <cassandraVersion>4.0.0</cassandraVersion> + <cassandraVersion>3.11.10</cassandraVersion> <datastax.driver.version>4.13.0</datastax.driver.version> </properties> @@ -103,85 +103,6 @@ <artifactId>modelmapper</artifactId> </dependency> - <!-- - <dependency> - <groupId>org.yaml</groupId> - <artifactId>snakeyaml</artifactId> - <version>1.27</version> - </dependency> ---> - <dependency> - <groupId>org.apache.cassandra</groupId> - <artifactId>cassandra-all</artifactId> - <version>${cassandraVersion}</version> - <scope>test</scope> - <exclusions> - <exclusion> - <groupId>log4j</groupId> - <artifactId>log4j</artifactId> - </exclusion> - <exclusion> - <groupId>org.slf4j</groupId> - <artifactId>slf4j-log4j12</artifactId> - </exclusion> - <exclusion> - <groupId>org.slf4j</groupId> - <artifactId>jcl-over-slf4j</artifactId> - </exclusion> - <exclusion> - <groupId>ch.qos.logback</groupId> - <artifactId>logback-core</artifactId> - </exclusion> - <exclusion> - <groupId>org.mortbay.jetty</groupId> - <artifactId>jetty</artifactId> - </exclusion> - <exclusion> - <groupId>javax.servlet</groupId> - <artifactId>servlet-api</artifactId> - </exclusion> - <exclusion> - <groupId>org.slf4j</groupId> - <artifactId>log4j-over-slf4j</artifactId> - </exclusion> - <exclusion> - <groupId>ch.qos.logback</groupId> - <artifactId>logback-classic</artifactId> - </exclusion> - <exclusion> - <groupId>org.jboss.logging</groupId> - <artifactId>jboss-logging</artifactId> - </exclusion> - <exclusion> - <groupId>javax.inject</groupId> - <artifactId>javax.inject</artifactId> - </exclusion> - <exclusion> - <groupId>javax.validation</groupId> - <artifactId>validation-api</artifactId> - </exclusion> - <exclusion> - <groupId>com.fasterxml.jackson.core</groupId> - <artifactId>jackson-core</artifactId> - </exclusion> - <!-- Brings hibernate-validator dependency with ancient version, which is vulnerable. Not necessary for archiva. --> - <exclusion> - <groupId>com.addthis.metrics</groupId> - <artifactId>reporter-config3</artifactId> - </exclusion> - <exclusion> - <groupId>net.openhft</groupId> - <artifactId>chronicle-wire</artifactId> - </exclusion> - </exclusions> - </dependency> - <dependency> - <groupId>net.openhft</groupId> - <artifactId>chronicle-wire</artifactId> - <version>2.21.89</version> - <scope>test</scope> - </dependency> - <dependency> <groupId>com.datastax.oss</groupId> <artifactId>java-driver-core</artifactId> @@ -198,93 +119,6 @@ <version>${datastax.driver.version}</version> </dependency> - <!-- - <dependency> - <groupId>org.hectorclient</groupId> - <artifactId>hector-core</artifactId> - <version>1.1-4</version> - <exclusions> - <exclusion> - <groupId>javax.servlet</groupId> - <artifactId>servlet-api</artifactId> - </exclusion> - <exclusion> - <groupId>com.ecyrd.speed4j</groupId> - <artifactId>speed4j</artifactId> - </exclusion> - <exclusion> - <groupId>com.yammer.metrics</groupId> - <artifactId>metrics-core</artifactId> - </exclusion> - <exclusion> - <groupId>org.slf4j</groupId> - <artifactId>log4j-over-slf4j</artifactId> - </exclusion> - </exclusions> - </dependency> - --> - <!-- - <dependency> - <groupId>org.apache.cassandra</groupId> - <artifactId>cassandra-thrift</artifactId> - <version>${cassandraVersion}</version> - <exclusions> - <exclusion> - <groupId>javax.servlet</groupId> - <artifactId>servlet-api</artifactId> - </exclusion> - <exclusion> - <groupId>org.apache.ant</groupId> - <artifactId>ant</artifactId> - </exclusion> - </exclusions> - </dependency> - --> - <!-- Transient dependencies of cassandra that are selected to use a higher version --> - <!-- - <dependency> - <groupId>org.apache.thrift</groupId> - <artifactId>libthrift</artifactId> - <version>0.13.0</version> - <exclusions> - <exclusion> - <groupId>javax.annotation</groupId> - <artifactId>javax.annotation-api</artifactId> - </exclusion> - </exclusions> - </dependency> - <dependency> - <groupId>org.mindrot</groupId> - <artifactId>jbcrypt</artifactId> - <version>0.4</version> - </dependency> - <dependency> - <groupId>org.apache.tika</groupId> - <artifactId>tika-core</artifactId> - <version>1.26</version> - </dependency> ---> - <!-- Transitive dependency. Declared here to increase the version. --> - <!-- - <dependency> - <groupId>io.netty</groupId> - <artifactId>netty-all</artifactId> - <version>${netty.version}</version> - </dependency> - --> - <!-- - <dependency> - <groupId>com.fasterxml.jackson.core</groupId> - <artifactId>jackson-core</artifactId> - </dependency> ---> - <!-- Is a dependency of cassandra -> hibernate-validator and replaced by new version --> - <!-- - <dependency> - <groupId>org.jboss.logging</groupId> - <artifactId>jboss-logging</artifactId> - </dependency> - --> <!-- TEST Scope --> <dependency> @@ -352,6 +186,7 @@ <filtering>true</filtering> </testResource> </testResources> + <plugins> <plugin> <groupId>org.codehaus.mojo</groupId> @@ -432,7 +267,7 @@ num_tokens: 1 <dependency> <groupId>org.apache.cassandra</groupId> <artifactId>cassandra-all</artifactId> - <version>3.11.10</version> + <version>${cassandraVersion}</version> </dependency> </dependencies> </plugin> @@ -479,7 +314,6 @@ num_tokens: 1 <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-surefire-plugin</artifactId> <executions> - </executions> <configuration> <skip>true</skip> @@ -492,6 +326,7 @@ num_tokens: 1 <configuration> <excludes> <exclude>src/cassandra/**</exclude> + <exclude>src/test/resources/cassandra-test.yaml</exclude> </excludes> </configuration> </plugin> diff --git a/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java b/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java index a8cb1a700..84fa5149c 100644 --- a/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java +++ b/archiva-modules/metadata/metadata-store-provider/oak-jcr/metadata-store-jcr/src/main/java/org/apache/archiva/metadata/repository/jcr/OakRepositoryFactory.java @@ -131,6 +131,7 @@ public class OakRepositoryFactory int cacheSizeInMB = 20; int cacheExpiryInSecs = 300; int threadPoolSize = 5; + long queueTimeOutMs = 60000; private StatisticsProvider statisticsProvider; @@ -281,7 +282,7 @@ public class OakRepositoryFactory log.info("Hybrid indexing feature disabled"); return; } - documentQueue = new DocumentQueue( queueSize, tracker, getExecutorService(), statisticsProvider); + documentQueue = new DocumentQueue( queueSize, queueTimeOutMs, tracker, getExecutorService(), statisticsProvider); LocalIndexObserver localIndexObserver = new LocalIndexObserver(documentQueue, statisticsProvider); int observerQueueSize = 1000; diff --git a/archiva-modules/metadata/metadata-store-provider/oak-jcr/oak-jcr-lucene/pom.xml b/archiva-modules/metadata/metadata-store-provider/oak-jcr/oak-jcr-lucene/pom.xml index 067be3eda..06f38aa5a 100644 --- a/archiva-modules/metadata/metadata-store-provider/oak-jcr/oak-jcr-lucene/pom.xml +++ b/archiva-modules/metadata/metadata-store-provider/oak-jcr/oak-jcr-lucene/pom.xml @@ -81,6 +81,10 @@ <groupId>org.apache.lucene</groupId> <artifactId>lucene-suggest</artifactId> </exclusion> + <exclusion> + <groupId>org.apache.tika</groupId> + <artifactId>tika-core</artifactId> + </exclusion> </exclusions> </dependency> <!-- We reapply the original transitive dependencies --> @@ -113,6 +117,11 @@ <groupId>org.apache.jackrabbit</groupId> <artifactId>oak-search</artifactId> </dependency> + <dependency> + <groupId>org.apache.tika</groupId> + <artifactId>tika-core</artifactId> + <version>1.27</version> + </dependency> </dependencies> |