dep: Update slf4j to 1.7.36 and switch from log4j1 to reload4j
Replace log4j 1.2.17 with reload4j 1.2.25.
log4j 1.x was caught in the fire of the Log4Shell vulnerability, even
though the 1.x line was not affected by the vulnerability. Still, this
looks bad when it shows up in security scanners even though it doesn't
mean it has the Log4Shell vulnerability.
Switch to reload4j instead. This is a drop-in replacement of log4j.
Actually, it is log4j rebooted by the same author. The reload4j 1.x
line fixes security issues that have since surfaced.
At the same time we update to the latest slf4j version, which also
switched to reload4j for the log4j12 line.
Update JSoup to version 1.16.2.
This requires renaming `Whitelist` to `Safelist`,
because the class name was changed in version 1.15.1
in a breaking change.
This updates Jetty to the latest 9.x version as of writing. The 9.x is
still running on Java 8. The update needs two code changes.
`SessionManager` was replaced with `SessionHandler`. This was documented
in the Jetty documentation.
Adding the `GitblitContext` to the `WebAppContext` will result in two
instances getting created, because the code was changed that prevents
instantiating the same listener class multiple times. (The second time
is when the web.xml is read.) Instead, it must be added to the servlet
handler of the `WebAppContext`. This results in properly adhering to the
changed internal startup flow.
Updating Jetty also resolves #1409.
deps: Update JGit to 4.11.9.201909030838-r and other dependencies
Update JGit, and also update other dependencies where the 4.11 JGit
version uses newer versions than we do:
commons-codec updated to 1.9
commons-compress updated to 1.15
gson updated to 2.8.2
Update Guice to 5.1.0. This version is compatible with Java 17.
The gitblit patch of the servlet extension was ported to Guice 5.1.0,
too.
The update of Guice requires an update of the Guava version, too.
Thus Guava is updated to 27.0.1-jre.
The version 1.69 is chosen instead of 1.70, because the moxie build
would not download the jars, trying to download `...1.7.jar` instead.
Three class deprecations are fixed. `PEMWriter` and `X509Extension`
are replaced with their drop-in replacements `JcaPEMWriter` and
`Extension`. The `PasswordFinder` deprecation note says that "it is
no longer used". It also was never used in Gitblit's code, so it is
removed from the key pair provider class.
To support the new PBKDF2 password hashing, the Bouncy Castle provider
needs to be updated to a version that supports PBKDF2 with HMAC SHA256.
The current version doesn't have PBKDF2WithHmacSHA256, and neither does
Java 7, so that under Java 7 it can not be used. This update enables
the new password hashing under Java 7, too.
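A worked illustration of the point made above, added here as an example and not taken from Gitblit's code or from this commit: the JDK's own provider only offers `PBKDF2WithHmacSHA256` from Java 8 on, so on Java 7 the algorithm has to come from a Bouncy Castle version that registers it. The class name, the record format (`algorithm:iterations:salt:hash` in hex), the 100,000 iteration count and the 16-byte salt are assumptions chosen for the example; the `SecretKeyFactory`, `PBEKeySpec`, `MessageDigest.isEqual` and Bouncy Castle `Hex`/`BouncyCastleProvider` calls are real APIs.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.encoders.Hex;

// Example class (assumed name, not part of Gitblit): PBKDF2-HMAC-SHA256 password
// hashing that works on Java 7 by falling back to the Bouncy Castle provider.
public class Pbkdf2Example {
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int ITERATIONS = 100000; // assumed value; tune for your hardware
    private static final int SALT_BYTES = 16;     // assumed value
    private static final int KEY_BITS = 256;

    // Prefer the JDK's SunJCE implementation (Java 8+); if the algorithm is
    // missing (Java 7), register Bouncy Castle and ask it explicitly.
    static SecretKeyFactory factory() throws NoSuchAlgorithmException {
        try {
            return SecretKeyFactory.getInstance(ALGORITHM);
        } catch (NoSuchAlgorithmException jdkLacksIt) {
            if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
                Security.addProvider(new BouncyCastleProvider());
            }
            Provider bc = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME);
            // Throws again if the installed Bouncy Castle is too old to know the algorithm.
            return SecretKeyFactory.getInstance(ALGORITHM, bc);
        }
    }

    static byte[] derive(char[] password, byte[] salt, int iterations)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return factory().generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // do not keep the password in memory longer than needed
        }
    }

    // Produces "PBKDF2WithHmacSHA256:<iterations>:<salt hex>:<hash hex>" (assumed format).
    public static String hash(char[] password) throws NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] dk = derive(password, salt, ITERATIONS);
        return ALGORITHM + ":" + ITERATIONS + ":" + Hex.toHexString(salt) + ":" + Hex.toHexString(dk);
    }

    // Re-derives with the stored salt and iteration count and compares in constant time.
    public static boolean verify(char[] password, String stored)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        String[] parts = stored.split(":");
        if (parts.length != 4 || !ALGORITHM.equals(parts[0])) {
            return false; // unknown or malformed record
        }
        int iterations = Integer.parseInt(parts[1]);
        byte[] salt = Hex.decode(parts[2]);
        byte[] expected = Hex.decode(parts[3]);
        byte[] actual = derive(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample input
        String record = hash(pw);
        System.out.println(record);
        System.out.println("verify(correct) = " + verify(pw, record));
        System.out.println("verify(wrong)   = " + verify("wrong".toCharArray(), record));
        System.out.println("provider used   = " + factory().getProvider().getName());
    }
}
```

The last line of `main` shows which provider actually served the request: `SunJCE` on Java 8 and newer, `BC` on Java 7 once the Bouncy Castle jar is recent enough, and an exception if it is not, which is exactly the situation the update above resolves.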
Add library `lucene-backward-codecs` to migrate indices.
To be able to read and migrate Lucene indices from old (4.x)
formats to new (5.x) ones, add the `lucene-backward-codecs`
library to the project.
It is added to the `ext` directory and therefore to the classpath.
According to the Lucene documentation, having it in the classpath
can affect performance. But right now the `ext` directory is the
only one available and even for a separate tool for offline
migration the library would be needed.
Exclude Lucene dependencies `lucene-spatial` and `lucene-join`.
They were added during the update but are not needed. This patch
excludes them explicitly so that they do not show up in the
generated IDE files and `ext` directory.
Update to explicit versions of JUnit 4.12 and JaCoCo 0.7.8
Use explicit coordinates, and therefore version numbers for JUnit
in the build.moxie file. It should not be some version that just
happens to be used.
Update JUnit to latest 4.12.
Update JaCoCo to latest 0.7.8, which makes it work under Java 8.
The last used version would fail when tests are run under Java 8.