dep: Update slf4j to 1.7.36 and switch from log4j1 to reload4j
Replace log4j 1.2.17 with reload4j 1.2.25.
log4j 1.x was caught in the fire of the Log4Shell vulnerability, even
though the 1.x line was not affected by the vulnerability. Still, this
looks bad when it shows up in security scanners even though it doesn't
mean it has the Log4Shell vulnerability.
Switch to reload4j instead. This is a drop-in replacement of log4j.
Actually, it is log4j rebooted by the same author. The reload4j 1.x
line fixes security issues that have since surfaced.
At the same time we update to the latest slf4j version, which also
switched to reload4j for the log4j12 line.

Update JSoup to version 1.16.2.
This requires renaming `Whitelist` to `Safelist`,
because the class name was changed in version 1.15.1
in a breaking change.

This updates Jetty to the latest 9.x version as of writing. The 9.x is
still running on Java 8. The update needs two code changes.
`SessionManager` was replaced with `SessionHandler`. This was documented
in the Jetty documentation.
Adding the `GitblitContext` to the `WebAppContext` will result in two
instances getting created, because the code was changed that prevents
instantiation of the same listener class multiple times. (The second time
is when the web.xml is read.) Instead, it must be added to the servlet
handler of the `WebAppContext`. This results in properly adhering to the
changed internal startup flow.
Updating Jetty also resolves #1409.

deps: Update JGit to 4.11.9.201909030838-r and other dependencies
Update JGit, and also update other dependencies where the 4.11 JGit
version uses newer versions than we do:
commons-codec updated to 1.9
commons-compress updated to 1.15
gson updated to 2.8.2

Update Guice to 5.1.0. This version is compatible with Java 17.
The gitblit patch of the servlet extension was ported to Guice 5.1.0,
too.
The update of Guice requires an update of the Guava version, too.
Thus Guava is updated to 27.0.1-jar.

The version 1.69 is chosen instead of 1.70, because the moxie build
would not download the jars, trying to download `...1.7.jar` instead.
Three class deprecations are fixed. `PEMWriter` and `X509Extension`
are replaced with their drop-in replacements `JcaPEMWriter` and
`Extension`. The `PasswordFinder` deprecation note says that "it is
no longer used". It also was never used in Gitblit's code, so it is
removed from the key pair provider class.

When building with Ant, instead of Moxie, JaCoCo is not included in the
classpath. So explicitly initialise the full `jacocoant.jar` from the
`.moxie` repository.
For this we had to switch the dependency to use the `nodeps` jar which
includes all dependencies.

The Eclipse maven repositories changed to only allow HTTPS and not
serve HTTP anymore. HTTP will redirect to HTTPS, which moxie does
not handle well and fails.
So the registered Eclipse repositories are changed to 'https://'
transport.
Fixes #1334

Moxie does have these defined by default, but with transport HTTP.
Since January 2020, Maven Central only accepts HTTPS, no HTTP
anymore. So we add them here explicitly, with `https://`.
We add it to the `build.moxie` file, instead of keeping it in a
local `settings.moxie`, so that a CI server can immediately use it.

Adjust versions of JaCoCo and parboiled to match and work.
Adjust the version of JaCoCo down to 0.8.4 and the version
of parboiled-java up to 1.3.1. They need to match because both
use ASM. This combination has the same dependency on ASM: 7.1.
And it seems to work, at least the docs get generated and the
`moxie test` doesn't fail building the report anymore.

To support the new PBKDF2 password hashing, the Bouncy Castle provider
needs to be updated to a version that supports PBKDF2 with HMAC SHA256.
The current version doesn't have PBKDF2WithHmacSHA256, and neither does
Java 7, so that under Java 7 it cannot be used. This update enables
the new password hashing under Java 7, too.

Add build dependency on parboiled to fix build of documentation.
Updating JaCoCo in commit 23072ffb broke the build of the
HTML documentation. As found out by @chirontt, adding parboiled
as a build dependency fixes it.
Fixes #1220 and closes #1313