
feat: Update dependencies in hale-platform to resolve security issues #50

Merged
merged 1 commit into from
Nov 29, 2023

Conversation

emanuelaepure10
Contributor

update slf4jAndLogback from 1.0.13 to 1.2.12

ING-4067

@emanuelaepure10 emanuelaepure10 force-pushed the feat/ING-4067 branch 7 times, most recently from c2855e8 to b7e8ad2 Compare October 26, 2023 20:05
@emanuelaepure10 emanuelaepure10 marked this pull request as draft October 27, 2023 09:03
@emanuelaepure10 emanuelaepure10 marked this pull request as ready for review October 27, 2023 09:03
@emanuelaepure10 emanuelaepure10 force-pushed the feat/ING-4067 branch 2 times, most recently from a274c7e to 7432c00 Compare October 27, 2023 09:13
Member

@stempler stempler left a comment

Did you perform any tests using an update site with your changes for hale studio? What were the results?

Generally the main part of the process of updating/changing the dependencies in the platform is testing these changes in hale studio and applying the related changes/fixes to both the platform and hale studio.

Before merging changes here we need to make sure they have been validated with hale studio. Otherwise we end up with a state in hale-platform that someone else could not work with without resolving the related issues first.

build.gradle Outdated
@@ -91,7 +91,7 @@ include {
}

from('modules/shared/logging.gradle') {
slf4jAndLogback '1.7.10', '1.0.13'
slf4jAndLogback '1.7.25', '1.0.13'
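Review bot: only the first argument of `slf4jAndLogback` moves in this hunk (SLF4J 1.7.10 to 1.7.25); the second argument, the logback version, is still `'1.0.13'`, while the commit message says slf4jAndLogback is updated from 1.0.13 to 1.2.12. If the logback bump is what the PR intends, the changed line should read `slf4jAndLogback '1.7.25', '1.2.12'`; if only SLF4J is meant to move, the commit message should say so.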
Member

Did changing logback to 1.2.12 cause any problems?

Contributor Author

Why should I change it to a lower version?

Member

The first version is the SLF4J version, with your changes at 1.7.25; the second version is the logback version, now at 1.0.13.

@emanuelaepure10
Contributor Author

Did you perform any tests using an update site with your changes for hale studio? What were the results?

I haven't, as I couldn't successfully conclude the process of updating the resource bundles.
To have an update site changed with these changes I should have a commit in bnb platform. Can I just create a PR for testing purposes?

@stempler
Member

stempler commented Nov 7, 2023

@emanuelaepure10

To have an update site changed with these changes I should have a commit in bnb platform. Can I just create a PR for testing purposes?

Do you mean hale-build-support?
If you want to do tests with commits there then please create a fork of the repository in GitLab and push your changes to a branch there. That way we can avoid changes used for testing making it into the main repository, which is already quite big.
A faster way is usually still to test directly in Eclipse. What I always do is the following:

  1. Perform the hale-platform build
  2. Rename the updatesite folder in hale-platform/build to something unique (e.g. append date and an increasing number each time), to avoid any issues with Eclipse caching for the location
  3. Replace the target platform update site in the .target file with the local renamed updatesite folder (file:/ url) and load the target platform from there
  4. Validate HALE.product to look for problems and look into Target Platform state view for details

@emanuelaepure10
Contributor Author

Right! I can use a local folder. I'll do that.
Thank you for the workflow.

@emanuelaepure10
Contributor Author

emanuelaepure10 commented Nov 7, 2023

L.E. I have it
I forgot to check
(screenshot not included)

  1. build successful
  2. rename folder to updatesite20231107
  3. change .target to

    <repository location="file:/C:/Users/EmanuelaEpure/Documents/GitHub/hale-platform-update/hale-platform/build/updatesite20231107"/>
    <unit id="eu.esdihumboldt.hale.platform.feature.group" version="4.1.0.i20231107"/>

Not sure how to change the version... if I just change the date I get
(screenshot not included)
@stempler also with a 5 I still see the problem
(screenshot not included)
Any thoughts on what should I change?
Thank you

@stempler
Member

stempler commented Nov 7, 2023

Any thoughts on what should I change?

@emanuelaepure10 When you use the Eclipse editor for the target file (not editing the source XML) you should be able to edit the update site entry, and in the dialog that opens then select the item that is actually contained in the update site.
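The following is an added example, not code from the hale-platform or hale studio projects. It automates steps 2 and 3 of the four-step workflow stempler describes above (unique name for the built updatesite folder, local file URL in the .target file) and the point raised in this reply: the `<unit>` version written into the .target file has to be the version actually contained in the update site, so the script reads it from the site's p2 metadata instead of guessing it from the date. Everything about the metadata layout is an assumption on my part, not something the thread states: the update site is taken to carry p2 metadata as `content.xml`, or as `content.jar` wrapping `content.xml`, with `<units><unit id=... version=...>` elements, and the .target file is taken to contain one `<repository location=...>` followed by a `<unit id="eu.esdihumboldt.hale.platform.feature.group" version=...>` as quoted earlier in the thread. The sample metadata, the sample .target fragment and the version strings in them are constructed for the example.

```python
"""Point a hale studio .target file at a freshly built local hale-platform update site.

Added example (not project code). Assumes p2 metadata as content.xml or content.jar
and a .target with one <repository location=...> plus the platform feature <unit>.
"""
import datetime
import pathlib
import re
import tempfile
import xml.etree.ElementTree as ET
import zipfile

FEATURE_ID = "eu.esdihumboldt.hale.platform.feature.group"

# Constructed sample p2 metadata (a real site lists many more units).
SAMPLE_CONTENT_XML = b"""<?xml version='1.0' encoding='UTF-8'?>
<repository name='hale-platform' version='1'>
  <units size='2'>
    <unit id='eu.esdihumboldt.hale.platform.feature.group' version='4.1.0.i20231107-1200' singleton='false'/>
    <unit id='ch.qos.logback.classic' version='1.2.12' singleton='false'/>
  </units>
</repository>
"""

# Constructed .target fragment in the shape quoted in the thread; the URL is a placeholder.
SAMPLE_TARGET = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<target name="HALE" sequenceNumber="1">
<locations>
<location includeAllPlatforms="false" includeMode="planner" type="InstallableUnit">
<repository location="https://example.invalid/hale-platform/updatesite"/>
<unit id="eu.esdihumboldt.hale.platform.feature.group" version="4.1.0.i20231025"/>
</location>
</locations>
</target>
"""


def unique_site_name(build_dir, today=None):
    """Rename build/updatesite to updatesite<YYYYMMDD> or updatesite<YYYYMMDD>-N.

    A new folder name per build keeps Eclipse from reusing cached metadata for the location.
    """
    stamp = (today or datetime.date.today()).strftime("%Y%m%d")
    n = 0
    while True:
        suffix = "" if n == 0 else f"-{n}"
        candidate = pathlib.Path(build_dir) / f"updatesite{stamp}{suffix}"
        if not candidate.exists():
            break
        n += 1
    (pathlib.Path(build_dir) / "updatesite").rename(candidate)
    return candidate


def read_p2_content(site):
    """Return the content.xml bytes; p2 may ship it plain or zipped inside content.jar."""
    site = pathlib.Path(site)
    if (site / "content.xml").exists():
        return (site / "content.xml").read_bytes()
    with zipfile.ZipFile(site / "content.jar") as jar:
        return jar.read("content.xml")


def unit_version(content_xml, unit_id):
    """Version of the installable unit the site really contains (the value .target must use)."""
    root = ET.fromstring(content_xml)
    versions = [u.get("version") for u in root.iter("unit") if u.get("id") == unit_id]
    if not versions:
        raise LookupError(f"{unit_id} is not in the update site metadata")
    return versions[0]


def rewrite_target(target_text, site, version):
    """Point the first <repository> at the local site and set the feature unit version."""
    # as_uri() gives a standard file URI (file:///C:/... on Windows, file:///home/... elsewhere),
    # which Eclipse resolves like the file:/ form quoted in the thread.
    location = pathlib.Path(site).resolve().as_uri()
    text = re.sub(r'<repository location="[^"]*"', f'<repository location="{location}"', target_text, count=1)
    pattern = rf'(<unit id="{re.escape(FEATURE_ID)}" version=")[^"]*(")'
    text, hits = re.subn(pattern, lambda m: m.group(1) + version + m.group(2), text, count=1)
    if hits != 1:
        raise ValueError("feature unit not found in .target")
    return text


def demo(today=datetime.date(2023, 11, 7)):
    """Run the flow twice on one day against constructed sites in a temporary build dir."""
    build = pathlib.Path(tempfile.mkdtemp()) / "build"
    site = build / "updatesite"
    site.mkdir(parents=True)
    (site / "content.xml").write_bytes(SAMPLE_CONTENT_XML)
    first = unique_site_name(build, today)
    version = unit_version(read_p2_content(first), FEATURE_ID)
    target = rewrite_target(SAMPLE_TARGET, first, version)

    # Second build of the same day: metadata zipped as content.jar, and a new folder name.
    site.mkdir()
    with zipfile.ZipFile(site / "content.jar", "w") as jar:
        jar.writestr("content.xml", SAMPLE_CONTENT_XML)
    second = unique_site_name(build, today)
    logback = unit_version(read_p2_content(second), "ch.qos.logback.classic")
    return {"first": first.name, "second": second.name, "version": version,
            "target": target, "logback": logback}


if __name__ == "__main__":
    print(demo()["target"])
```

Usage: run `demo()` to see the rewritten fragment; in a real checkout, call `unique_site_name("hale-platform/build")`, then `rewrite_target(open(path_to_target).read(), renamed_site, unit_version(read_p2_content(renamed_site), FEATURE_ID))` and write the result back before reloading the target platform in Eclipse. `unit_version` raises `LookupError` when the unit is absent, which is the same mismatch the Target Platform state view reports when a hand-typed version does not match the site.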

@emanuelaepure10
Contributor Author

@stempler Thank you.
I wrote the later update... I had forgotten to select the HALE target platform libraries.

@emanuelaepure10
Contributor Author

emanuelaepure10 commented Nov 8, 2023

Open points where I would need help to solve them:

  1. upgrading jetty from jettyVersion = '9.2.1.v20140609' to '9.4.53.v20231009'. Also, should this be changed in bundleArtifactMap.json?

  2. remove commons-fileupload, openid4java, recaptcha4j and everything related to Wicket

  3. Upgrade (or maybe follow up tickets)

modules/shared/orientdb.gradle
modules/shared/spring.gradle
modules/shared/postgis.gradle

which are giving problems.

  4. How to solve the following:

4.1. // force package export versions for hsqldb
    bnd group: 'org.hsqldb', name: 'hsqldb', {
        instruction 'Export-Package', ";version=$version"
    }
4.2. // force correct package export versions for sqlite-jdbc
    bnd group: 'org.xerial', name: 'sqlite-jdbc', {
        instruction 'Export-Package', ";version=$version"
    }
4.3. // make OSGi JDBC service import optional
    bnd group: 'com.h2database', name: 'h2', {
        optionalImport 'org.osgi.service.jdbc'
    }
4.4. // security
    bundle 'org.jasig.cas:cas-client:3.1.10'

  5. and last but the most important springframework

Thank you

build.gradle Outdated
from('modules/shared/logging.gradle') {
slf4jAndLogback '1.7.10', '1.0.13'
from('modules/logging.gradle') {
slf4jAndLogback '1.7.36', '1.0.13'
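Review bot: the logback argument is still `'1.0.13'` next to SLF4J 1.7.36, so the logback update to 1.2.12 announced in the commit message is missing from this revision as well; and the `from` path changes from `modules/shared/logging.gradle` to `modules/logging.gradle`, which neither the commit message nor the discussion mentions. Confirm the shared script was actually moved rather than left behind in both locations, and put the logback bump back: `slf4jAndLogback '1.7.36', '1.2.12'`.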
Member

Can you please again include the update to logback from 1.0.13 to 1.2.12? Thank you

@stempler stempler merged commit 1e7e00c into halestudio:master Nov 29, 2023
1 check failed