Posted to commits@tika.apache.org by ta...@apache.org on 2019/01/03 16:09:15 UTC
[tika] branch master updated: TIKA-2801 -- add
ossindex-maven-plugin and upgrade vulnerable dependencies (skipping
tika-nlp for now).
This is an automated email from the ASF dual-hosted git repository.
tallison pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tika.git
The following commit(s) were added to refs/heads/master by this push:
new 0b286d3 TIKA-2801 -- add ossindex-maven-plugin and upgrade vulnerable dependencies (skipping tika-nlp for now).
0b286d3 is described below
commit 0b286d3efcfd1aa50f0d7fed50b5f39a6a09cf38
Author: TALLISON <ta...@apache.org>
AuthorDate: Thu Jan 3 11:09:02 2019 -0500
TIKA-2801 -- add ossindex-maven-plugin and upgrade vulnerable dependencies
(skipping tika-nlp for now).
---
tika-dl/pom.xml | 38 ++++++++++++++++++++++++++++++++++++++
tika-eval/pom.xml | 11 +++++++++++
tika-example/pom.xml | 2 +-
tika-nlp/pom.xml | 15 +++++++++++++++
tika-parent/pom.xml | 14 ++++++++++++++
tika-parsers/pom.xml | 13 +++++++++++++
6 files changed, 92 insertions(+), 1 deletion(-)
diff --git a/tika-dl/pom.xml b/tika-dl/pom.xml
index dfd7055..d2ee7b4 100644
--- a/tika-dl/pom.xml
+++ b/tika-dl/pom.xml
@@ -37,6 +37,7 @@
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<dl4j.version>1.0.0-beta3</dl4j.version>
+ <twelvemonkeys.version>3.4.1</twelvemonkeys.version>
</properties>
<dependencies>
@@ -200,9 +201,46 @@
<groupId>com.github.jai-imageio</groupId>
<artifactId>jai-imageio-core</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>com.twelvemonkeys.imageio</groupId>
+ <artifactId>imageio-jpeg</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>com.twelvemonkeys.imageio</groupId>
+ <artifactId>imageio-tiff</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>com.twelvemonkeys.imageio</groupId>
+ <artifactId>imageio-psd</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>com.twelvemonkeys.imageio</groupId>
+ <artifactId>imageio-bmp</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
+ <groupId>com.twelvemonkeys.imageio</groupId>
+ <artifactId>imageio-jpeg</artifactId>
+ <version>${twelvemonkeys.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.twelvemonkeys.imageio</groupId>
+ <artifactId>imageio-tiff</artifactId>
+ <version>${twelvemonkeys.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.twelvemonkeys.imageio</groupId>
+ <artifactId>imageio-psd</artifactId>
+ <version>${twelvemonkeys.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.twelvemonkeys.imageio</groupId>
+ <artifactId>imageio-bmp</artifactId>
+ <version>${twelvemonkeys.version}</version>
+ </dependency>
+
+ <dependency>
<groupId>org.datavec</groupId>
<artifactId>datavec-api</artifactId>
<version>${dl4j.version}</version>
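Review bot: The four `com.twelvemonkeys.imageio` exclusions and the matching direct dependencies added in this hunk carry no comment saying that they replace vulnerable transitive versions, so a later cleanup cannot tell when the override may be dropped. A comment above the first re-declared dependency would do, for example `<!-- TIKA-2801: pin twelvemonkeys imageio to ${twelvemonkeys.version} in place of the vulnerable transitive versions; drop once the excluding dependency ships a fixed version -->`. The same exclude-and-redeclare pattern appears for guava in tika-eval/pom.xml and for protobuf-java in tika-parsers/pom.xml, where the versions `27.0.1-jre` and `3.6.1` are hard-coded rather than held in a property as done here; a shared property or a `dependencyManagement` entry in tika-parent would keep the modules from drifting apart. The dependency that owns the exclusion list starts outside the hunk.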
diff --git a/tika-eval/pom.xml b/tika-eval/pom.xml
index 5cf5bed..394cf60 100644
--- a/tika-eval/pom.xml
+++ b/tika-eval/pom.xml
@@ -66,6 +66,17 @@
<groupId>com.optimaize.languagedetector</groupId>
<artifactId>language-detector</artifactId>
<version>0.6</version>
+ <exclusions>
+ <exclusion>
+ <groupId>com.google.guava</groupId>
+ <artifactId>guava</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>com.google.guava</groupId>
+ <artifactId>guava</artifactId>
+ <version>27.0.1-jre</version>
</dependency>
<dependency>
<groupId>commons-cli</groupId>
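Review bot: Swapping the Guava that `language-detector` 0.6 declares for `27.0.1-jre` means that library now runs against a Guava release it was presumably not built or tested with. Guava has removed deprecated APIs between major releases, so an incompatibility would surface only at runtime, as a `NoSuchMethodError` or similar, and not at compile time. It is worth confirming that the tika-eval tests actually exercise language detection, and recording the reason for the override next to the exclusion, for example `<!-- TIKA-2801: language-detector pulls in a vulnerable guava; overridden with the direct dependency below -->`.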
diff --git a/tika-example/pom.xml b/tika-example/pom.xml
index 7bf2ef4..23bdebb 100644
--- a/tika-example/pom.xml
+++ b/tika-example/pom.xml
@@ -143,7 +143,7 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
- <version>3.2.16.RELEASE</version>
+ <version>5.1.3.RELEASE</version>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
diff --git a/tika-nlp/pom.xml b/tika-nlp/pom.xml
index f3a36ae..3b5ef2a 100644
--- a/tika-nlp/pom.xml
+++ b/tika-nlp/pom.xml
@@ -136,6 +136,10 @@
<groupId>org.apache.commons</groupId>
<artifactId>commons-math3</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>com.google.protobuf</groupId>
+ <artifactId>protobuf-java</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
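Review bot: The added `protobuf-java` exclusion has no replacement declared in the visible part of tika-nlp/pom.xml, so if the owning dependency needs protobuf at runtime this module relies on some other path to supply it. tika-parsers pins `protobuf-java` 3.6.1 in this same commit and that may be how a fixed version reaches tika-nlp, but nothing here states it. Once confirmed, a short comment beside the exclusion such as `<!-- TIKA-2801: vulnerable transitive protobuf-java; fixed version is supplied via tika-parsers -->`, or an explicit dependency, would make the intent checkable. The dependency that owns the exclusion list starts outside the hunk.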
@@ -244,6 +248,17 @@
</execution>
</executions>
</plugin>
+ <!-- dependencies in this module need to be cleaned up.
+ Until TIKA-2368 is resolved, report but ignore
+ vulnerabilities.
+ -->
+ <plugin>
+ <groupId>org.sonatype.ossindex.maven</groupId>
+ <artifactId>ossindex-maven-plugin</artifactId>
+ <configuration>
+ <fail>false</fail>
+ </configuration>
+ </plugin>
<plugin>
<groupId>org.apache.rat</groupId>
<artifactId>apache-rat-plugin</artifactId>
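Review bot: `<fail>false</fail>` switches off build failure for every finding in this module, not only the ones tracked under TIKA-2368, so a newly published vulnerability in a tika-nlp dependency will show up in the build log and nowhere else. If the plugin version in use supports excluding specific coordinates or vulnerability ids, listing the known findings would keep the audit enforcing for everything else. At minimum the comment should say when the override goes away, for example `<!-- TODO(TIKA-2368): remove fail=false once the dependencies in this module are cleaned up -->`.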
diff --git a/tika-parent/pom.xml b/tika-parent/pom.xml
index c5f6cf6..f7168a9 100644
--- a/tika-parent/pom.xml
+++ b/tika-parent/pom.xml
@@ -359,6 +359,20 @@
</configuration>
</plugin>
<plugin>
+ <groupId>org.sonatype.ossindex.maven</groupId>
+ <artifactId>ossindex-maven-plugin</artifactId>
+ <version>3.0.2</version>
+ <executions>
+ <execution>
+ <id>audit-dependencies</id>
+ <phase>validate</phase>
+ <goals>
+ <goal>audit</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
<groupId>de.thetaphi</groupId>
<artifactId>forbiddenapis</artifactId>
<!-- if this version contains commons-io 2.6, remove hard-coded commons-io version below -->
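Review bot: Binding the `audit` goal to the `validate` phase makes each build that picks up this plugin query the OSS Index service, and the hunk documents neither the network dependency nor a way to opt out. Offline or rate-limited builds may fail before compilation, and a tag that builds today can stop building later when a new advisory is published against an unchanged dependency. A comment on the plugin should say so, for example `<!-- queries OSS Index over the network at validate; use the plugin's skip option for offline or release-reproduction builds -->`. Whether this declaration sits under `plugins` or `pluginManagement` is not visible in the hunk, which decides how many modules are affected.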
diff --git a/tika-parsers/pom.xml b/tika-parsers/pom.xml
index 327dd7a..483dcc2 100644
--- a/tika-parsers/pom.xml
+++ b/tika-parsers/pom.xml
@@ -513,6 +513,10 @@
<groupId>org.jdom</groupId>
<artifactId>jdom2</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>com.google.protobuf</groupId>
+ <artifactId>protobuf-java</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<!--TIKA 2672 include a later version of jna as a direct dependency to resolve dependency convergence with tika-dl's
@@ -531,6 +535,11 @@
<version>1.11.3</version>
</dependency>
<dependency>
+ <groupId>com.google.protobuf</groupId>
+ <artifactId>protobuf-java</artifactId>
+ <version>3.6.1</version>
+ </dependency>
+ <dependency>
<groupId>edu.ucar</groupId>
<artifactId>cdm</artifactId>
<version>${netcdf-java.version}</version>
@@ -555,6 +564,10 @@
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>com.google.protobuf</groupId>
+ <artifactId>protobuf-java</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>