Posted to commits@tika.apache.org by ta...@apache.org on 2019/01/03 16:09:15 UTC

[tika] branch master updated: TIKA-2801 -- add ossindex-maven-plugin and upgrade vulnerable dependencies (skipping tika-nlp for now).

This is an automated email from the ASF dual-hosted git repository.

tallison pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tika.git


The following commit(s) were added to refs/heads/master by this push:
     new 0b286d3  TIKA-2801 -- add ossindex-maven-plugin and upgrade vulnerable dependencies (skipping tika-nlp for now).
0b286d3 is described below

commit 0b286d3efcfd1aa50f0d7fed50b5f39a6a09cf38
Author: TALLISON <ta...@apache.org>
AuthorDate: Thu Jan 3 11:09:02 2019 -0500

    TIKA-2801 -- add ossindex-maven-plugin and upgrade vulnerable dependencies
    (skipping tika-nlp for now).
---
 tika-dl/pom.xml      | 38 ++++++++++++++++++++++++++++++++++++++
 tika-eval/pom.xml    | 11 +++++++++++
 tika-example/pom.xml |  2 +-
 tika-nlp/pom.xml     | 15 +++++++++++++++
 tika-parent/pom.xml  | 14 ++++++++++++++
 tika-parsers/pom.xml | 13 +++++++++++++
 6 files changed, 92 insertions(+), 1 deletion(-)

diff --git a/tika-dl/pom.xml b/tika-dl/pom.xml
index dfd7055..d2ee7b4 100644
--- a/tika-dl/pom.xml
+++ b/tika-dl/pom.xml
@@ -37,6 +37,7 @@
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <dl4j.version>1.0.0-beta3</dl4j.version>
+    <twelvemonkeys.version>3.4.1</twelvemonkeys.version>
   </properties>
 
   <dependencies>
@@ -200,9 +201,46 @@
           <groupId>com.github.jai-imageio</groupId>
           <artifactId>jai-imageio-core</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>com.twelvemonkeys.imageio</groupId>
+          <artifactId>imageio-jpeg</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>com.twelvemonkeys.imageio</groupId>
+          <artifactId>imageio-tiff</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>com.twelvemonkeys.imageio</groupId>
+          <artifactId>imageio-psd</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>com.twelvemonkeys.imageio</groupId>
+          <artifactId>imageio-bmp</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
+      <groupId>com.twelvemonkeys.imageio</groupId>
+      <artifactId>imageio-jpeg</artifactId>
+      <version>${twelvemonkeys.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>com.twelvemonkeys.imageio</groupId>
+      <artifactId>imageio-tiff</artifactId>
+      <version>${twelvemonkeys.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>com.twelvemonkeys.imageio</groupId>
+      <artifactId>imageio-psd</artifactId>
+      <version>${twelvemonkeys.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>com.twelvemonkeys.imageio</groupId>
+      <artifactId>imageio-bmp</artifactId>
+      <version>${twelvemonkeys.version}</version>
+    </dependency>
+
+    <dependency>
     <groupId>org.datavec</groupId>
       <artifactId>datavec-api</artifactId>
       <version>${dl4j.version}</version>
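Review bot: The four twelvemonkeys pins added after `</exclusions>` carry no comment tying them to TIKA-2801, so a later upgrade of the enclosing dependency gives no cue for when the exclusions and pins can be dropped. A comment above the first new `<dependency>`, such as `<!-- TIKA-2801: pin twelvemonkeys imageio above the version pulled in transitively; remove once upstream ships ${twelvemonkeys.version} or later -->`, would record that. Only jpeg, tiff, psd and bmp are pinned; if the enclosing dependency also brings in other `com.twelvemonkeys.*` artifacts, those may stay on the older version, which is worth checking with `mvn dependency:tree`. The `<dependency>` that owns the exclusions starts outside the hunk.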
diff --git a/tika-eval/pom.xml b/tika-eval/pom.xml
index 5cf5bed..394cf60 100644
--- a/tika-eval/pom.xml
+++ b/tika-eval/pom.xml
@@ -66,6 +66,17 @@
             <groupId>com.optimaize.languagedetector</groupId>
             <artifactId>language-detector</artifactId>
             <version>0.6</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>com.google.guava</groupId>
+                    <artifactId>guava</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+            <version>27.0.1-jre</version>
         </dependency>
         <dependency>
             <groupId>commons-cli</groupId>
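Review bot: Forcing guava `27.0.1-jre` underneath `language-detector` 0.6 swaps in a Guava that is presumably several major versions newer than the one the library was compiled against, and Guava removes deprecated APIs between majors, so an incompatibility would surface only at run time as a `NoSuchMethodError`. It is worth confirming that the tika-eval language-detection tests run against the new jar before relying on this override. The version is also a literal here; a `<guava.version>` property or a `dependencyManagement` entry in tika-parent would keep it aligned with the other modules that exclude guava, such as the exclusion visible in the tika-parsers hunk at -555.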
diff --git a/tika-example/pom.xml b/tika-example/pom.xml
index 7bf2ef4..23bdebb 100644
--- a/tika-example/pom.xml
+++ b/tika-example/pom.xml
@@ -143,7 +143,7 @@
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-context</artifactId>
-      <version>3.2.16.RELEASE</version>
+      <version>5.1.3.RELEASE</version>
       <exclusions>
         <exclusion>
           <groupId>commons-logging</groupId>
diff --git a/tika-nlp/pom.xml b/tika-nlp/pom.xml
index f3a36ae..3b5ef2a 100644
--- a/tika-nlp/pom.xml
+++ b/tika-nlp/pom.xml
@@ -136,6 +136,10 @@
           <groupId>org.apache.commons</groupId>
           <artifactId>commons-math3</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>com.google.protobuf</groupId>
+          <artifactId>protobuf-java</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
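Review bot: `protobuf-java` is excluded here, but none of the tika-nlp changes declare a replacement version, unlike tika-parsers, where `protobuf-java` 3.6.1 is added directly. If the enclosing dependency needs protobuf at run time, tika-nlp now relies on some other dependency supplying it transitively, which this hunk does not show. That should be confirmed with `mvn dependency:tree -Dincludes=com.google.protobuf` or made explicit with a direct `<dependency>` in this module. The enclosing `<dependency>` starts outside the hunk.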
@@ -244,6 +248,17 @@
           </execution>
         </executions>
       </plugin>
+      <!-- dependencies in this module need to be cleaned up.
+          Until TIKA-2368 is resolved, report but ignore
+          vulnerabilities.
+        -->
+      <plugin>
+        <groupId>org.sonatype.ossindex.maven</groupId>
+        <artifactId>ossindex-maven-plugin</artifactId>
+        <configuration>
+          <fail>false</fail>
+        </configuration>
+      </plugin>
       <plugin>
         <groupId>org.apache.rat</groupId>
         <artifactId>apache-rat-plugin</artifactId>
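Review bot: `<fail>false</fail>` switches the audit gate off for every dependency in tika-nlp, not only the ones tracked under TIKA-2368, so a newly published vulnerability in this module will appear in build output without ever breaking the build. A narrower exemption keeps the gate useful: the plugin's `excludeCoordinates` / `excludeVulnerabilityIds` configuration (if available in the pinned plugin version) can list the known findings while `fail` stays at its default. If the blanket setting stays, extending the comment with `remove <fail>false</fail> when TIKA-2368 is closed` makes the clean-up step explicit.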
diff --git a/tika-parent/pom.xml b/tika-parent/pom.xml
index c5f6cf6..f7168a9 100644
--- a/tika-parent/pom.xml
+++ b/tika-parent/pom.xml
@@ -359,6 +359,20 @@
         </configuration>
       </plugin>
       <plugin>
+        <groupId>org.sonatype.ossindex.maven</groupId>
+        <artifactId>ossindex-maven-plugin</artifactId>
+        <version>3.0.2</version>
+        <executions>
+          <execution>
+            <id>audit-dependencies</id>
+            <phase>validate</phase>
+            <goals>
+              <goal>audit</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
         <groupId>de.thetaphi</groupId>
         <artifactId>forbiddenapis</artifactId>
         <!-- if this version contains commons-io 2.6, remove hard-coded commons-io version below -->
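Review bot: Binding `audit` to the `validate` phase makes every build of every inheriting module depend on a live call to the OSS Index service and on whichever advisories exist that day. This includes offline builds and rebuilds of old tags. A release tag that builds today can start failing once a new advisory is published against one of its pinned dependencies, and a service outage or rate limit may stop the build before compilation. Consider binding the execution to `verify` inside a CI-enabled profile, or documenting the skip switch next to the plugin, e.g. `<!-- skip with -Dossindex.skip for offline builds -->`, assuming the pinned plugin version exposes that property.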
diff --git a/tika-parsers/pom.xml b/tika-parsers/pom.xml
index 327dd7a..483dcc2 100644
--- a/tika-parsers/pom.xml
+++ b/tika-parsers/pom.xml
@@ -513,6 +513,10 @@
           <groupId>org.jdom</groupId>
           <artifactId>jdom2</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>com.google.protobuf</groupId>
+          <artifactId>protobuf-java</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
     <!--TIKA 2672 include a later version of jna as a direct dependency to resolve dependency convergence with tika-dl's
@@ -531,6 +535,11 @@
       <version>1.11.3</version>
     </dependency>
     <dependency>
+      <groupId>com.google.protobuf</groupId>
+      <artifactId>protobuf-java</artifactId>
+      <version>3.6.1</version>
+    </dependency>
+    <dependency>
       <groupId>edu.ucar</groupId>
       <artifactId>cdm</artifactId>
       <version>${netcdf-java.version}</version>
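Review bot: The new `protobuf-java` 3.6.1 dependency has no comment saying why it is declared directly, while the jna pin just above it is explained by the `TIKA 2672` comment visible at the end of the hunk at -513. Adding `<!-- TIKA-2801: declare protobuf-java directly to replace the transitive versions excluded in this file -->` above the `<dependency>` would keep this hunk and the exclusions in the hunks at -513 and -555 traceable to one decision. The version is a literal; a property in tika-parent would let tika-nlp, which also excludes protobuf-java, share the same value.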
@@ -555,6 +564,10 @@
           <groupId>com.google.guava</groupId>
           <artifactId>guava</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>com.google.protobuf</groupId>
+          <artifactId>protobuf-java</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>