Posted to dev@uima.apache.org by Jaroslaw Cwiklik <ui...@gmail.com> on 2021/06/17 17:11:29 UTC

Re: UIMA-AS latest version security issues

I was able to run UIMA-AS (from
https://github.com/apache/uima-async-scaleout) extended tests with AMQ
5.16.2.
There is a problem building eclipse plugins though. Not enough free time to
address this now.
Regards, Jerry Cwiklik

<!-- level of ActiveMQ this release depends on -->
<org.apache.activemq.version>5.16.2</org.apache.activemq.version>
<!-- level of SpringFramework this release depends on -->
<org.springframework.version>4.3.30.RELEASE</org.springframework.version>
<org.apache.camel.version>2.25.2</org.apache.camel.version>


On Wed, Jun 2, 2021 at 2:38 AM Richard Eckart de Castilho <re...@apache.org>
wrote:

> Hi,
>
> > On 1. Jun 2021, at 21:52, E Khorasani <el...@us.ibm.com> wrote:
> >
> > We are using UIMA-AS 2.10.3 which includes ActiveMQ 5.15.2. But our
> > AppScan report shows High and medium severity security in
> > activemq-broker-5.15.2.jar and activemq-client-5.15.2.jar. Is there a way
> > to upgrade ActiveMQ libraries in UIMA-AS? If so, could you please point
> > me to documents as to how to achieve this?
>
> Have you tried checking out the sources, replacing all the ActiveMQ dependency
> versions with the latest 5.x version, building and checking if it still works?
>
> Cheers,
>
> -- Richard
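
A check for the upgrade discussed in this message, added here as an example and not taken from the UIMA-AS project: it reads the version properties posted above and flags bundled jars that are still older than the pinned version, which is what a scanner reports when a stale `activemq-broker-5.15.2.jar` survives a rebuild. The prefix-to-property mapping and the jar listing are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Version properties as posted in the thread, wrapped in <properties> for parsing.
POM_PROPERTIES = """<properties>
  <org.apache.activemq.version>5.16.2</org.apache.activemq.version>
  <org.springframework.version>4.3.30.RELEASE</org.springframework.version>
  <org.apache.camel.version>2.25.2</org.apache.camel.version>
</properties>"""

# Assumption: which jar-name prefix each property governs (not project data).
PREFIX_TO_PROPERTY = {
    "activemq-": "org.apache.activemq.version",
    "spring-": "org.springframework.version",
    "camel-": "org.apache.camel.version",
}

# Constructed lib/ listing: two stale ActiveMQ jars next to upgraded ones.
SAMPLE_JARS = [
    "activemq-broker-5.15.2.jar", "activemq-client-5.15.2.jar",
    "activemq-spring-5.16.2.jar", "spring-core-4.3.30.RELEASE.jar",
    "camel-core-2.25.2.jar", "example-lib-1.0.jar",
]

JAR_RE = re.compile(
    r"^(?P<name>.+?)-(?P<version>\d+(?:\.\d+)*(?:[.-][A-Za-z0-9]+)*)\.jar$")

def version_key(version):
    """Keep numeric components only, so '4.3.30.RELEASE' -> (4, 3, 30)."""
    return tuple(int(p) for p in re.split(r"[.-]", version) if p.isdigit())

def pinned_versions(properties_xml):
    """Map each property name to the version string it pins."""
    return {el.tag: el.text.strip() for el in ET.fromstring(properties_xml)}

def stale_jars(jar_names, properties_xml=POM_PROPERTIES):
    """Return (jar, found_version, pinned_version) for jars older than the pin."""
    pinned = pinned_versions(properties_xml)
    findings = []
    for jar in jar_names:
        m = JAR_RE.match(jar)
        if not m:
            continue  # not a versioned jar name
        for prefix, prop in PREFIX_TO_PROPERTY.items():
            if m["name"].startswith(prefix) and prop in pinned:
                if version_key(m["version"]) < version_key(pinned[prop]):
                    findings.append((jar, m["version"], pinned[prop]))
    return findings
```

Run `stale_jars()` over the real contents of the distribution's lib directory after the rebuild; an empty result means no jar governed by these properties is older than its pin.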

Re: UIMA-AS latest version security issues

Posted by Jaroslaw Cwiklik <cw...@apache.org>.
Hi Richard, sorry for the delay in responding. Was away on vacation last
week. Will merge your changes soon.
Thanks for the help. I will work on a new uima-as release when I have free
time.

Jerry

On Mon, Jun 21, 2021 at 2:51 PM Richard Eckart de Castilho <re...@apache.org>
wrote:

> Hi Jerry,
>
> > On 18. Jun 2021, at 19:35, Jaroslaw Cwiklik <ui...@gmail.com> wrote:
> >
> > Thanks Richard. I took a look today at Ruta and compared its eclipse
> > plugins setup to uima-as. Seems like many changes are needed to make them
> > work. Actually made some changes to uima-as poms (including one you've
> > suggested) but am not able to build.
>
> Please have a look at the PR:
> https://github.com/apache/uima-async-scaleout/pull/3
>
> -- Richard

Re: UIMA-AS latest version security issues

Posted by Richard Eckart de Castilho <re...@apache.org>.
Hi Jerry,

> On 18. Jun 2021, at 19:35, Jaroslaw Cwiklik <ui...@gmail.com> wrote:
> 
> Thanks Richard. I took a look today at Ruta and compared its eclipse
> plugins setup to uima-as. Seems like many changes are needed to make them
> work. Actually made some changes to uima-as poms (including one you've
> suggested) but am not able to build.

Please have a look at the PR: https://github.com/apache/uima-async-scaleout/pull/3

-- Richard

Re: UIMA-AS latest version security issues

Posted by Jaroslaw Cwiklik <ui...@gmail.com>.
Thanks Richard. I took a look today at Ruta and compared its eclipse
plugins setup to uima-as. Seems like many changes are needed to make them
work. Actually made some changes to uima-as poms (including one you've
suggested) but am not able to build.
The latest problem is this:

[ERROR] Failed to execute goal on project uimaj-ep-runtime-deployeditor:
Could not resolve dependencies for project
org.apache.uima:uimaj-ep-runtime-deployeditor:jar:2.10.4-SNAPSHOT: Artifact not found:
/var/folders/qv/mb2304nn2yg65q0c3n0vrcpm0000gn/T/org.openntf.maven.p2.layout.P2RepositoryLayout-org.eclipse.p2.201812-metadata4232512035347814454/1997609141157123
(No such file or directory) -> [Help 1]


Regards, Jerry


On Thu, Jun 17, 2021 at 1:55 PM Richard Eckart de Castilho <re...@apache.org>
wrote:

> Hi Jerry,
>
> > On 17. Jun 2021, at 19:11, Jaroslaw Cwiklik <ui...@gmail.com> wrote:
> >
> > There is a problem building eclipse plugins though. Not enough free time to
> > address this now.
>
> For the UIMA Java SDK and Ruta, we no longer obtain the Eclipse plugin dependencies
> from Maven Central but instead use this plugin to pull the Eclipse bundles directly
> from the official P2 repositories:
>
>       <plugin>
>         <groupId>org.openntf.maven</groupId>
>         <artifactId>p2-layout-resolver</artifactId>
>         <version>1.3.0</version>
>         <extensions>true</extensions>
>       </plugin>
>
> That protects us now from the volatility of the version range resolving due to Eclipse
> publishing new artifacts to Maven Central as we can lock to a particular P2 update site
> and those remain stable.
>
> Cheers,
>
> -- Richard

Re: UIMA-AS latest version security issues

Posted by Richard Eckart de Castilho <re...@apache.org>.
Hi Jerry,

> On 17. Jun 2021, at 19:11, Jaroslaw Cwiklik <ui...@gmail.com> wrote:
>
> There is a problem building eclipse plugins though. Not enough free time to
> address this now.

For the UIMA Java SDK and Ruta, we no longer obtain the Eclipse plugin dependencies
from Maven Central but instead use this plugin to pull the Eclipse bundles directly
from the official P2 repositories:

      <plugin>
        <groupId>org.openntf.maven</groupId>
        <artifactId>p2-layout-resolver</artifactId>
        <version>1.3.0</version>
        <extensions>true</extensions>
      </plugin>

That protects us now from the volatility of the version range resolving due to Eclipse
publishing new artifacts to Maven Central as we can lock to a particular P2 update site
and those remain stable.

Cheers,

-- Richard
