Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/06/27 13:41:05 UTC

[ofbiz-framework] branch trunk updated: Improved: Update build.gradle to the latest dependencies (OFBIZ-12658)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 18d0d75f43 Improved: Update build.gradle to the latest dependencies (OFBIZ-12658)
18d0d75f43 is described below

commit 18d0d75f439c07329d3ac6209cdb9b3553635d5e
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Mon Jun 27 15:40:08 2022 +0200

    Improved: Update build.gradle to the latest dependencies (OFBIZ-12658)
    
    I noticed that JpegImageParser from Apache Commons Imaging never had a write
    option. So I commented it out. I tested uploading, it's OK
    
    org.apache.axiom.om.impl.builder.StAXOMBuilder has been replaced by
    org.apache.axiom.om.OMXMLParserWrapper
    in SOAPEventHandler.java
    
    The rest of the information is in the main build.gradle
    
    I got 2 test errors on Win7. I'll see how it goes on GH and BB.
    Maybe it's write.lock issues with Lucene or/and Solr indexes
---
 build.gradle                                       | 70 ++++++++++++----------
 .../org/apache/ofbiz/security/SecuredUpload.java   | 12 ++--
 .../ofbiz/webapp/event/SOAPEventHandler.java       | 11 ++--
 3 files changed, 50 insertions(+), 43 deletions(-)

diff --git a/build.gradle b/build.gradle
index b37f717797..267c6bf23a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -29,14 +29,14 @@ plugins {
     id 'eclipse'
     id 'checkstyle'
     id 'maven-publish'
-    id 'at.bxm.svntools' version '2.2.1' // Don't update as long as we don't use Java 11, it's needed by version 3
+    id 'at.bxm.svntools' version '3.1' // Java 11 is needed by version 3
     id 'org.asciidoctor.convert' version '2.4.0' // About org.asciidoctor.jvm.convert as it says itself: "If you need a production-ready version of the AsciidoctorJ plugin for Gradle use a 1.5.x release of 'org.asciidoctor.convert' instead"
-    id 'org.owasp.dependencycheck' version '6.3.1' apply false
-    id 'se.patrikerdes.use-latest-versions' version '0.2.17' apply false
-    id 'com.github.ben-manes.versions' version '0.39.0' apply false
+    id 'org.owasp.dependencycheck' version '7.1.1' apply false
+    id 'se.patrikerdes.use-latest-versions' version '0.2.18' apply false
+    id 'com.github.ben-manes.versions' version '0.42.0' apply false
     id "com.github.ManifestClasspath" version "0.1.0-RELEASE"
     id "com.github.jakemarsden.git-hooks" version "0.0.2"
-    id "com.github.node-gradle.node" version "3.1.0"
+    id "com.github.node-gradle.node" version "3.4.0"
 }
 
 /* OWASP plugin
@@ -160,6 +160,8 @@ allprojects {
         maven {
             // org/milyn/flute/1.3/flute-1.3.jar
             // need artifact only because of wrong pom metadata in maven central
+            // Required by: plugins:birt > org.eclipse.birt.runtime:viewservlets:4.5.0 > org.eclipse.birt.runtime:org.eclipse.birt.runtime:4.4.1
+            // TODO Maybe this will no longer needed wheh upgrading viewservlets to 4.9.0
             url "https://repo1.maven.org/maven2"
             metadataSources {
                 artifact()
@@ -168,6 +170,11 @@ allprojects {
         maven {
             url "https://clojars.org/repo"
         }
+        maven {
+            // org.cyberneko.html.parsers (used by UELFunctions, was in esapi before 2.3)
+            url "https://repository.ow2.org/nexus/content/repositories/public/"
+        }
+
     }
 }
 
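Review bot: The OW2 Nexus repository added here is declared without a content filter, so Gradle may consult it for any coordinate the earlier repositories do not serve, not only the artifact its comment names. The only stated reason for it is the cyberneko HTML parser (`org.cyberneko:html`, added in the dependencies hunk of this file), so restrict it with `content { includeGroup 'org.cyberneko' }` inside the new `maven { … }` block; that keeps an extra third-party host out of the resolution path for every other dependency. The blank `+` line before the closing brace can also be dropped. The enclosing repositories block starts outside this hunk.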
@@ -194,62 +201,63 @@ configurations {
 
 dependencies {
     implementation 'xerces:xercesImpl:2.12.2'
-    implementation 'com.google.zxing:core:3.4.1'
+    implementation 'com.google.zxing:core:3.5.0'
     implementation 'com.googlecode.concurrentlinkedhashmap:concurrentlinkedhashmap-lru:1.4.2'
-    implementation 'com.googlecode.ez-vcard:ez-vcard:0.11.2'
-    implementation 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20200713.1'
-    implementation 'com.googlecode.libphonenumber:libphonenumber:8.12.3'
-    implementation 'com.ibm.icu:icu4j:69.1'
+    implementation 'com.googlecode.ez-vcard:ez-vcard:0.11.3'
+    implementation 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20220608.1'
+    implementation 'com.googlecode.libphonenumber:libphonenumber:8.12.50'
+    implementation 'com.ibm.icu:icu4j:71.1'
     implementation 'com.lowagie:itext:2.1.7' // Don't update due to license change in newer versions, see OFBIZ-10455
     implementation 'com.sun.mail:javax.mail:1.6.2'
-    implementation 'com.rometools:rome:1.16.0'
-    implementation 'com.thoughtworks.xstream:xstream:1.4.18'
+    implementation 'com.rometools:rome:1.18.0'
+    implementation 'com.thoughtworks.xstream:xstream:1.4.19'
     implementation 'commons-fileupload:commons-fileupload:1.4'
     implementation 'commons-net:commons-net:3.8.0'
     implementation 'commons-validator:commons-validator:1.7'
     implementation 'de.odysseus.juel:juel-impl:2.2.7'
     implementation 'net.fortuna.ical4j:ical4j:1.0-rc4-atlassian-12'
-    implementation 'net.lingala.zip4j:zip4j:2.9.0'
-    implementation 'org.apache.ant:ant-junit:1.10.11'
+    implementation 'net.lingala.zip4j:zip4j:2.11.1'
+    implementation 'org.apache.ant:ant-junit:1.10.12'
     implementation 'org.apache.commons:commons-collections4:4.4'
     implementation 'org.apache.commons:commons-dbcp2:2.9.0'
-    implementation 'org.apache.commons:commons-imaging:1.0-alpha2' // Alpha but OK, "Imaging was working and was used by a number of projects in production even before reaching its initial release as an Apache Commons component."
+    implementation 'org.apache.commons:commons-imaging:1.0-alpha3' // Alpha but OK, "Imaging was working and was used by a number of projects in production even before reaching its initial release as an Apache Commons component."
     implementation 'org.apache.commons:commons-text:1.9'
-    implementation 'org.apache.geronimo.components:geronimo-transaction:3.1.4'
+    implementation 'org.apache.geronimo.components:geronimo-transaction:3.1.5'
     implementation 'org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1'
     implementation 'org.apache.httpcomponents:httpclient-cache:4.5.13'
     implementation 'org.apache.logging.log4j:log4j-api:2.17.2' // the API of log4j 2
     implementation 'org.apache.logging.log4j:log4j-core:2.17.2' // Somehow needed by Buildbot to compile OFBizDynamicThresholdFilter.java
     implementation 'org.apache.poi:poi:4.1.2' // poi-ooxml-schemas-5.0.0.pom'. Received status code 401 from server
     implementation 'org.apache.pdfbox:pdfbox:2.0.24'
-    implementation 'org.apache.shiro:shiro-core:1.8.0'
+    implementation 'org.apache.shiro:shiro-core:1.9.0'
     implementation 'org.apache.sshd:sshd-core:2.8.0'
     implementation 'org.apache.sshd:sshd-sftp:2.8.0'
     // Note: The Apache Tika PMC has set September 30, 2022 as the End Of Life for the Tika 1.x branch.
     //       The PMC will make security fixes for the 1.x branch until that date.
-    implementation 'org.apache.tika:tika-core:1.28.4' // version 2 needs more work, see OFBIZ-12572
+    implementation 'org.apache.tika:tika-core:2.4.1'
     implementation 'org.apache.tika:tika-parsers:1.28.4' //  2.1.0 does not work,
     implementation 'org.apache.tomcat:tomcat-catalina-ha:9.0.60' // Remember to change the version number (9 now) in javadoc block if needed.
     implementation 'org.apache.tomcat:tomcat-jasper:9.0.60'
-    implementation 'org.apache.axis2:axis2-kernel:1.7.9' // Above: SOAPEventHandler.java:42: error: package org.apache.axiom.om.impl.builder does not exist
+    implementation 'org.apache.axis2:axis2-kernel:1.8.1'
     implementation 'batik:batik-svg-dom:1.6-1'
-    implementation 'org.apache.xmlgraphics:fop:2.3' // NOTE: since 2.4 dependencies are messed up. See https://github.com/moqui/moqui-fop/blob/master/build.gradle
+    implementation 'org.apache.xmlgraphics:fop:2.7' // NOTE: since 2.4 dependencies are messed up. See https://github.com/moqui/moqui-fop/blob/master/build.gradle
     implementation 'org.apache.xmlrpc:xmlrpc-client:3.1.3'
     implementation 'org.apache.xmlrpc:xmlrpc-server:3.1.3'
-    implementation 'org.clojure:clojure:1.10.2'
+    implementation 'org.clojure:clojure:1.11.1'
     implementation 'org.codehaus.groovy:groovy-all:2.5.17' // Compile issue with commons-cli and Groovy 3. Remember to change the version number in javadoc block.
     implementation 'org.freemarker:freemarker:2.3.31' // Remember to change the version number in FreeMarkerWorker class when upgrading. See OFBIZ-10019 if >= 2.4
-    implementation 'org.owasp.esapi:esapi:2.2.2.0'
-    implementation 'org.springframework:spring-test:5.3.9'
+    implementation 'org.owasp.esapi:esapi:2.4.0.0'
+    implementation 'org.cyberneko:html:1.9.8'
+    implementation 'org.springframework:spring-test:5.3.21'
     implementation 'org.zapodot:jackson-databind-java-optional:2.6.1'
     implementation 'oro:oro:2.0.8'
     implementation 'wsdl4j:wsdl4j:1.6.3'
-    implementation 'com.auth0:java-jwt:3.18.1'
+    implementation 'com.auth0:java-jwt:4.0.0'
     implementation 'org.jdom:jdom:1.1.3' // don't upgrade above 1.1.3, makes a lot of not obvious and useless complications, see last commits of OFBIZ-12092 for more
     implementation 'com.google.re2j:re2j:1.6'
 
     testImplementation 'org.hamcrest:hamcrest-library:2.2' // Enable junit4 to not depend on hamcrest-1.3
-    testImplementation 'org.mockito:mockito-core:3.12.4'
+    testImplementation 'org.mockito:mockito-core:4.6.1'
     testImplementation 'org.jmockit:jmockit:1.49'
     testImplementation 'com.pholser:junit-quickcheck-generators:1.0'
 
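Review bot: `tika-core` moves to 2.4.1 while `tika-parsers` on the next line stays at 1.28.4, so the build now mixes two Tika major lines; the removed comment pointed at OFBIZ-12572 for the work a 2.x move needs, and nothing here says that work was done. Either keep both artifacts on the same line or record next to `tika-parsers` why the split is known to be safe, e.g. `// still 1.x: <reason>, tracked in OFBIZ-12572`; the end-of-life note above still applies to that artifact. If Tika backs the content checks in the upload path (not visible in this hunk), a test that exercises detection should accompany the bump. Separately, the retained `fop` comment "since 2.4 dependencies are messed up" now sits on a 2.7 pin and reads as stale.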
@@ -257,9 +265,9 @@ dependencies {
     runtimeOnly 'de.odysseus.juel:juel-spi:2.2.7'
     runtimeOnly 'net.sf.barcode4j:barcode4j-fop-ext:2.1'
     runtimeOnly 'net.sf.barcode4j:barcode4j:2.1'
-    runtimeOnly 'org.apache.axis2:axis2-transport-http:1.7.9' // Above: SOAPEventHandler.java:42: error: package org.apache.axiom.om.impl.builder does not exist
-    runtimeOnly 'org.apache.axis2:axis2-transport-local:1.7.9' // Above: SOAPEventHandler.java:42: error: package org.apache.axiom.om.impl.builder does not exist
-    runtimeOnly 'org.apache.derby:derby:10.14.2.0'  // So far we did not update from 10.14.2.0 because of a compile issue. You may try w/ a newer version than 10.15.1.3
+    runtimeOnly 'org.apache.axis2:axis2-transport-http:1.8.1'
+    runtimeOnly 'org.apache.axis2:axis2-transport-local:1.8.1'
+    runtimeOnly 'org.apache.derby:derby:10.14.2.0' // So far we did not update from 10.14.2.0 because of a runtime issue with 10.16.1.1: java.lang.ClassNotFoundException: org.apache.derby.jdbc.EmbeddedDriver
     runtimeOnly 'org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec:2.1'
     runtimeOnly 'org.apache.logging.log4j:log4j-1.2-api:2.17.2' // for external jars using the old log4j1.2: routes logging to log4j 2
     runtimeOnly 'org.apache.logging.log4j:log4j-jul:2.17.2' // for external jars using the java.util.logging: routes logging to log4j 2
@@ -275,9 +283,9 @@ dependencies {
         compileOnly project(path: subProject.path, configuration: 'pluginLibsCompileOnly')
     }
 
-    junitReport 'junit:junit:4.13.1'
-    junitReport 'org.apache.ant:ant-junit:1.10.11'
-    asciidoctor 'org.asciidoctor:asciidoctorj-pdf:1.5.3'
+    junitReport 'junit:junit:4.13.2'
+    junitReport 'org.apache.ant:ant-junit:1.10.12'
+    asciidoctor 'org.asciidoctor:asciidoctorj-pdf:2.1.2'
     asciidoctor 'org.jruby:jruby-complete:9.2.19.0' // bug workaround - see OFBIZ-9873
 
     // Libraries downloaded manually
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
index 52fd639818..0037f607fa 100644
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
+++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecuredUpload.java
@@ -38,7 +38,6 @@ import java.nio.file.Paths;
 import java.nio.file.StandardOpenOption;
 import java.util.ArrayList;
 import java.util.Collection;
-import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
@@ -61,7 +60,6 @@ import org.apache.commons.imaging.ImageReadException;
 import org.apache.commons.imaging.ImageWriteException;
 import org.apache.commons.imaging.Imaging;
 import org.apache.commons.imaging.formats.gif.GifImageParser;
-import org.apache.commons.imaging.formats.jpeg.JpegImageParser;
 import org.apache.commons.imaging.formats.png.PngImageParser;
 import org.apache.commons.imaging.formats.tiff.TiffImageParser;
 import org.apache.commons.io.FileUtils;
@@ -371,7 +369,7 @@ public class SecuredUpload {
                 if (!fallbackOnApacheCommonsImaging) {
                     ImageIO.write(sanitizedImage, formatName, fos);
                 } else {
-                    ImageParser imageParser;
+                    ImageParser<?> imageParser;
                     // Handle only formats for which Apache Commons Imaging can successfully write (YES in Write column of the reference link)
                     // the image format. See reference link in the class header
                     switch (formatName) {
@@ -384,13 +382,13 @@ public class SecuredUpload {
                     case "PNG":
                         imageParser = new PngImageParser();
                         break;
-                    case "JPEG":
-                        imageParser = new JpegImageParser();
-                        break;
+                    // case "JPEG":
+                    // imageParser = new JpegImageParser(); // Does not provide imageParser.writeImage used below
+                    // break;
                     default:
                         throw new IOException("Format of the original image " + fileName + " is not supported for write operation !");
                     }
-                    imageParser.writeImage(sanitizedImage, fos, new HashMap<>());
+                    imageParser.writeImage(sanitizedImage, fos, null);
                 }
                 // Set state flag
                 safeState = true;
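Review bot: `imageParser.writeImage(sanitizedImage, fos, null)` passes `null` where the old code passed an empty map, and with the variable typed `ImageParser<?>` `null` is the only argument that compiles, so the write now depends on every remaining parser tolerating a null parameters object. That is not visible in this hunk, and the upload test mentioned in the commit message may not reach this fallback branch. Calling `writeImage` inside each `case` on the concrete parser, with a default-constructed parameters object of its own type, would remove that dependency. The three commented-out `case "JPEG"` lines should be deleted and replaced by one comment such as `// JPEG: Commons Imaging cannot write it, so it is rejected by the default branch below`, so that the rejection (the `IOException` is thrown before `safeState = true`) is stated rather than implied. The switch opens in the previous hunk and the method continues past this one.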
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/SOAPEventHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/SOAPEventHandler.java
index 6462f4971a..1716340bfe 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/SOAPEventHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/SOAPEventHandler.java
@@ -39,7 +39,7 @@ import org.apache.axiom.om.OMAbstractFactory;
 import org.apache.axiom.om.OMAttribute;
 import org.apache.axiom.om.OMElement;
 import org.apache.axiom.om.OMXMLBuilderFactory;
-import org.apache.axiom.om.impl.builder.StAXOMBuilder;
+import org.apache.axiom.om.OMXMLParserWrapper;
 import org.apache.axiom.soap.SOAPBody;
 import org.apache.axiom.soap.SOAPEnvelope;
 import org.apache.axiom.soap.SOAPFactory;
@@ -238,7 +238,8 @@ public class SOAPEventHandler implements EventHandler {
             String xmlResults = SoapSerializer.serialize(serviceResults);
             //Debug.logInfo("xmlResults ==================" + xmlResults, MODULE);
             XMLStreamReader reader = XMLInputFactory.newInstance().createXMLStreamReader(new StringReader(xmlResults));
-            StAXOMBuilder resultsBuilder = (StAXOMBuilder) OMXMLBuilderFactory.createStAXOMBuilder(OMAbstractFactory.getOMFactory(), reader);
+            OMXMLParserWrapper resultsBuilder = OMXMLBuilderFactory.createStAXOMBuilder(OMAbstractFactory.getOMFactory(),
+                    reader);
             OMElement resultSer = resultsBuilder.getDocumentElement();
 
             // create the response soap
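Review bot: The `XMLStreamReader` handed to the new `OMXMLParserWrapper` still comes from a bare `XMLInputFactory.newInstance()` with no properties set, so DTD processing and external-entity handling are left at the parser's defaults. `xmlResults` is produced server-side by `SoapSerializer.serialize(...)`, so exposure is probably limited, but service results can carry user-supplied strings and the hardening is cheap: keep the factory in a local and call `setProperty(XMLInputFactory.SUPPORT_DTD, false)` and `setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false)` before creating the reader. The same pattern appears in the hunk at `-290,7 +291,7`. The statement is also wrapped across two lines here but left on one line there; pick one form. Both methods start and end outside their hunks.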
@@ -265,7 +266,7 @@ public class SOAPEventHandler implements EventHandler {
                 }
             }
 
-            resEnv.serialize(response.getOutputStream());
+            resEnv.serialize(response.getOutputStream(), false);
             response.getOutputStream().flush();
         } catch (Exception e) {
             Debug.logError(e, MODULE);
@@ -290,7 +291,7 @@ public class SOAPEventHandler implements EventHandler {
             res.setContentType("text/xml");
             String xmlResults = SoapSerializer.serialize(object);
             XMLStreamReader xmlReader = XMLInputFactory.newInstance().createXMLStreamReader(new StringReader(xmlResults));
-            StAXOMBuilder resultsBuilder = (StAXOMBuilder) OMXMLBuilderFactory.createStAXOMBuilder(OMAbstractFactory.getOMFactory(), xmlReader);
+            OMXMLParserWrapper resultsBuilder = OMXMLBuilderFactory.createStAXOMBuilder(OMAbstractFactory.getOMFactory(), xmlReader);
             OMElement resultSer = resultsBuilder.getDocumentElement();
 
             // create the response soap
@@ -317,7 +318,7 @@ public class SOAPEventHandler implements EventHandler {
                 }
             }
 
-            resEnv.serialize(res.getOutputStream());
+            resEnv.serialize(res.getOutputStream(), false);
             res.getOutputStream().flush();
         } catch (Exception e) {
             throw new EventHandlerException(e.getMessage(), e);