Posted to commits@maven.apache.org by sl...@apache.org on 2021/01/22 22:35:58 UTC
[maven-indexer] 01/01: [MINDEXER-126] Remove guava dependency from
indexer-core
This is an automated email from the ASF dual-hosted git repository.
slachiewicz pushed a commit to branch MINDEXER-126
in repository https://gitbox.apache.org/repos/asf/maven-indexer.git
commit 7651b9bf3b7162aa83fa0de5a06864c78a495a38
Author: Alexander Kurtakov <ak...@redhat.com>
AuthorDate: Fri Jan 22 23:51:52 2021 +0200
[MINDEXER-126] Remove guava dependency from indexer-core
The guava dependency suffers from multiple CVEs:
* guava < 24.1.1 is vulnerable to CVE-2018-10237.
* guava < 30.0 is vulnerable to CVE-2020-8908.
Moving to guava 30.1 will require moving to Java 8 so it's actually
simpler to just remove the dependency altogether.
Signed-off-by: Alexander Kurtakov <ak...@redhat.com>
---
indexer-core/pom.xml | 5 -----
.../src/main/java/org/apache/maven/index/ArtifactInfo.java | 5 ++---
.../org/apache/maven/index/context/TrackingLockFactory.java | 12 +++++++-----
.../org/apache/maven/index/packer/IndexPackingRequest.java | 10 +++++-----
.../java/org/apache/maven/index/updater/IndexDataReader.java | 7 +++----
5 files changed, 17 insertions(+), 22 deletions(-)
diff --git a/indexer-core/pom.xml b/indexer-core/pom.xml
index d6f6fdc..c36de84 100644
--- a/indexer-core/pom.xml
+++ b/indexer-core/pom.xml
@@ -40,11 +40,6 @@ under the License.
<artifactId>slf4j-api</artifactId>
</dependency>
- <dependency>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- </dependency>
-
<!-- DI -->
<dependency>
<groupId>javax.inject</groupId>
diff --git a/indexer-core/src/main/java/org/apache/maven/index/ArtifactInfo.java b/indexer-core/src/main/java/org/apache/maven/index/ArtifactInfo.java
index 7f75838..ca95342 100644
--- a/indexer-core/src/main/java/org/apache/maven/index/ArtifactInfo.java
+++ b/indexer-core/src/main/java/org/apache/maven/index/ArtifactInfo.java
@@ -37,8 +37,6 @@ import org.eclipse.aether.version.InvalidVersionSpecificationException;
import org.eclipse.aether.version.Version;
import org.eclipse.aether.version.VersionScheme;
-import com.google.common.base.Strings;
-
/**
* ArtifactInfo holds the values known about an repository artifact. This is a simple Value Object kind of stuff.
* Phasing out.
@@ -431,7 +429,8 @@ public class ArtifactInfo
public String toString()
{
final StringBuilder result = new StringBuilder( getUinfo() );
- if ( !Strings.isNullOrEmpty( getPackaging() ) )
+ String packaging = getPackaging();
+ if (packaging != null && !getPackaging().isEmpty())
{
result.append( "[" ).append( getPackaging() ).append( "]" );
}
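Review bot: The added null check stores `getPackaging()` in `packaging` but then calls the getter again for the `isEmpty()` test and for the `append`, so the local only covers the first of three reads. Use the local throughout: `if ( packaging != null && !packaging.isEmpty() )` and `result.append( "[" ).append( packaging ).append( "]" );`. That also restores the spaced-parenthesis style used by the surrounding lines, which the added `if` drops. If the packaging value can change between calls (not visible in this hunk), a later call could return null after the check has passed. The body of toString() continues outside the hunk.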
diff --git a/indexer-core/src/main/java/org/apache/maven/index/context/TrackingLockFactory.java b/indexer-core/src/main/java/org/apache/maven/index/context/TrackingLockFactory.java
index 9bc6a02..fc85f9c 100644
--- a/indexer-core/src/main/java/org/apache/maven/index/context/TrackingLockFactory.java
+++ b/indexer-core/src/main/java/org/apache/maven/index/context/TrackingLockFactory.java
@@ -1,5 +1,7 @@
package org.apache.maven.index.context;
+import static java.util.Objects.requireNonNull;
+
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
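Review bot: The added `import static java.util.Objects.requireNonNull;` sits between the package declaration and the ASF license comment, apart from the file's other imports. Move it into the import block below the license header, which the next hunk of this file already edits, so all imports stay together and the license comment keeps its position directly after the package line. The first hunk of IndexPackingRequest.java has the same placement.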
@@ -21,13 +23,13 @@ package org.apache.maven.index.context;
import java.io.IOException;
import java.util.Collections;
+import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
+
import org.apache.lucene.store.Directory;
import org.apache.lucene.store.Lock;
import org.apache.lucene.store.LockFactory;
-import static com.google.common.base.Preconditions.checkNotNull;
-import java.util.HashSet;
/**
*
@@ -43,7 +45,7 @@ final class TrackingLockFactory
TrackingLockFactory( final LockFactory delegate )
{
- this.delegate = checkNotNull( delegate );
+ this.delegate = requireNonNull( delegate );
this.emittedLocks = Collections.newSetFromMap( new ConcurrentHashMap<TrackingLock, Boolean>() );
}
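Review bot: `requireNonNull( delegate )` throws a NullPointerException with no message, so a caller that passes null gets no hint which argument was rejected. Consider the two-argument form, `this.delegate = requireNonNull( delegate, "delegate" );`. The same applies to the TrackingLock constructor in the next hunk and to `context`, `indexReader` and `targetDir` in the IndexPackingRequest constructor. Apart from the added message, this behaves the same as the Guava call it replaces.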
@@ -78,8 +80,8 @@ final class TrackingLockFactory
TrackingLock( final Lock delegate, final String name )
{
- this.delegate = checkNotNull( delegate );
- this.name = checkNotNull( name );
+ this.delegate = requireNonNull( delegate );
+ this.name = requireNonNull( name );
}
String getName()
diff --git a/indexer-core/src/main/java/org/apache/maven/index/packer/IndexPackingRequest.java b/indexer-core/src/main/java/org/apache/maven/index/packer/IndexPackingRequest.java
index 850d9d8..98809d2 100644
--- a/indexer-core/src/main/java/org/apache/maven/index/packer/IndexPackingRequest.java
+++ b/indexer-core/src/main/java/org/apache/maven/index/packer/IndexPackingRequest.java
@@ -1,5 +1,7 @@
package org.apache.maven.index.packer;
+import static java.util.Objects.requireNonNull;
+
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
@@ -26,8 +28,6 @@ import java.util.Collection;
import org.apache.lucene.index.IndexReader;
import org.apache.maven.index.context.IndexingContext;
-import static com.google.common.base.Preconditions.checkNotNull;
-
/**
* An index packing request.
*/
@@ -53,11 +53,11 @@ public class IndexPackingRequest
public IndexPackingRequest( final IndexingContext context, final IndexReader indexReader, final File targetDir )
{
- this.context = checkNotNull( context );
+ this.context = requireNonNull( context );
- this.indexReader = checkNotNull( indexReader );
+ this.indexReader = requireNonNull( indexReader );
- this.targetDir = checkNotNull( targetDir );
+ this.targetDir = requireNonNull( targetDir );
this.createIncrementalChunks = true;
diff --git a/indexer-core/src/main/java/org/apache/maven/index/updater/IndexDataReader.java b/indexer-core/src/main/java/org/apache/maven/index/updater/IndexDataReader.java
index c5f1d71..3e80c13 100644
--- a/indexer-core/src/main/java/org/apache/maven/index/updater/IndexDataReader.java
+++ b/indexer-core/src/main/java/org/apache/maven/index/updater/IndexDataReader.java
@@ -27,11 +27,10 @@ import java.io.IOException;
import java.io.InputStream;
import java.io.UTFDataFormatException;
import java.util.Date;
-import java.util.zip.GZIPInputStream;
-
-import com.google.common.base.Strings;
import java.util.LinkedHashSet;
import java.util.Set;
+import java.util.zip.GZIPInputStream;
+
import org.apache.lucene.document.Document;
import org.apache.lucene.document.Field;
import org.apache.lucene.document.FieldType;
@@ -159,7 +158,7 @@ public class IndexDataReader
// Fix up UINFO field wrt MINDEXER-41
final Field uinfoField = (Field) doc.getField( ArtifactInfo.UINFO );
final String info = doc.get( ArtifactInfo.INFO );
- if ( uinfoField != null && !Strings.isNullOrEmpty( info ) )
+ if ( uinfoField != null && info != null && !info.isEmpty() )
{
final String[] splitInfo = ArtifactInfo.FS_PATTERN.split( info );
if ( splitInfo.length > 6 )