Posted to dev@sling.apache.org by Andreas Schaefer <sc...@me.com.INVALID> on 2023/02/03 15:40:40 UTC

Upgrade graphql-java to 17.4

Hi

I am tasked with upgrading graphql-java for AEM to at least 17.4 because of a vulnerability https://nvd.nist.gov/vuln/detail/CVE-2022-37734

I saw that Radu created a ticket for upgrading to graphql-java 17: https://github.com/graphql-java/graphql-java/releases/tag/v17.0

I assigned that ticket to me and will see what needs to be done to make this work in Sling as well as in AEM.

Let me know if you have any objections or already worked on it.

Thanks - Andy Schaefer

Re: Upgrade graphql-java to 17.4

Posted by Andreas Schaefer <sc...@me.com.INVALID>.
Hi

Just an update on the development of moving to a newer version of graphql-java:

Testing with Sling Graphql Core and AEM I did test graphql-java 17.4 and 20.0 and both versions seem to work just fine, even though 20.0 does lead to a PAX testing issue in Sling Graphql Core, but I think that’s not a big issue.

There are a few issues that I am working out with the graphql-java team:

- sun.misc is imported in the bundle (resolved)
- MANIFEST.MF is not 1st entry in the JAR file (work in progress)

Cheers - Andy

> On Feb 3, 2023, at 10:25 AM, Andreas Schaefer <sc...@me.com.INVALID> wrote:
> 
> Right now I am having issues with the SelectionSetWrapper and SelectedFieldWrapper. The way graphql-java is providing the DataFetchingFieldSelectionSet is quite different and I am not sure how to handle it.
> 
> The big difference is that there are no sub fields anymore and also no InlineFragment vs Field. The Inline Fragment is not part of the Object Type and a field name with different object types are combined into one. This means I need to handle Object Types either in the caller to create one SelectedFieldWrapper for each type or change the entire logic and make the Sling Graphql Core work similar to graphql-java.
> 
> I will start without changing Sling and then see if it works out.
> 
> - Andy
> 
>> On Feb 3, 2023, at 9:03 AM, Radu Cotescu <ra...@apache.org> wrote:
>> 
>> Hi Andy,
>> 
>>> On 3 Feb 2023, at 16:40, Andreas Schaefer <sc...@me.com.INVALID> wrote:
>>> 
>>> Hi
>>> 
>>> I am tasked with upgrading graphql-java for AEM to at least 17.4 because of a vulnerability https://nvd.nist.gov/vuln/detail/CVE-2022-37734
>>> 
>>> I saw that Radu created a ticket for upgrading to graphql-java 17: https://github.com/graphql-java/graphql-java/releases/tag/v17.0
>>> 
>>> I assigned that ticket to me and will see what needs to be done to make this work in Sling as well as in AEM.
>>> 
>>> Let me know if you have any objections or already worked on it.
>>> 
>>> Thanks - Andy Schaefer
>> 
>> No objections on my side. I started looking into this [0], but didn’t get to commit anything. I remember I had issues with dynamically registering our Sling directives [1], but I had to switch to a different task and forgot about [0].
>> 
>> Thanks,
>> Radu
>> 
>> [0] - https://issues.apache.org/jira/browse/SLING-10900
>> [1] - https://github.com/apache/sling-org-apache-sling-graphql-core/blob/0b1c1dd72ed04324ea84d2227c3223ec65b0b21e/src/main/java/org/apache/sling/graphql/core/directives/Directives.java
>> 
> 
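
A pre-upgrade check for the two packaging issues listed in the message above, as an added example that is not part of the original thread or of graphql-java or Sling. Streaming readers such as `java.util.jar.JarInputStream` only pick up the manifest when it is the first entry (or directly follows `META-INF/`), and an `Import-Package` on `sun.misc` has to be satisfied by the OSGi framework; the function names, finding labels and sample manifest are constructed for illustration.

```python
import io
import re
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"

def main_attributes(raw: bytes) -> dict:
    """Parse the manifest's main section, joining continuation lines."""
    lines = []
    for line in raw.decode("utf-8").splitlines():
        if not line:                        # blank line ends the main section
            break
        if line.startswith(" ") and lines:  # continuation of previous header
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return dict(l.split(": ", 1) for l in lines if ": " in l)

def imported_packages(header: str) -> list:
    """Package names in Import-Package (quoted version ranges hold commas)."""
    unquoted = re.sub(r'"[^"]*"', "", header)
    return [p.strip() for clause in unquoted.split(",")
            for p in clause.split(";") if p.strip() and "=" not in p]

def check_bundle(jar_bytes: bytes) -> list:
    """Return findings for the two packaging problems named in the thread."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        # Physical entry order, which is what a streaming reader sees.
        names = [i.filename for i in
                 sorted(jar.infolist(), key=lambda i: i.header_offset)]
        if MANIFEST not in names:
            return ["no-manifest"]
        leading = [n for n in names[:2] if n != "META-INF/"]
        if leading[:1] != [MANIFEST]:
            findings.append("manifest-not-first")
        attrs = main_attributes(jar.read(MANIFEST))
    if "sun.misc" in imported_packages(attrs.get("Import-Package", "")):
        findings.append("imports-sun.misc")
    return findings

def build_jar(entries) -> bytes:
    """Build a constructed sample JAR from (name, content) pairs, in order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries:
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample manifest, not taken from graphql-java.
SAMPLE_MF = ("Manifest-Version: 1.0\r\nBundle-SymbolicName: example.bundle\r\n"
             'Import-Package: org.example.api;version="[1.0,2)",\r\n sun.misc\r\n\r\n')
```

Calling `check_bundle(build_jar([("example/A.class", b""), (MANIFEST, SAMPLE_MF)]))` reports both findings; run against a real artifact by passing the bytes of the downloaded JAR.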


Re: Upgrade graphql-java to 17.4

Posted by Andreas Schaefer <sc...@me.com.INVALID>.
Right now I am having issues with the SelectionSetWrapper and SelectedFieldWrapper. The way graphql-java is providing the DataFetchingFieldSelectionSet is quite different and I am not sure how to handle it.

The big difference is that there are no sub fields anymore and also no InlineFragment vs Field. The Inline Fragment is not part of the Object Type and a field name with different object types are combined into one. This means I need to handle Object Types either in the caller to create one SelectedFieldWrapper for each type or change the entire logic and make the Sling Graphql Core work similar to graphql-java.

I will start without changing Sling and then see if it works out.

- Andy

> On Feb 3, 2023, at 9:03 AM, Radu Cotescu <ra...@apache.org> wrote:
> 
> Hi Andy,
> 
>> On 3 Feb 2023, at 16:40, Andreas Schaefer <sc...@me.com.INVALID> wrote:
>> 
>> Hi
>> 
>> I am tasked with upgrading graphql-java for AEM to at least 17.4 because of a vulnerability https://nvd.nist.gov/vuln/detail/CVE-2022-37734
>> 
>> I saw that Radu created a ticket for upgrading to graphql-java 17: https://github.com/graphql-java/graphql-java/releases/tag/v17.0
>> 
>> I assigned that ticket to me and will see what needs to be done to make this work in Sling as well as in AEM.
>> 
>> Let me know if you have any objections or already worked on it.
>> 
>> Thanks - Andy Schaefer
> 
> No objections on my side. I started looking into this [0], but didn’t get to commit anything. I remember I had issues with dynamically registering our Sling directives [1], but I had to switch to a different task and forgot about [0].
> 
> Thanks,
> Radu
> 
> [0] - https://issues.apache.org/jira/browse/SLING-10900
> [1] - https://github.com/apache/sling-org-apache-sling-graphql-core/blob/0b1c1dd72ed04324ea84d2227c3223ec65b0b21e/src/main/java/org/apache/sling/graphql/core/directives/Directives.java
> 


Re: Upgrade graphql-java to 17.4

Posted by Radu Cotescu <ra...@apache.org>.
Hi Andy,

> On 3 Feb 2023, at 16:40, Andreas Schaefer <sc...@me.com.INVALID> wrote:
> 
> Hi
> 
> I am tasked with upgrading graphql-java for AEM to at least 17.4 because of a vulnerability https://nvd.nist.gov/vuln/detail/CVE-2022-37734
> 
> I saw that Radu created a ticket for upgrading to graphql-java 17: https://github.com/graphql-java/graphql-java/releases/tag/v17.0
> 
> I assigned that ticket to me and will see what needs to be done to make this work in Sling as well as in AEM.
> 
> Let me know if you have any objections or already worked on it.
> 
> Thanks - Andy Schaefer

No objections on my side. I started looking into this [0], but didn’t get to commit anything. I remember I had issues with dynamically registering our Sling directives [1], but I had to switch to a different task and forgot about [0].

Thanks,
Radu

[0] - https://issues.apache.org/jira/browse/SLING-10900
[1] - https://github.com/apache/sling-org-apache-sling-graphql-core/blob/0b1c1dd72ed04324ea84d2227c3223ec65b0b21e/src/main/java/org/apache/sling/graphql/core/directives/Directives.java