Posted to commits@royale.apache.org by jo...@apache.org on 2022/10/18 20:52:53 UTC

[royale-compiler] 01/02: Dependencies: upgrade commons-io to v2.11.0 to avoid CVE in old version (closes #218)

This is an automated email from the ASF dual-hosted git repository.

joshtynjala pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/royale-compiler.git

commit 34a2090083fdbc5d7a646786c2b5f99c53369d3a
Author: Josh Tynjala <jo...@apache.org>
AuthorDate: Tue Oct 18 13:40:06 2022 -0700

    Dependencies: upgrade commons-io to v2.11.0 to avoid CVE in old version (closes #218)
---
 compiler-build-tools/pom.xml                 |  2 +-
 compiler-common/pom.xml                      |  2 +-
 compiler-jx/src/main/resources/downloads.xml | 15 +++++++++------
 compiler-playerglobalc/pom.xml               |  2 +-
 compiler-test-utils/pom.xml                  |  2 +-
 compiler/pom.xml                             |  2 +-
 compiler/src/main/resources/downloads.xml    | 15 +++++++++------
 royale-maven-plugin/pom.xml                  |  2 +-
 8 files changed, 24 insertions(+), 18 deletions(-)

diff --git a/compiler-build-tools/pom.xml b/compiler-build-tools/pom.xml
index a2fe1d614..9485bee26 100644
--- a/compiler-build-tools/pom.xml
+++ b/compiler-build-tools/pom.xml
@@ -177,7 +177,7 @@
     <dependency>
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
-      <version>2.6</version>
+      <version>2.11.0</version>
     </dependency>
     <dependency>
       <groupId>org.apache.maven</groupId>
diff --git a/compiler-common/pom.xml b/compiler-common/pom.xml
index d5a31654b..708f2f378 100644
--- a/compiler-common/pom.xml
+++ b/compiler-common/pom.xml
@@ -58,7 +58,7 @@
     <dependency>
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
-      <version>2.6</version>
+      <version>2.11.0</version>
     </dependency>
     <dependency>
       <groupId>commons-cli</groupId>
diff --git a/compiler-jx/src/main/resources/downloads.xml b/compiler-jx/src/main/resources/downloads.xml
index 1a4a38240..48a7a2eb8 100644
--- a/compiler-jx/src/main/resources/downloads.xml
+++ b/compiler-jx/src/main/resources/downloads.xml
@@ -26,7 +26,7 @@
           For Apache, the JARS must be removed from the repository.
 
           Licenses:
-              commons-io (2.4) - Apache 2.0
+              commons-io (2.11.0) - Apache 2.0
               closure (9.2) - Apache 2.0
   -->
 
@@ -103,13 +103,13 @@
     
     <!--  commons-io -->
     <property name="commons-io.name" value="commons-io"/>
-    <property name="commons-io.version" value="2.4"/>
+    <property name="commons-io.version" value="2.11.0"/>
     <antcall target="download-dependency">
         <param name="name" value="${commons-io.name}"/>
         <param name="src.server" value="${maven.search.url}"/>
         <param name="src.folder" value="commons-io/commons-io/${commons-io.version}"/>
         <param name="src.filename" value="${commons-io.name}-${commons-io.version}.jar"/>
-        <param name="src.checksum" value="7f97854dc04c119d461fed14f5d8bb96"/>
+        <param name="src.checksum" value="3b4b7ccfaeceeac240b804839ee1a1ca"/>
         <param name="dest.folder" value=""/>
         <param name="dest.filename" value="${commons-io.name}.jar"/>
     </antcall>
@@ -375,10 +375,13 @@
   </target>
 
   <target name="check-sum" if="md5" description="Verifies MD5 checksum, and fails if checksum doesn't match">
-    <checksum file="${destDir}/${destFile}" algorithm="MD5" verifyproperty="we.failed" property="${md5}"/>
-    <fail message="${message}">
+    <local name="checksum.result"/>
+    <checksum file="${destDir}/${destFile}" algorithm="MD5" property="checksum.result"/>
+    <fail message="${message} Expected: ${md5} Received: ${checksum.result}">
       <condition>
-        <equals arg1="${we.failed}" arg2="false"/>
+        <not>
+          <equals arg1="${md5}" arg2="${checksum.result}"/>
+        </not>
       </condition>
     </fail>
   </target>
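Review bot: The new comparison `<equals arg1="${md5}" arg2="${checksum.result}"/>` is case-sensitive, while Ant's `<checksum>` task writes the digest as lowercase hex, so an expected value copied in uppercase (or with a trailing space) would fail as a "mismatch" that is really a formatting difference; `<equals arg1="${md5}" arg2="${checksum.result}" casesensitive="false" trim="true"/>` keeps the check just as strict while removing that false negative. Separately, the target still pins downloaded jars by MD5 alone; the same task accepts `algorithm="SHA-256"`, and because MD5 is no longer collision-resistant a SHA-256 digest recorded next to the existing MD5 would make the download check meaningfully stronger (the `download-dependency` target that supplies `${md5}` and `${message}` is outside this hunk, so the parameter plumbing cannot be confirmed here). The unchanged `if="md5"` guard also means a call that omits the checksum skips verification silently rather than failing, which is worth a comment on the target such as `<!-- Skipped entirely when no md5 is supplied; every download should pass one. -->`. The identical rewrite in compiler/src/main/resources/downloads.xml below has the same points.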
diff --git a/compiler-playerglobalc/pom.xml b/compiler-playerglobalc/pom.xml
index 37ca6c080..d44864787 100644
--- a/compiler-playerglobalc/pom.xml
+++ b/compiler-playerglobalc/pom.xml
@@ -68,7 +68,7 @@
     <dependency>
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
-      <version>2.4</version>
+      <version>2.11.0</version>
     </dependency>
     <dependency>
       <groupId>dom4j</groupId>
diff --git a/compiler-test-utils/pom.xml b/compiler-test-utils/pom.xml
index 511869ba2..6091588e1 100644
--- a/compiler-test-utils/pom.xml
+++ b/compiler-test-utils/pom.xml
@@ -42,7 +42,7 @@
     <dependency>
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
-      <version>2.4</version>
+      <version>2.11.0</version>
     </dependency>
     <dependency>
       <groupId>junit</groupId>
diff --git a/compiler/pom.xml b/compiler/pom.xml
index 4391365c3..5be048f62 100644
--- a/compiler/pom.xml
+++ b/compiler/pom.xml
@@ -591,7 +591,7 @@
     <dependency>
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
-      <version>2.4</version>
+      <version>2.11.0</version>
     </dependency>
     <dependency>
       <groupId>commons-cli</groupId>
diff --git a/compiler/src/main/resources/downloads.xml b/compiler/src/main/resources/downloads.xml
index b3195a2c2..ebb8f60d2 100644
--- a/compiler/src/main/resources/downloads.xml
+++ b/compiler/src/main/resources/downloads.xml
@@ -28,7 +28,7 @@
           Licenses:
               antlr (3) - BSD
               commons-cli (1.2) - Apache 2.0
-              commons-io (2.0.1) - Apache 2.0
+              commons-io (2.11.0) - Apache 2.0
               guava (25.1) - Apache 2.0
               JBurg (1.10.2) - CPL 1.0
               lzma-sdk (9.2) - Public Domain
@@ -105,13 +105,13 @@
 
     <!--  commons-io -->
     <property name="commons-io.name" value="commons-io"/>
-    <property name="commons-io.version" value="2.4"/>
+    <property name="commons-io.version" value="2.11.0"/>
     <antcall target="download-dependency">
       <param name="name" value="${commons-io.name}"/>
       <param name="src.server" value="${maven.search.url}"/>
       <param name="src.folder" value="commons-io/commons-io/${commons-io.version}"/>
       <param name="src.filename" value="${commons-io.name}-${commons-io.version}.jar"/>
-      <param name="src.checksum" value="7f97854dc04c119d461fed14f5d8bb96"/>
+      <param name="src.checksum" value="3b4b7ccfaeceeac240b804839ee1a1ca"/>
       <param name="dest.folder" value=""/>
       <param name="dest.filename" value="${commons-io.name}.jar"/>
     </antcall>
@@ -468,10 +468,13 @@
   </target>
 
   <target name="check-sum" if="md5" description="Verifies MD5 checksum, and fails if checksum doesn't match">
-    <checksum file="${destDir}/${destFile}" algorithm="MD5" verifyproperty="we.failed" property="${md5}"/>
-    <fail message="${message}">
+    <local name="checksum.result"/>
+    <checksum file="${destDir}/${destFile}" algorithm="MD5" property="checksum.result"/>
+    <fail message="${message} Expected: ${md5} Received: ${checksum.result}">
       <condition>
-        <equals arg1="${we.failed}" arg2="false"/>
+        <not>
+          <equals arg1="${md5}" arg2="${checksum.result}"/>
+        </not>
       </condition>
     </fail>
   </target>
diff --git a/royale-maven-plugin/pom.xml b/royale-maven-plugin/pom.xml
index cc2ba519a..570d24bbf 100644
--- a/royale-maven-plugin/pom.xml
+++ b/royale-maven-plugin/pom.xml
@@ -78,7 +78,7 @@
     <dependency>
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
-      <version>2.4</version>
+      <version>2.11.0</version>
     </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>