Posted to commits@tika.apache.org by ta...@apache.org on 2022/05/27 18:26:04 UTC
[tika] branch main updated: TIKA-3777 -- rearrange excludes for ossindex and add minimal documentation per dependency.
This is an automated email from the ASF dual-hosted git repository.
tallison pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tika.git
The following commit(s) were added to refs/heads/main by this push:
new bdae06605 TIKA-3777 -- rearrange excludes for ossindex and add minimal documentation per dependency.
bdae06605 is described below
commit bdae0660513e0bb652ff1020685b7173fe50f896
Author: tallison <ta...@apache.org>
AuthorDate: Fri May 27 14:25:53 2022 -0400
TIKA-3777 -- rearrange excludes for ossindex and add minimal documentation per dependency.
---
tika-example/pom.xml | 30 ---------------
tika-parent/pom.xml | 29 +++++++++++++-
.../tika-parser-scientific-module/pom.xml | 18 ---------
.../tika-parsers-ml/tika-parser-nlp-module/pom.xml | 44 ----------------------
4 files changed, 27 insertions(+), 94 deletions(-)
diff --git a/tika-example/pom.xml b/tika-example/pom.xml
index 22421a16a..9bc9a42ff 100644
--- a/tika-example/pom.xml
+++ b/tika-example/pom.xml
@@ -155,36 +155,6 @@
</execution>
</executions>
</plugin>
- <plugin>
- <groupId>org.sonatype.ossindex.maven</groupId>
- <artifactId>ossindex-maven-plugin</artifactId>
- <version>3.2.0</version>
- <configuration>
- <excludeCoordinates>
- <exclude>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- <version>${guava.version}</version>
- </exclude>
- <exclude>
- <groupId>com.ibm.icu</groupId>
- <artifactId>icu4j</artifactId>
- <version>${icu4j.version}</version>
- </exclude>
- <exclude>
- <groupId>xerces</groupId>
- <artifactId>xercesImpl</artifactId>
- <version>${xerces.version}</version>
- </exclude>
- <exclude>
- <groupId>commons-dbcp</groupId>
- <artifactId>commons-dbcp</artifactId>
- <version>1.4</version>
- </exclude>
- </excludeCoordinates>
- <fail>true</fail>
- </configuration>
- </plugin>
</plugins>
</build>
diff --git a/tika-parent/pom.xml b/tika-parent/pom.xml
index 54f05dd56..dd0f721c8 100644
--- a/tika-parent/pom.xml
+++ b/tika-parent/pom.xml
@@ -762,14 +762,19 @@
<version>2.18.0</version>
</exclude>
<exclude>
+ <!-- sonatype https://github.com/google/guava/issues/4011 -->
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>31.1-jre</version>
</exclude>
+ <!-- sonatype points to a sve in 1.4.199 for this ?!
+ https://www.exploit-db.com/exploits/49384
+ https://codewhitesec.blogspot.com/2019/08/exploit-h2-database-native-libraries-jni.html
+ -->
<exclude>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
- <version>2.1.212</version>
+ <version>${h2.version}</version>
</exclude>
<exclude>
<!-- CVE-2018-18928 seems to be about the c++ library, not the java library -->
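Review bot: Switching the h2 exclusion from the literal `2.1.212` to `${h2.version}` makes the suppression follow every future upgrade automatically, so an advisory published against a later H2 release would be silenced without anyone re-reviewing the exclusion. An exclusion is safer when it names the exact version that was reviewed, because bumping the dependency then fails the audit and forces the entry to be re-justified; I would keep `<version>2.1.212</version>` here (and a literal for the xerces entry in the next hunk) and accept the small maintenance cost. The comment's "sve" reads as a typo for "CVE", and the two linked write-ups describe, as far as I can tell, post-authentication techniques (alias/JNI loading through a live H2 connection), so a sentence stating how Tika actually uses H2 — embedded, no remote listener, if that is the case — would make the "not applicable" argument explicit: `<!-- findings assume a network-reachable H2 with valid credentials; Tika only uses an embedded instance, so not applicable as used here — re-check on upgrade -->`.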
@@ -783,9 +788,29 @@
<version>4.1.77.Final</version>
</exclude>
<exclude>
+ <!-- the most recent cve in sonatype for this artifact is 2.11.0,
+ not at all the version we're using...smh-->
<groupId>xerces</groupId>
<artifactId>xercesImpl</artifactId>
- <version>2.12.2</version>
+ <version>${xerces.version}</version>
+ </exclude>
+ <!-- these are used by the nlp-module -->
+ <exclude>
+ <groupId>org.apache.lucene</groupId>
+ <artifactId>lucene-queryparser</artifactId>
+ <version>4.0.0</version>
+ </exclude>
+ <exclude>
+ <groupId>log4j</groupId>
+ <artifactId>log4j</artifactId>
+ <version>1.2.17</version>
+ </exclude>
+ <!-- this one is used in tika-example -->
+ <exclude>
+ <!-- sonatype: https://github.com/apache/commons-dbcp/commit/a4c5af0da1de3a7f50c72fc7edaa1f653ca276dd -->
+ <groupId>commons-dbcp</groupId>
+ <artifactId>commons-dbcp</artifactId>
+ <version>1.4</version>
</exclude>
</excludeCoordinates>
<fail>true</fail>
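Review bot: The new `log4j:log4j:1.2.17` and `org.apache.lucene:lucene-queryparser:4.0.0` entries carry no justification beyond "used by the nlp-module", which is the per-dependency documentation the commit title promises, and because they now live in the parent they suppress findings for every inheriting module rather than just the one that needed them. log4j 1.2.x is end-of-life with several published advisories (the SocketServer, JMSAppender/JMSSink and JDBCAppender deserialization issues, as I recall), so the exclusion should state which of those are ruled out and why, e.g. `<!-- log4j 1.x, pulled in transitively by the nlp-module only; SocketServer/JMSAppender/JDBCAppender are not configured, so the reported deserialization findings do not apply; revisit if the dependency cannot be replaced by reload4j -->`, with a similar note for the lucene entry. The xerces exclusion now keys on `${xerces.version}`, so it will silently carry over to any future upgrade; a literal version would force a re-review on each bump. The rest of the plugin configuration (plugin coordinates, executions) is outside this hunk, so I cannot confirm that the `audit` execution removed from the nlp-module pom is still triggered from the parent.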
diff --git a/tika-parsers/tika-parsers-extended/tika-parser-scientific-module/pom.xml b/tika-parsers/tika-parsers-extended/tika-parser-scientific-module/pom.xml
index e989900a8..697a1cacd 100644
--- a/tika-parsers/tika-parsers-extended/tika-parser-scientific-module/pom.xml
+++ b/tika-parsers/tika-parsers-extended/tika-parser-scientific-module/pom.xml
@@ -132,24 +132,6 @@ May the gods of dependency management fix this in the future.
</execution>
</executions>
</plugin>
- <plugin>
- <groupId>org.sonatype.ossindex.maven</groupId>
- <artifactId>ossindex-maven-plugin</artifactId>
- <configuration>
- <excludeCoordinates>
- <exclude>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- <version>31.1-jre</version>
- </exclude>
- <exclude>
- <groupId>xerces</groupId>
- <artifactId>xercesImpl</artifactId>
- <version>2.12.2</version>
- </exclude>
- </excludeCoordinates>
- </configuration>
- </plugin>
</plugins>
</build>
diff --git a/tika-parsers/tika-parsers-ml/tika-parser-nlp-module/pom.xml b/tika-parsers/tika-parsers-ml/tika-parser-nlp-module/pom.xml
index 3f76b5786..ac2b993c9 100644
--- a/tika-parsers/tika-parsers-ml/tika-parser-nlp-module/pom.xml
+++ b/tika-parsers/tika-parsers-ml/tika-parser-nlp-module/pom.xml
@@ -210,50 +210,6 @@
</build>
</profile>
</profiles>
- <build>
- <plugins>
- <plugin>
- <groupId>org.sonatype.ossindex.maven</groupId>
- <artifactId>ossindex-maven-plugin</artifactId>
- <version>3.2.0</version>
- <configuration>
- <fail>true</fail>
- <excludeCoordinates>
- <exclude>
- <groupId>log4j</groupId>
- <artifactId>log4j</artifactId>
- <version>1.2.17</version>
- </exclude>
- <exclude>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- <version>31.1-jre</version>
- </exclude>
- <exclude>
- <groupId>xerces</groupId>
- <artifactId>xercesImpl</artifactId>
- <version>2.12.2</version>
- </exclude>
- <exclude>
- <groupId>org.apache.lucene</groupId>
- <artifactId>lucene-queryparser</artifactId>
- <version>4.0.0</version>
- </exclude>
- </excludeCoordinates>
- </configuration>
- <executions>
- <execution>
- <id>audit-dependencies</id>
- <phase>validate</phase>
- <goals>
- <goal>audit</goal>
- </goals>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
-
<scm>
<tag>2.2.1-rc2</tag>
</scm>