SORMAS-Foundation / SORMAS-Project

SORMAS (Surveillance, Outbreak Response Management and Analysis System) is an early warning and management system to fight the spread of infectious diseases.
https://sormas.org
GNU General Public License v3.0

Update dependencies (2023-Q1) [3] #11032

Closed StefanKock closed 1 year ago

StefanKock commented 1 year ago

Problem Description

Some dependencies have newer versions that should be updated.

Proposed Change

Update easy-to-increase dependencies all at once.

Acceptance Criteria

Implementation Details

  1. Move this from sormas-api to dependencyManagement in sormas-base:

        <dependency>
            <groupId>uk.co.jemos.podam</groupId>
            <artifactId>podam</artifactId>
            <version>7.2.8.RELEASE</version>
            <scope>test</scope>
        </dependency>
  2. Update the following maven plugins:

    • io.swagger.core.v3:swagger-jaxrs2 .................... 2.1.13 -> 2.2.7
  3. ~50 dependencies have newer versions, from which most are probably due to be updated (if no incompatibilities face up).

    Dependency Update analysis
mvn versions:display-dependency-updates

[INFO] --------------------< de.symeda.sormas:sormas-api >---------------------
[INFO] Building sormas-api 1.77.0-SNAPSHOT                               [3/10]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]   uk.co.jemos.podam:podam .............. 7.2.8.RELEASE -> 7.2.11.RELEASE

[INFO] --------------------< de.symeda.sormas:sormas-base >--------------------
[INFO] Building sormas-base 1.77.0-SNAPSHOT                              [1/10]
[INFO] --------------------------------[ pom ]---------------------------------
[INFO] 
[INFO] The following dependencies in Dependency Management have newer versions:
[INFO]   ca.uhn.hapi.fhir:hapi-fhir-structures-r4 .............. 5.7.0 -> 6.2.1
[INFO]   ca.uhn.hapi.fhir:org.hl7.fhir.r4 .................... 5.6.36 -> 5.6.80
[INFO]   ch.qos.logback:logback-classic ....................... 1.2.10 -> 1.4.5
[INFO]   ch.qos.logback:logback-core .......................... 1.2.10 -> 1.4.5
[INFO]   com.google.guava:guava ........................ 31.0.1-jre -> 31.1-jre
[INFO]   com.google.http-client:google-http-client ........... 1.41.4 -> 1.42.3
[INFO]   com.google.http-client:google-http-client-gson ...... 1.41.4 -> 1.42.3
[INFO]   com.googlecode.libphonenumber:libphonenumber ....... 8.12.43 -> 8.13.1
[INFO]   com.h2database:h2 ................................. 2.1.210 -> 2.1.214
[INFO]   com.ibm.etcd:etcd-java .............................. 0.0.19 -> 0.0.22
[INFO]   com.sun.xml.fastinfoset:FastInfoset .................. 1.2.18 -> 2.1.0  (watch hibernate compatibility)
[INFO]   com.tngtech.archunit:archunit-junit5 ................. 0.22.0 -> 1.0.1
[INFO]   com.vladmihalcea:hibernate-types-55 ................. 2.14.0 -> 2.20.0
[INFO]   commons-beanutils:commons-beanutils ......... 1.9.4 -> 20030211.134440
[INFO]   commons-codec:commons-codec .................. 1.15 -> 20041127.091804
[INFO]   commons-collections:commons-collections ............ 3.2.2 -> 20040616
[INFO]   commons-io:commons-io ...................... 2.11.0 -> 20030203.000550
[INFO]   commons-logging:commons-logging ........... 1.2 -> 99.0-does-not-exist
[INFO]   fr.opensagres.xdocreport:xdocreport ................... 2.0.3 -> 2.0.4
[INFO]   io.swagger.core.v3:swagger-jaxrs2 .................... 2.1.13 -> 2.2.7
[INFO]   io.swagger.core.v3:swagger-jaxrs2-servlet-initializer-v2 ...
[INFO]                                                          2.1.13 -> 2.2.7
[INFO]   org.apache.geronimo.config:geronimo-config-impl ....... 1.2.2 -> 1.2.3
[INFO]   org.apache.poi:poi-ooxml .............................. 5.2.0 -> 5.2.3
[INFO]   org.apache.xmlgraphics:fop-events ......................... 2.7 -> 2.8
[INFO]   org.apache.xmlgraphics:xmlgraphics-commons ................ 2.7 -> 2.8
[INFO]   org.docx4j:docx4j-JAXB-ReferenceImpl ................. 8.3.2 -> 11.4.8
[INFO]   org.docx4j:docx4j-docx-anon .......................... 8.3.2 -> 11.4.8
[INFO]   org.glassfish.jaxb:jaxb-runtime ....................... 2.3.3 -> 4.0.1  (watch hibernate compatibility)
[INFO]   org.glassfish.jaxb:txw2 ............................... 2.3.3 -> 4.0.1  (watch hibernate compatibility)
[INFO]   org.hibernate:hibernate-ehcache .......... 5.6.5.Final -> 6.0.0.Alpha7
[INFO]   org.hibernate.validator:hibernate-validator ...
[INFO]                                               6.1.6.Final -> 8.0.0.Final  (watch test compatibility)
[INFO]   org.jboss.resteasy:resteasy-client ....... 3.15.3.Final -> 6.2.1.Final
[INFO]   org.jboss.resteasy:resteasy-jackson2-provider ...
[INFO]                                              3.15.3.Final -> 6.2.1.Final
[INFO]   org.jboss.resteasy:resteasy-multipart-provider ...
[INFO]                                              3.15.3.Final -> 6.2.1.Final
[INFO]   org.jsoup:jsoup ..................................... 1.14.3 -> 1.15.3
[INFO]   org.keycloak:keycloak-admin-client .................. 18.0.1 -> 20.0.1
[INFO]   org.keycloak:keycloak-common ........................ 18.0.1 -> 20.0.1
[INFO]   org.keycloak:keycloak-core .......................... 18.0.1 -> 20.0.1
[INFO]   org.keycloak:keycloak-server-spi .................... 18.0.1 -> 20.0.1
[INFO]   org.keycloak:keycloak-server-spi-private ............ 18.0.1 -> 20.0.1
[INFO]   org.keycloak:keycloak-servlet-filter-adapter ........ 18.0.1 -> 20.0.1
[INFO]   org.mockito:mockito-inline ............................ 4.5.1 -> 4.9.0
[INFO]   org.mockito:mockito-junit-jupiter ..................... 4.5.1 -> 4.9.0
[INFO]   org.postgresql:postgresql ........................... 42.4.1 -> 42.5.1
[INFO]   org.slf4j:slf4j-api .................................. 1.7.36 -> 2.0.5
[INFO]   org.testcontainers:junit-jupiter .................... 1.17.5 -> 1.17.6
[INFO]   org.testcontainers:postgresql ....................... 1.17.5 -> 1.17.6
[INFO] 
[INFO] artifact org.apache.maven.wagon:wagon-ssh: checking for updates from symeda
[INFO] artifact org.apache.maven.wagon:wagon-ssh: checking for updates from public
[INFO] artifact org.apache.maven.wagon:wagon-ssh: checking for updates from payara-patched-externals
[INFO] The following dependencies in pluginManagement of plugins have newer versions:
[INFO]   io.swagger.core.v3:swagger-jaxrs2 .................... 2.1.13 -> 2.2.7
[INFO] 

# Payara modules -> to be managed by payara update

[INFO]   com.fasterxml.jackson.core:jackson-annotations ...... 2.12.4 -> 2.14.1
[INFO]   com.fasterxml.jackson.core:jackson-core ............. 2.12.4 -> 2.14.1
[INFO]   com.fasterxml.jackson.core:jackson-databind ......... 2.12.4 -> 2.14.1
[INFO]   com.fasterxml.jackson.dataformat:jackson-dataformat-yaml ...
[INFO]                                                         2.12.4 -> 2.14.1
[INFO]   com.fasterxml.jackson.jaxrs:jackson-jaxrs-base ...... 2.12.4 -> 2.14.1
[INFO]   com.sun.activation:jakarta.activation ................. 1.2.1 -> 2.0.1
[INFO]   com.sun.istack:istack-commons-runtime ................ 3.0.10 -> 4.1.1
[INFO]   com.sun.mail:javax.mail ..................... 1.6.2 -> 1.6.2.payara-p1
[INFO]   fish.payara.api:payara-api ..................... 5.2021.10 -> 6.2022.1
[INFO]   fish.payara.security.connectors:security-connector-oidc-client ...
[INFO]                                                      2.2.0 -> 3.0.alpha6
[INFO]   jakarta.activation:jakarta.activation-api ...
[INFO]                                                1.2.1 -> 2.1.1.jbossorg-1
[INFO]   jakarta.annotation:jakarta.annotation-api ............. 1.3.5 -> 2.1.1
[INFO]   jakarta.validation:jakarta.validation-api ............. 2.0.2 -> 3.0.2
[INFO]   jakarta.xml.bind:jakarta.xml.bind-api ................. 2.3.2 -> 4.0.0
[INFO]   org.glassfish:javax.el ............................ 3.0.0 -> 3.0.1-b12
[INFO]   org.glassfish.jersey.containers:jersey-container-servlet ...
[INFO]                                                            2.34 -> 3.1.0
[INFO]   org.glassfish.jersey.media:jersey-media-json-jackson ... 2.34 -> 3.1.0
[INFO]   org.javassist:javassistjavassist ....................... 3.26.0-GA -> 3.29.2-GA
[INFO]   org.jboss.logging:jboss-logging ........... 3.4.2.Final -> 3.5.0.Final
[INFO]   org.yaml:snakeyaml ...................................... 1.28 -> 1.33

# Vaadin On Hold (8.14.3 is last Apache-2.0 intended licenced release)
# Some unused dependencies are listed in vaadin-bom
[INFO]   com.vaadin:vaadin-cdi ......................... 3.0.1 -> 15.0.0.alpha1
[INFO]   com.vaadin:vaadin-client ............................ 8.14.3 -> 8.18.0
[INFO]   com.vaadin:vaadin-client-compiled ................... 8.14.3 -> 8.18.0
[INFO]   com.vaadin:vaadin-client-compiler ................... 8.14.3 -> 8.18.0
[INFO]   com.vaadin:vaadin-compatibility-server .............. 8.14.3 -> 8.18.0
[INFO]   com.vaadin:vaadin-push .............................. 8.14.3 -> 8.18.0
[INFO]   com.vaadin:vaadin-server ............................ 8.14.3 -> 8.18.0
[INFO]   com.vaadin:vaadin-shared ............................ 8.14.3 -> 8.18.0
[INFO]   com.vaadin:vaadin-spring ...................... 3.2.1 -> 24.0.0.alpha9
[INFO]   com.vaadin:vaadin-testbench-core ............... 5.2.0 -> 9.0.0.alpha4

# bean-test On Hold
[INFO]   org.apache.deltaspike.cdictrl:deltaspike-cdictrl-weld ...
[INFO]                                                           1.2.1 -> 1.9.6
[INFO]   org.apache.deltaspike.core:deltaspike-core-impl ....... 1.2.1 -> 1.9.6
[INFO]   org.jboss.weld.se:weld-se ................ 2.1.2.Final -> 3.0.0.Alpha1
  1. Increase identical dependencies also for android-app

Out of scope are dependencies provided by payara (glassfish/modules).

Plugin Update analysis

```bash
mvn versions:display-plugin-updates

[INFO] The following plugin updates are available:
[INFO] com.vaadin:vaadin-maven-plugin ............ 8.14.3 -> 24.0.0.alpha6
[INFO] io.openapitools.swagger:swagger-maven-plugin ....... 2.1.2 -> 2.1.6
[INFO]
[WARNING] The following plugins do not have their version specified:
[WARNING] maven-clean-plugin ........................ (from super-pom) 2.2
[WARNING] maven-dependency-plugin ................... (from super-pom) 2.8
[WARNING] maven-install-plugin ...................... (from super-pom) 2.2
[INFO]
[WARNING] Project does not define minimum Maven version, default is: 2.0
[INFO] Plugins require minimum Maven version of: 3.3.9
[INFO] Note: the super-pom from Maven 3.6.3 defines some of the plugin
[INFO] versions and may be influencing the plugins required minimum Maven
[INFO] version.
[INFO]
[ERROR] Project does not define required minimum version of Maven.
[ERROR] Update the pom.xml to contain maven-enforcer-plugin to
[ERROR] force the Maven version which is needed to build this project.
[ERROR] See https://maven.apache.org/enforcer/enforcer-rules/requireMavenVersion.html
[ERROR] Using the minimum version of Maven: 3.3.9
[INFO]
[INFO] Require Maven 2.0.1 to use the following plugin updates:
[INFO] maven-war-plugin ................................... 3.2.3 -> 2.0.2
[INFO]
[INFO] Require Maven 2.0.2 to use the following plugin updates:
[INFO] maven-javadoc-plugin ................................. 3.2.0 -> 2.2
[INFO] maven-site-plugin ............................. 3.9.1 -> 2.0-beta-7
[INFO]
[INFO] Require Maven 2.0.3 to use the following plugin updates:
[INFO] maven-dependency-plugin ................ 2.8 -> 2.2-SONATYPE-810529
[INFO] maven-surefire-report-plugin ................ 2.22.2 -> 2.4.3-JBOSS
[INFO]
[INFO] Require Maven 2.0.4 to use the following plugin updates:
[INFO] maven-ejb-plugin ..................................... 3.0.1 -> 2.1
[INFO] maven-project-info-reports-plugin .................. 3.1.1 -> 2.0.1
[INFO] org.codehaus.mojo:properties-maven-plugin .... 1.0.0 -> 1.0-alpha-1
[INFO]
[INFO] Require Maven 2.0.6 to use the following plugin updates:
[INFO] maven-changelog-plugin ................................. 2.3 -> 2.2
[INFO] maven-changes-plugin ................................ 2.12.1 -> 2.4
[INFO] maven-clean-plugin ................................... 3.2.0 -> 2.5
[INFO] maven-deploy-plugin ................................ 2.8.2 -> 2.8.1
[INFO] maven-ear-plugin ..................................... 3.0.1 -> 2.9
[INFO] maven-ejb-plugin ..................................... 3.0.1 -> 2.3
[INFO] maven-install-plugin ............................... 3.1.0 -> 2.5.1
[INFO] maven-jar-plugin ..................................... 3.1.1 -> 2.4
[INFO] maven-javadoc-plugin ................................. 3.2.0 -> 2.3
[INFO] maven-project-info-reports-plugin .................. 3.1.1 -> 2.1.2
[INFO] maven-resources-plugin ............................... 3.1.0 -> 2.6
[INFO] maven-site-plugin .................................. 3.9.1 -> 2.0.1
[INFO] maven-source-plugin ................................ 3.1.0 -> 2.1.2
[INFO] maven-surefire-plugin ............................. 2.22.0 -> 2.4.3
[INFO] maven-surefire-report-plugin ...................... 2.22.2 -> 2.7.1
[INFO] maven-war-plugin ..................................... 3.2.3 -> 2.4
[INFO] org.codehaus.mojo:properties-maven-plugin .... 1.0.0 -> 1.0-alpha-2
[INFO]
[INFO] Require Maven 2.0.8 to use the following plugin updates:
[INFO] maven-javadoc-plugin ................................. 3.2.0 -> 2.4
[INFO]
[INFO] Require Maven 2.0.9 to use the following plugin updates:
[INFO] maven-compiler-plugin ................................ 3.8.1 -> 3.1
[INFO] maven-dependency-plugin ....................................... 2.8
[INFO] maven-failsafe-plugin .............................. 2.19.1 -> 2.17
[INFO] maven-javadoc-plugin ............................... 3.2.0 -> 2.8.1
[INFO] maven-source-plugin ................................ 3.1.0 -> 2.2.1
[INFO] maven-surefire-plugin .............................. 2.22.0 -> 2.17
[INFO] maven-surefire-report-plugin ....................... 2.22.2 -> 2.17
[INFO]
[INFO] Require Maven 2.1.0 to use the following plugin updates:
[INFO] maven-project-info-reports-plugin .................... 3.1.1 -> 2.2
[INFO] maven-site-plugin .................................. 3.9.1 -> 2.1.1
[INFO] org.jacoco:jacoco-maven-plugin ........ 0.8.5 -> 0.6.3.201306030806
[INFO]
[INFO] Require Maven 2.2.0 to use the following plugin updates:
[INFO] maven-project-info-reports-plugin .................... 3.1.1 -> 2.6
[INFO] maven-site-plugin .................................... 3.9.1 -> 3.0
[INFO]
[INFO] Require Maven 2.2.1 to use the following plugin updates:
[INFO] external.atlassian.jgitflow:jgitflow-maven-plugin ........ 1.0-m5.1
[INFO] maven-changelog-plugin ........................................ 2.3
[INFO] maven-changes-plugin ............................... 2.12.1 -> 2.11
[INFO] maven-clean-plugin ................................. 3.2.0 -> 2.6.1
[INFO] maven-compiler-plugin ................................ 3.8.1 -> 3.3
[INFO] maven-dependency-plugin ............................... 2.8 -> 2.10
[INFO] maven-deploy-plugin ......................................... 2.8.2
[INFO] maven-ear-plugin .................................. 3.0.1 -> 2.10.1
[INFO] maven-ejb-plugin ................................... 3.0.1 -> 2.5.1
[INFO] maven-failsafe-plugin .............................. 2.19.1 -> 2.20
[INFO] maven-install-plugin ............................... 3.1.0 -> 2.5.2
[INFO] maven-jar-plugin ..................................... 3.1.1 -> 2.6
[INFO] maven-javadoc-plugin .............................. 3.2.0 -> 2.10.3
[INFO] maven-project-info-reports-plugin .................. 3.1.1 -> 2.8.1
[INFO] maven-resources-plugin ............................... 3.1.0 -> 2.7
[INFO] maven-site-plugin .................................... 3.9.1 -> 3.4
[INFO] maven-source-plugin .................................. 3.1.0 -> 2.4
[INFO] maven-surefire-plugin .............................. 2.22.0 -> 2.20
[INFO] maven-surefire-report-plugin ....................... 2.22.2 -> 2.20
[INFO] maven-war-plugin ..................................... 3.2.3 -> 2.6
[INFO] org.codehaus.mojo:versions-maven-plugin .............. 2.8.1 -> 2.2
[INFO] org.jacoco:jacoco-maven-plugin ........ 0.8.5 -> 0.7.6.201602180812
[INFO]
[INFO] Require Maven 3.0 to use the following plugin updates:
[INFO] maven-clean-plugin ................................. 3.2.0 -> 3.1.0
[INFO] maven-dependency-plugin .............................. 2.8 -> 3.1.1
[INFO] maven-ear-plugin ............................................ 3.0.1
[INFO] maven-ejb-plugin ............................................ 3.0.1
[INFO] maven-failsafe-plugin ............................ 2.19.1 -> 2.22.0
[INFO] maven-jar-plugin ................................... 3.1.1 -> 3.1.0
[INFO] maven-javadoc-plugin ............................... 3.2.0 -> 3.0.1
[INFO] maven-project-info-reports-plugin .................. 3.1.1 -> 3.0.0
[INFO] maven-resources-plugin ...................................... 3.1.0
[INFO] maven-site-plugin .................................. 3.9.1 -> 3.7.1
[INFO] maven-surefire-plugin ...................................... 2.22.0
[INFO] maven-surefire-report-plugin ..................... 2.22.2 -> 2.22.0
[INFO] maven-war-plugin ................................... 3.2.3 -> 3.2.2
[INFO] org.codehaus.mojo:properties-maven-plugin ................... 1.0.0
[INFO] org.codehaus.mojo:versions-maven-plugin .............. 2.8.1 -> 2.7
[INFO] org.jacoco:jacoco-maven-plugin ..................... 0.8.5 -> 0.8.8
[INFO]
[INFO] Require Maven 3.0.4 to use the following plugin updates:
[INFO] maven-changes-plugin ....................................... 2.12.1
[INFO] maven-compiler-plugin ...................... 3.8.1 -> 3.7.0-jboss-1
[INFO] maven-source-plugin ................................ 3.1.0 -> 3.0.1
[INFO]
[INFO] Require Maven 3.0.5 to use the following plugin updates:
[INFO] maven-compiler-plugin ...................... 3.8.1 -> 3.8.1-jboss-2
[INFO] maven-dependency-plugin .............................. 2.8 -> 3.1.2
[INFO] maven-deploy-plugin ............................. 2.8.2 -> 3.0.0-M2
[INFO] maven-ear-plugin ................................... 3.0.1 -> 3.1.0
[INFO] maven-failsafe-plugin .......................... 2.19.1 -> 3.0.0-M5
[INFO] maven-install-plugin ............................ 3.1.0 -> 3.0.0-M1
[INFO] maven-jar-plugin ................................... 3.1.1 -> 3.2.0
[INFO] maven-javadoc-plugin ............................... 3.2.0 -> 3.3.2
[INFO] maven-project-info-reports-plugin .................. 3.1.1 -> 3.2.2
[INFO] maven-site-plugin ................................. 3.9.1 -> 3.11.0
[INFO] maven-source-plugin ................................ 3.1.0 -> 3.2.1
[INFO] maven-surefire-plugin .......................... 2.22.0 -> 3.0.0-M5
[INFO] maven-surefire-report-plugin ................... 2.22.2 -> 3.0.0-M5
[INFO] maven-war-plugin ................................... 3.2.3 -> 3.3.1
[INFO] org.codehaus.mojo:properties-maven-plugin .......... 1.0.0 -> 1.1.0
[INFO] org.codehaus.mojo:versions-maven-plugin ........... 2.8.1 -> 2.10.0
[INFO]
[INFO] Require Maven 3.1.0 to use the following plugin updates:
[INFO] maven-jar-plugin ................................... 3.1.1 -> 3.2.2
[INFO] maven-resources-plugin ............................. 3.1.0 -> 3.2.0
[INFO] maven-war-plugin ................................... 3.2.3 -> 3.3.2
[INFO] org.owasp:dependency-check-maven ................... 6.5.3 -> 7.4.1
[INFO]
[INFO] Require Maven 3.1.1 to use the following plugin updates:
[INFO] maven-dependency-plugin .............................. 2.8 -> 3.3.0
[INFO] maven-ear-plugin ................................... 3.0.1 -> 3.2.0
[INFO] maven-ejb-plugin ................................... 3.0.1 -> 3.1.0
[INFO]
[INFO] Require Maven 3.2.5 to use the following plugin updates:
[INFO] maven-clean-plugin .......................................... 3.2.0
[INFO] maven-compiler-plugin ............................. 3.8.1 -> 3.10.1
[INFO] maven-dependency-plugin .............................. 2.8 -> 3.4.0
[INFO] maven-deploy-plugin ................................ 2.8.2 -> 3.0.0
[INFO] maven-ear-plugin ................................... 3.0.1 -> 3.3.0
[INFO] maven-ejb-plugin ................................... 3.0.1 -> 3.2.1
[INFO] maven-failsafe-plugin .......................... 2.19.1 -> 3.0.0-M7
[INFO] maven-install-plugin ........................................ 3.1.0
[INFO] maven-jar-plugin ................................... 3.1.1 -> 3.3.0
[INFO] maven-javadoc-plugin ............................... 3.2.0 -> 3.4.1
[INFO] maven-project-info-reports-plugin .................. 3.1.1 -> 3.4.1
[INFO] maven-resources-plugin ............................. 3.1.0 -> 3.3.0
[INFO] maven-site-plugin ............................... 3.9.1 -> 4.0.0-M4
[INFO] maven-surefire-plugin .......................... 2.22.0 -> 3.0.0-M7
[INFO] maven-surefire-report-plugin ................... 2.22.2 -> 3.0.0-M7
[INFO] org.codehaus.mojo:versions-maven-plugin ........... 2.8.1 -> 2.14.2
```

Android Dependencies: https://github.com/hzi-braunschweig/SORMAS-Project/issues/11032#issuecomment-1514861092

Additional Information

Checked version dependencies in CI pipeline:
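
Added example (not part of the original issue, and not the project's own tooling): the dependency report above mixes ordinary upgrades with suggestions that should not be applied blindly, such as date-stamped legacy versions (20030203.000550), the 99.0-does-not-exist placeholder and alpha builds. The Python sketch below parses `versions:display-dependency-updates` output, including entries wrapped onto a second line, and sorts each suggestion into a review bucket; the bucket names and function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied in shape from the report in this issue,
# including one that the versions plugin wrapped onto a second line.
SAMPLE_REPORT = """\
[INFO] The following dependencies in Dependency Management have newer versions:
[INFO]   ch.qos.logback:logback-classic ....................... 1.2.10 -> 1.4.5
[INFO]   commons-io:commons-io ...................... 2.11.0 -> 20030203.000550
[INFO]   commons-logging:commons-logging ........... 1.2 -> 99.0-does-not-exist
[INFO]   org.hibernate:hibernate-ehcache .......... 5.6.5.Final -> 6.0.0.Alpha7
[INFO]   org.hibernate.validator:hibernate-validator ...
[INFO]                                               6.1.6.Final -> 8.0.0.Final  (watch test compatibility)
[INFO]   org.postgresql:postgresql ........................... 42.4.1 -> 42.5.1
"""

GA = r"(?P<ga>[\w.\-]+:[\w.\-]+)"
FULL = re.compile(rf"^{GA}\s+\.{{2,}}\s+(?P<cur>\S+)\s+->\s+(?P<new>\S+)")
HEAD = re.compile(rf"^{GA}\s+\.{{3}}$")              # wrapped entry, first line
TAIL = re.compile(r"^(?P<cur>\S+)\s+->\s+(?P<new>\S+)")  # wrapped entry, second line
PRERELEASE = re.compile(r"(?:^|[.\-])(?:alpha|beta|rc|cr|m)[.\-]?\d+", re.I)
DATESTAMP = re.compile(r"\d{8}(\.\d{6})?")


def parse_updates(report_text):
    """Return (groupId:artifactId, current, suggested) tuples from the report."""
    entries, pending = [], None
    for raw in report_text.splitlines():
        line = re.sub(r"^\[INFO\]\s*", "", raw).strip()
        m = FULL.match(line)
        if m:
            entries.append((m["ga"], m["cur"], m["new"]))
            pending = None
            continue
        m = HEAD.match(line)
        if m:
            pending = m["ga"]          # versions follow on the next line
            continue
        m = TAIL.match(line)
        if m and pending:
            entries.append((pending, m["cur"], m["new"]))
        pending = None
    return entries


def _major(version):
    m = re.match(r"\d+", version)
    return int(m.group()) if m else None


def classify(current, suggested):
    """Assign a review bucket to one suggested update."""
    if "does-not-exist" in suggested:
        return "placeholder"           # not a real release, never apply
    if DATESTAMP.fullmatch(suggested):
        return "legacy-datestamp"      # old date-based version, sorts as newest
    if PRERELEASE.search(suggested):
        return "prerelease"            # alpha/beta/RC/milestone build
    if _major(current) != _major(suggested):
        return "major"                 # expect API or compatibility changes
    return "minor-or-patch"


def triage(report_text):
    """Group all suggestions in a report by review bucket."""
    buckets = defaultdict(list)
    for ga, cur, new in parse_updates(report_text):
        buckets[classify(cur, new)].append(f"{ga} {cur} -> {new}")
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(bucket)
        for item in items:
            print("   ", item)
```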

JonasCir commented 1 year ago

I tried to update the swagger libraries as well as the swagger-maven-plugin, but I was running into all sorts of problems, including the generated openapi documentation being nearly empty. https://github.com/kbuntrock/openapi-maven-plugin seems to be the only alternative which is currently maintained.

StefanKock commented 1 year ago

I'm done with the server side stack and Maven plugins (all changes on PR #11257 to be continued). Someone needs to pick this ticket up for the android and gradle part.

StefanKock commented 1 year ago

I updated the PR to the current state of development and updated versions that were outdated after 2022-12-27.

StefanKock commented 1 year ago

I added another dependency update that was overlooked:

org.geotools:gt-shapefile ............................... 26.2 -> 28.0
org.geotools:gt-shapefile ............................... 26.2 -> 28.2

MartinWahnschaffe commented 1 year ago

@StefanKock Let's include spring expression update 5.3.23 -> 5.3.27 https://spring.io/security/cve-2023-20863

StefanKock commented 1 year ago

> @StefanKock Let's include spring expression update 5.3.23 -> 5.3.27 https://spring.io/security/cve-2023-20863

I'll do this. The last change was with #11441: 4.3.30.RELEASE -> 5.3.25. That's why spring-context did not show up for update on 2023-03-17.

MartinWahnschaffe commented 1 year ago

Android Updates:

Gradle 7.0.2 --> 8.0

app build.gradle:

com.google.gms:google-services:4.3.10 --> 4.3.15
com.google.firebase:firebase-crashlytics-gradle:2.9.0 --> 2.9.5
com.google.firebase:perf-plugin:1.4.1 --> 1.4.2
org.jacoco:org.jacoco.core:0.8.5 --> 0.8.9
org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.8 --> 3.3

sormas-app build.gradle:

implementation platform('com.google.firebase:firebase-bom:29.0.0') --> 31.5.0
implementation 'androidx.appcompat:appcompat:1.3.1' --> 1.6.1
implementation 'com.google.android.material:material:1.5.0-alpha05' --> 1.8.0
implementation 'com.squareup.retrofit2:retrofit:2.4.0' --> 2.9.0
implementation 'com.squareup.retrofit2:converter-gson:2.4.0' --> 2.9.0
implementation 'com.j256.ormlite:ormlite-core:5.1' --> 6.1
implementation 'com.google.guava:guava:31.0.1-android' --> 31.1.1-android
implementation 'com.opencsv:opencsv:5.5.2' --> 5.7.1
implementation 'org.jsoup:jsoup:1.14.3' --> 1.15.4
implementation 'io.reactivex:rxandroid:1.0.1' --> 1.2.1
implementation 'io.reactivex:rxjava:1.0.14' --> 1.3.8
implementation 'com.fasterxml.jackson.core:jackson-core:2.12.4' --> 2.14.2
implementation 'com.fasterxml.jackson.core:jackson-annotations:2.12.4' --> 2.14.2
implementation 'androidx.lifecycle:lifecycle-extensions:2.2.0' --> 2.6.1
implementation 'androidx.paging:paging-runtime:3.0.1' --> 3.1.1
implementation 'androidx.work:work-runtime-ktx:2.7.1' --> 2.8.1
implementation 'io.crowdcode.sormas.lbds:lbds-android-messaging:1.4.6' --> 1.4.8
implementation 'org.slf4j:slf4j-api:1.7.36' --> 2.0.7
testImplementation 'org.robolectric:robolectric:4.2.1' --> 4.10
testImplementation 'org.mockito:mockito-core:4.3.1' --> 5.3.0
androidTestImplementation 'androidx.annotation:annotation:1.2.0' --> 1.5.0
androidTestImplementation 'androidx.test:runner:1.4.0' --> 1.5.2
androidTestImplementation 'androidx.test:rules:1.4.0' --> 1.5.2
androidTestImplementation 'androidx.test.espresso:espresso-core:3.4.0' --> 3.5.1

Note on the update process:

  1. To update the gradle version, use the gradle migration feature of Android Studio!
  2. To update dependencies, use the gradle dependencyUpdates task of the gradle versions plugin. Double check using the project structure dialog > Suggestions dialog of Android Studio.

MartinWahnschaffe commented 1 year ago

With the update to gradle 8, Java SDK 17 is needed on build systems.

MartinWahnschaffe commented 1 year ago

OpenJDK 17.0.2 is available on our Jenkins now.

MartinWahnschaffe commented 1 year ago

I have updated the used JDK versions of Jenkins for all jobs that build the android-app to JDK 17: sormas-Build, sormas-app, sormas-Release. To avoid future problems, also sormas-Reports.

StefanKock commented 1 year ago

Build jobs fail due to Maven not being new enough:

[INFO] >>> maven-javadoc-plugin:3.4.1:aggregate > compile @ sormas-base >>>
[INFO]
[INFO] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
[INFO] Forking sormas-base 1.84.0-SNAPSHOT
[INFO] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
[INFO]
[INFO] --- maven-enforcer-plugin:3.1.0:enforce (enforce-versions) @ sormas-base ---
[ERROR] Rule 0: org.apache.maven.plugins.enforcer.RequireMavenVersion failed with message: Detected Maven Version: 3.3.9 is not in the allowed range 3.6.3.

StefanKock commented 1 year ago

I changed the Maven version in Jenkins from 3.3.9 to 3.9.2, builds are started again.

StefanKock commented 1 year ago

Four next problems uncovered:

  1. sormas-Build job, module sormas-api: Date Formatting with JDK 17 seemed to change (test succeeds with JDK 11, but not with JDK 17).

    de.symeda.sormas.api.utils.DateHelperTest.testParseDateTimeWithExceptionForDeFormat

    Unable to parse date [21.04.2021 1:30 nachm.]

    java.text.ParseException: Unable to parse date [21.04.2021 1:30 nachm.]
        at de.symeda.sormas.api.utils.DateHelper.parseDateWithException(DateHelper.java:242)
        at de.symeda.sormas.api.utils.DateHelper.parseDateTimeWithException(DateHelper.java:197)
        at de.symeda.sormas.api.utils.DateHelperTest.testParseDateTimeWithExceptionForDeFormat(DateHelperTest.java:340)
        ...

  2. sormas-Build job, module sormas-ui: bean-test seems to have compatibility problems with JDK 17

    Suppressed: java.lang.NullPointerException: Cannot invoke "javax.enterprise.inject.spi.BeanManager.fireEvent(Object, java.lang.annotation.Annotation[])" because the return value of "info.novatec.beantest.api.BeanProviderHelper.getBeanManager()" is null
        at info.novatec.beantest.api.BeanProviderHelper.fireShutdownEvent(BeanProviderHelper.java:104)
        ...

  3. sormas-Build job, sonarqube scanner complains that code is not compatible with Java 7.
    -> Guessing that changing to property `maven.compiler.release` with #6699 causes a fallback. Trying to fix this by increasing the `sonar-maven-plugin` version from 3.6.0.1398 to 3.9.1.2184 on Jenkins (SONAR_MAVEN_GOAL).

    [INFO] Sensor JavaSensor [java]
    [INFO] Configured Java source version (sonar.java.source): 7
    ...
    [ERROR] Unable to parse source file : 'sormas-rest/src/main/java/de/symeda/sormas/rest/resources/ImmunizationResource.java'

    Solved:

    [INFO] Sensor JavaSensor [java]
    [INFO] Configured Java source version (sonar.java.source): 11

  4. sormas-Reports job fails with a dependency not found.
    -> Fixed by not updating Maven from 3.3.9 to 3.6.3 instead of 3.8.6 or 3.9.2

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-site-plugin:3.12.1:site (default-site) on project sormas-base: Error generating maven-project-info-reports-plugin:3.4.1:dependency-convergence report: Could not build dependency tree: Could not collect dependencies: de.symeda.sormas:sormas-widgetset:jar:1.84.0-SNAPSHOT: Failed to collect dependencies at com.vaadin:vaadin-compatibility-client:jar:8.14.3 -> com.vaadin:vaadin-client:jar:8.14.3 -> com.vaadin:vaadin-server:jar:8.14.3 -> com.vaadin:vaadin-push:jar:8.14.3 -> com.vaadin.external.atmosphere:atmosphere-runtime:jar:2.4.30.vaadin4 -> org.atmosphere.jboss.as:jboss-as-websockets:jar:0.5 -> org.jboss.as:jboss-as-server:jar:7.1.1.Final -> org.jboss.as:jboss-as-controller:jar:7.1.1.Final -> org.jboss.as:jboss-as-controller-client:jar:7.1.1.Final -> org.jboss.as:jboss-as-protocol:jar:7.1.1.Final -> org.jboss.logging:jboss-logging:jar:3.4.2.Final -> org.apache.logging.log4j:log4j-api:jar:2.11.2 -> org.apache.logging.log4j:log4j-api-java9:zip:2.11.2: Failed to read artifact descriptor for org.apache.logging.log4j:log4j-api-java9:zip:2.11.2: The following artifacts could not be resolved: org.apache.logging.log4j:log4j-api-java9:pom:2.11.2 (absent): Could not transfer artifact org.apache.logging.log4j:log4j-api-java9:pom:2.11.2 from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [oss.sonatype.org (http://oss.sonatype.org/content/repositories/releases, default, releases+snapshots), oss.sonatype.org-snapshot (http://oss.sonatype.org/content/repositories/snapshots, default, releases+snapshots), codehaus (http://repository.codehaus.org/, default, releases+snapshots), codehaus-snapshots (http://snapshots.repository.codehaus.org/, default, releases+snapshots), jboss-public-repository-group (http://repository.jboss.org/nexus/content/groups/public/, default, releases+snapshots)] -> [Help 1]
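
Added example (not part of the original thread): the "Blocked mirror for repositories" failure in problem 4 comes from Maven 3.8.1 and later, which ship a default mirror, maven-default-http-blocker, that refuses external http:// repositories, including ones declared only in the POMs of transitive dependencies. The Python check below lists such declarations in a single POM or in a directory of POMs (for example a local repository), so they can be found before a Maven upgrade breaks the build. The sample POM is constructed, with repository ids and URLs taken from the error message above; the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlsplit

# Hosts that Maven's "external:" mirror selector does not treat as external.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample POM; the two http:// repositories use ids and URLs
# quoted in the error message of this issue, the rest is made up.
SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>legacy-parent</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>jboss-public-repository-group</id>
      <url>http://repository.jboss.org/nexus/content/groups/public/</url>
    </repository>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
    <repository>
      <id>local-proxy</id>
      <url>http://localhost:8081/repo</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>codehaus</id>
      <url>http://repository.codehaus.org/</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""


def _local(tag):
    """Strip the XML namespace so namespaced and bare POMs are both handled."""
    return tag.rsplit("}", 1)[-1]


def blocked_http_repositories(pom_xml):
    """Return (id, url) for each repository declared with an external http:// URL.

    Only <repositories> and <pluginRepositories> sections are inspected
    (top level and inside profiles); <distributionManagement> is ignored.
    """
    hits = []
    for section in ET.fromstring(pom_xml).iter():
        if _local(section.tag) not in ("repositories", "pluginRepositories"):
            continue
        for repo in section:
            fields = {_local(c.tag): (c.text or "").strip() for c in repo}
            parts = urlsplit(fields.get("url", ""))
            if parts.scheme.lower() == "http" and parts.hostname not in LOCAL_HOSTS:
                hits.append((fields.get("id", ""), fields["url"]))
    return hits


def scan_tree(base_dir):
    """Scan every pom.xml / *.pom below base_dir; return {path: [(id, url), ...]}."""
    report = {}
    for path in sorted(Path(base_dir).rglob("*")):
        if not path.is_file() or not (path.name == "pom.xml" or path.suffix == ".pom"):
            continue
        try:
            hits = blocked_http_repositories(
                path.read_text(encoding="utf-8", errors="replace"))
        except ET.ParseError:
            continue  # malformed descriptor, nothing to report
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    for repo_id, url in blocked_http_repositories(SAMPLE_POM):
        print(f"{repo_id}: {url}")
```

Running `scan_tree` over a local Maven repository directory shows which cached descriptors would trip the blocker.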

MartinWahnschaffe commented 1 year ago

Problem 2 is addressed by https://github.com/hzi-braunschweig/SORMAS-Project/issues/11618

Afterwards we should also increase the JDK version of the GitHub CI to 17.

StefanKock commented 1 year ago

When trying to release 1.84.0, we ran into the problem that the promotion in sormas-Build still used a too old Maven version.

[sormas-Build] $ mvn -f sormas-base/pom.xml -DNextDevVersion=1.85.0-SNAPSHOT -DdevelopmentVersion=1.85.0-SNAPSHOT jgitflow:release-start -Pwith-app -Dmaven.test.skip=true -e -X
Apache Maven 3.3.9 (bb52d8502b132ec0a5a3f4c09453c07478323dc5; 2015-11-10T17:41:47+01:00)
Maven home: /usr/local/maven/apache-maven-3.3.9
Java version: 17.0.2, vendor: Oracle Corporation
Java home: /usr/lib/jvm/jdk-17.0.2

In the build steps, Maven-Version (Standard) was selected, which seems to fall back to running the installed mvn on the host system (and not the installation managed by Jenkins). I now chose Maven-Version Maven (coming from the Jenkins tools config).