bytedeco / javacpp

The missing bridge between Java and native C++

The current 1.5.10-SNAPSHOT builds are broken and point to missing artifacts #711

Closed jasonculverhouse closed 11 months ago

jasonculverhouse commented 11 months ago

Is it possible to get a new snapshot build or a point release for 1.5.9 that includes a freshly built opencv? Currently opencv has a statically linked libwebp which has a current CVE:

https://github.com/advisories/GHSA-j7hp-h8jx-5ppr

The current 1.5.10-SNAPSHOT seems to be broken and missing some artifacts.

saudet commented 11 months ago

How are they broken?

jasonculverhouse commented 11 months ago

So some of the artifacts are missing: https://oss.sonatype.org/content/repositories/snapshots/org/bytedeco/javacpp/1.5.10-SNAPSHOT/

I think that if you look at the timestamps of the build and the release of the fix for the CVE, the build happened before.

The build profile of opencv uses libwebp.a, so no matter what, we just need a new build from a base that is patched for the CVE https://nvd.nist.gov/vuln/detail/CVE-2023-5129 or https://nvd.nist.gov/vuln/detail/CVE-2023-4863, which was distributed hours after your last build.

https://github.com/bytedeco/javacpp-presets/actions/runs/6274819259/job/17061951688#step:2:1242

jasonculverhouse commented 11 months ago

Here is the smallest Gradle project that illustrates the issue with the 1.5.10-SNAPSHOT:

./gradlew build
> Task :compileJava FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':compileJava'.
> Could not resolve all files for configuration ':compileClasspath'.
   > Could not find javacpp-1.5.10-SNAPSHOT-macosx-x86_64.jar (org.bytedeco:javacpp:1.5.10-SNAPSHOT:20230924.002530-115).
     Searched in the following locations:
         https://oss.sonatype.org/content/repositories/snapshots/org/bytedeco/javacpp/1.5.10-SNAPSHOT/javacpp-1.5.10-20230924.002530-115-macosx-x86_64.jar

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

* Get more help at https://help.gradle.org

Deprecated Gradle features were used in this build, making it incompatible with Gradle 8.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

See https://docs.gradle.org/7.6.1/userguide/command_line_interface.html#sec:command_line_warnings

BUILD FAILED in 732ms
1 actionable task: 1 executed

HelloWorldJavaCV.tar.gz

saudet commented 11 months ago

I've restarted the last build of JavaCPP, please try again.

saudet commented 11 months ago

Duplicate of https://github.com/bytedeco/javacv/issues/2087