eclipse-embed-cdt / eclipse-plugins

The Eclipse Embedded CDT plug-ins for Arm & RISC-V C/C++ developers (formerly known as the GNU MCU Eclipse plug-ins). Includes the archive of previous plug-ins versions, as Releases.
http://eclipse-embed-cdt.github.io/
Eclipse Public License 2.0

Testcases for plugins #517

Open lapnd opened 2 years ago

lapnd commented 2 years ago

Hi, currently the plugins use some libs that are out of date and have direct vulnerabilities, such as https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.9.9.3. I would like to update this library, for example. The build is successful with the latest lib (e.g. https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.13.2.2), but I'm not sure whether this change will affect the plugin.

Do we have a set of test cases to run to verify the plugin for such kind of change?

Thank you!

ilg-ul commented 2 years ago

> ... jackson-databind/2.13.2.2

Hi @lapnd, thank you for notifying such vulnerabilities.

@jonahgraham, what is the current procedure to update the dependencies, hopefully without having to get approval from the legal team? Can we go up to this latest version? In the latest Orbit I see only 2.12.1.

> Do we have a set of test cases to run to verify the plugin for such kind of change?

Unfortunately not, we have to test the plug-ins manually.

jonahgraham commented 2 years ago

> > ... jackson-databind/2.13.2.2
>
> Hi @lapnd, thank you for notifying such vulnerabilities.
>
> @jonahgraham, what is the current procedure to update the dependencies, hopefully without having to get approval from the legal team? Can we go up to this latest version? In the latest Orbit I see only 2.12.1.

Getting a new version into Orbit should be easy enough - I can help do that, or even better we can make the updates so that we can consume content directly from Maven central. The latter has benefits long term, but more effort now.

However there is still the issue of https://github.com/eclipse-embed-cdt/eclipse-plugins/blob/master/plugins/org.eclipse.embedcdt.core/lib/jackson-databind-2.9.9.3.jar being in this repo, so some refactoring is needed to make sure we are pulling this from external bundle and remove this jar from embedcdt. We could update the embedded jar, but that would be less ideal.

@lapnd I can help guide you through this process / review the changes. Have you already started work in this area?