eclipse-modisco / org.eclipse.modisco

Eclipse Public License 2.0

[releng] Resolve org.apache.commons.jxpath issues #1077

Closed eclipse-modisco-bot closed 3 hours ago

eclipse-modisco-bot commented 3 hours ago

| Field | Value |
| --- | --- |
| Bugzilla Link | 583467 |
| Status | RESOLVED FIXED |
| Importance | P3 normal |
| Reported | Jul 07, 2024 06:46 EDT |
| Modified | Sep 15, 2024 06:59 EDT |
| Reporter | Ed Willink |

Description

https://github.com/eclipse-simrel/simrel.build/issues/438 discusses the need to use org.apache.commons.jxpath from the new Orbit and identifies MoDisco as having a problematic dependency.

https://git.eclipse.org/r/c/modisco/org.eclipse.modisco/+/207294 provides a Gerrit fix that reverts an earlier Gerrit fix so that there is no change.

The current nightly build avoids using platform I-builds (without an explanatory Bugzilla).

Searching the workspace for commons.jxpath reveals two usages

/org.eclipse.modisco.infra.query.jxpath/META-INF/MANIFEST.MF has

    Require-Bundle: ... org.apache.commons.jxpath;bundle-version="1.2.0"

/org.eclipse.modisco.infrastructure.feature/feature.xml has

    <plugin id="org.apache.commons.jxpath" ...

The feature reference means that we are redistributing org.apache.commons.jxpath_1.3.0.v200911051830.jar

There is no mention in any *.target file so we should be redistributing from the first Orbit which is the new one. Presumably a Tycho 4.0.4 bug. Try specifying the unit explicitly. 'Success' we now redistribute org.apache.commons.jxpath_1.3.0 whose classes were built in 2008 rather than 2015.

The code uses org.apache.commons.jxpath.JXPathContext which has an up to 1.3 CVE https://vuldb.com/?id.210187 vulnerability but no known exploit. https://nvd.nist.gov/vuln/detail/CVE-2022-41852 suggests that no vulnerability exists after all.

It is unclear whether JXPathContext was improved or even which Orbit has the best JXPathContext. But since the new Orbit endeavours to use direct from Maven, we should assume that the new Orbit will be better. So just specify org.apache.commons.jxpath as an explicitly required unit.

Since there is no actual change in the redistribution we do not need a new release, but as a courtesy to SimRel it is no doubt helpful to avoid a SimRel diagnostic. 2024-09 (1.5.5) declared.
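The check the report walks through by hand (which bundle the feature.xml reference actually redistributes, how old its classes are, and whether the platform already ships the same bundle) as an added example; this is not MoDisco or Orbit code. It assumes a feature.xml of the shape quoted above and uses constructed in-memory jars in place of the real Orbit and platform plugins directories, with the 2008 and 2015 class dates taken from the report.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample feature.xml mirroring the reference quoted in the report.
FEATURE_XML = """<feature id="org.eclipse.modisco.infrastructure.feature" version="1.5.5">
  <plugin id="org.apache.commons.jxpath" version="0.0.0" unpack="false"/>
</feature>"""

def feature_plugin_ids(feature_xml: str) -> list:
    """Bundle symbolic names the feature pulls into the redistribution."""
    return [p.get("id") for p in ET.fromstring(feature_xml).iter("plugin")]

def bundle_info(jar_bytes: bytes) -> dict:
    """Bundle-SymbolicName, Bundle-Version and the newest .class entry year in a bundle jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
        # JAR manifests wrap long values onto lines that start with one space; rejoin them.
        lines = text.replace("\r\n", "\n").replace("\n ", "").splitlines()
        headers = {k.strip(): v.strip() for k, v in (l.split(":", 1) for l in lines if ":" in l)}
        years = [zi.date_time[0] for zi in zf.infolist() if zi.filename.endswith(".class")]
    return {"symbolic_name": headers.get("Bundle-SymbolicName", "").split(";")[0],
            "version": headers.get("Bundle-Version", ""),
            "newest_class_year": max(years, default=None)}

def audit(feature_xml: str, feature_jars: list, platform_jars: list) -> list:
    """Per feature plugin: what the feature redistributes and what the platform already ships."""
    shipped = {i["symbolic_name"]: i for i in map(bundle_info, feature_jars)}
    platform = {i["symbolic_name"]: i for i in map(bundle_info, platform_jars)}
    return [{"plugin": pid, "redistributed": shipped.get(pid), "platform": platform.get(pid),
             "redundant": pid in platform}  # platform ships it: the feature entry can go
            for pid in feature_plugin_ids(feature_xml)]

def make_jar(symbolic: str, version: str, class_year: int) -> bytes:
    """Constructed stand-in for a bundle jar: a manifest plus one .class entry dated class_year."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\n"
                    f"Bundle-SymbolicName: {symbolic}\r\nBundle-Version: {version}\r\n")
        entry = zipfile.ZipInfo("org/apache/commons/jxpath/JXPathContext.class",
                                date_time=(class_year, 1, 1, 0, 0, 0))
        zf.writestr(entry, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    return buf.getvalue()

# Constructed jars: the feature's old Orbit copy (2008 classes) and the platform's own copy.
OLD_JAR = make_jar("org.apache.commons.jxpath", "1.3.0.v200911051830", 2008)
PLATFORM_JAR = make_jar("org.apache.commons.jxpath", "1.3.0", 2015)
FINDINGS = audit(FEATURE_XML, [OLD_JAR], [PLATFORM_JAR])
```

Pointing `feature_jars` and `platform_jars` at the bytes of real jars from an Orbit repository and an eclipse-SDK plugins folder turns this into the same check against a real build.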

eclipse-modisco-bot commented 3 hours ago

By Ed Willink on Jul 07, 2024 06:53

Checking eclipse-SDK-4.32-win32-x86_64.zip, org.apache.commons.jxpath_1.3.0 is now part of the platform so it is undesirable for MoDisco to redistribute. Lose it.

Checking further, a variety of org.apache.commons.jxpath has been part of the platform since at least 4.10. Why was it ever part of MoDisco?

eclipse-modisco-bot commented 3 hours ago

By Ed Willink on Jul 07, 2024 10:49

Pushed to master. Build ready for 1.5.5M1 once Jenkins gets some TLC.

eclipse-modisco-bot commented 3 hours ago

By Ed Willink on Jul 08, 2024 09:28

Contributed to SimRel for 2024-09 M1.

eclipse-modisco-bot commented 3 hours ago

By Serge Rider on Sep 15, 2024 06:59

May it cause this problem with legacy dependencies: https://bugs.eclipse.org/bugs/show_bug.cgi?id=583563 ?