matthewdowney / excel-clj

Write Excel docs & PDFs with Clojure data, from higher level abstractions (tree, table) or via a manual grid specification.
Eclipse Public License 1.0

Update dependencies and resolve JODConverter breaking changes #13

Closed keanedp closed 2 years ago

keanedp commented 2 years ago

Description

Update dependencies to mitigate known vulnerabilities. Migrated breaking JODConverter API changes between version 4.0.0-RELEASE and 4.1.0.

Detected Vulnerabilities

Vulnerabilities detected via Grype

NAME              INSTALLED  FIXED-IN  VULNERABILITY        SEVERITY
commons-compress  1.19       1.21      GHSA-7hfm-57qf-j43q  High
commons-compress  1.19       1.21      GHSA-crv7-7245-f45f  High
commons-compress  1.19       1.21      GHSA-mc84-pj99-q6hh  High
commons-compress  1.19       1.21      GHSA-xqfj-vm6h-2x34  High
commons-compress  1.19                 CVE-2021-35515       High
commons-compress  1.19                 CVE-2021-35516       High
commons-compress  1.19                 CVE-2021-35517       High
commons-compress  1.19                 CVE-2021-36090       High
commons-io        2.5        2.7       GHSA-gwrp-pvrq-jmwv  Medium
commons-io        2.5                  CVE-2021-29425       Medium

Dependency Tree

commons-compress required by org.apache.poi/poi-ooxml 4.0.0

commons-io required by org.jodconverter/jodconverter-core 4.0.0-RELEASE

Changes

  1. Updated dependencies
  2. Migrated JODConverter from 4.0.0-RELEASE to latest. Followed migration steps for 4.1.0, replacing jodconverter-core dependency with jodconverter-local and replaced all library references to use jodconverter-local.
  3. Added test for PDF generation.
  4. Added lein test profile to include logging dependencies with the intention of removing log warnings from the console when running tests:

    • log4j-core which is used by org.apache.poi/poi-ooxml since 5.1.0.
    • slf4j-nop which is used by org.jodconverter/jodconverter-local.

Tests

Added excel-cli.file-test to handle pdf generation tests.

matthewdowney commented 2 years ago

Thanks for this — I won't be able to review thoroughly until next week, but it looks good and barring any issues I'll be happy to merge and release a new version.

matthewdowney commented 2 years ago

After watching the CI break, maybe a change to the github workflow that adds the Apache OpenOffice dependency, or a JVM flag to disable running the tests which require it.

keanedp commented 2 years ago

Thanks for the prompt response.

I've added a lein test selector for running tests that require LibreOffice/OpenOffice.

Office tests can be run with:

$ lein tests :office-integrations

All other tests will run under:

$ lein tests

Thanks
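The PR description above (dependency upgrade, jodconverter-core to jodconverter-local, a test profile for logging) and the follow-up comment (a lein test selector for office-dependent tests) together describe one project.clj pattern. The block below is an added, illustrative project.clj written for this page; it is not the excel-clj project's own file. The version strings for Clojure, jodconverter-local, log4j-core and slf4j-nop are assumptions; the FIXED-IN versions for commons-compress (1.21) and commons-io (2.7) and the poi-ooxml 5.1.0 reference come from the report and the PR text, and the `:pedantic?` setting is an added suggestion rather than something the PR states it did.

```clojure
;; Added example project.clj (not excel-clj's actual file). It shows how to make
;; the Grype-reported fixes stick and how to keep office-dependent tests out of
;; the default `lein test` run. Versions marked "assumed" are illustrative.
(defproject example/excel-clj-like "0.0.0"
  :description "Illustrative project.clj: pinned transitive fixes + test selectors"

  :dependencies [[org.clojure/clojure "1.10.3"]                     ; assumed version
                 ;; poi-ooxml pulls commons-compress in transitively. Excluding it
                 ;; on this path and declaring the fixed version at the top level
                 ;; means the resolved version is the one we chose, not whatever
                 ;; the POI release happens to request. 5.1.0 is the version the
                 ;; PR names as the point where log4j-core became required.
                 [org.apache.poi/poi-ooxml "5.1.0"
                  :exclusions [org.apache.commons/commons-compress]]
                 ;; jodconverter-core was replaced by jodconverter-local in the
                 ;; 4.1.0 migration; it brought commons-io in transitively.
                 [org.jodconverter/jodconverter-local "4.1.0"          ; assumed version
                  :exclusions [commons-io/commons-io]]
                 ;; FIXED-IN versions from the Grype report, pinned directly so a
                 ;; future upgrade of poi-ooxml or jodconverter cannot silently
                 ;; drag the vulnerable 1.19 / 2.5 releases back in.
                 [org.apache.commons/commons-compress "1.21"]
                 [commons-io/commons-io "2.7"]]

  ;; Abort the build when two dependency paths disagree on a version instead of
  ;; letting Maven's nearest-wins rule pick one quietly. Paired with the
  ;; exclusions above, this makes a regression to a vulnerable version a build
  ;; failure rather than something only the next scanner run would notice.
  :pedantic? :abort

  ;; Logging backends only for the test run, matching the PR's test profile:
  ;; poi-ooxml >= 5.1.0 logs through log4j-core, jodconverter-local through slf4j.
  :profiles {:test {:dependencies [[org.apache.logging.log4j/log4j-core "2.17.1"] ; assumed version
                                   [org.slf4j/slf4j-nop "1.7.36"]]}}              ; assumed version

  ;; Test selectors. A deftest tagged ^:office-integrations is skipped by the
  ;; default selector, so CI without LibreOffice/OpenOffice still passes, and is
  ;; run on demand with `lein test :office-integrations`.
  :test-selectors {:default             (complement :office-integrations)
                   :office-integrations :office-integrations
                   :all                 (constantly true)})
```

A test that needs a running office installation is tagged with metadata on the var, for example `(deftest ^:office-integrations pdf-export-test ...)`; Leiningen's `test` task then runs it only under `lein test :office-integrations` or `lein test :all`, while a plain `lein test` uses the `:default` selector and skips it. After changing the pins, re-run the scanner against the built artifact (for instance the uberjar) rather than the source tree, so that what is checked is the dependency set the build actually resolved.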

matthewdowney commented 2 years ago

Looks good — I'll give it a thorough look on Monday. Cheers!

matthewdowney commented 2 years ago

Ok - included in the newest release (2.1.0). Thanks!