akurtakov opened a new pull request #75:
URL: https://github.com/apache/maven-indexer/pull/75

It suffers from multiple CVEs:
* guava < 24.1.1 is vulnerable to CVE-2018-10237.
* guava < 30.0 is vulnerable to CVE-2020-8908.

Moving to guava 30.1 will require moving to Java 8 so it's actually simpler to just remove the dependency altogether.

Signed-off-by: Alexander Kurtakov <[hidden email]>

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at: [hidden email]
bmarwell commented on a change in pull request #75:
URL: https://github.com/apache/maven-indexer/pull/75#discussion_r563033687

########## File path: indexer-core/src/main/java/org/apache/maven/index/ArtifactInfo.java ########## @@ -431,7 +429,8 @@ public Gav calculateGav() public String toString() { final StringBuilder result = new StringBuilder( getUinfo() ); - if ( !Strings.isNullOrEmpty( getPackaging() ) ) + String packaging = getPackaging(); + if (packaging != null && !getPackaging().isEmpty())

Review comment: Don't call the method here, it could yield null.
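Review bot: in the new condition `if (packaging != null && !getPackaging().isEmpty())` the null check guards the local `packaging`, but `isEmpty()` is then invoked on a second `getPackaging()` call, so the value that is actually dereferenced is not the one that was checked; write `!packaging.isEmpty()` so the guarded local is the one tested. The replacement line also drops the `if ( ... )` spacing used by the removed line and the surrounding code; keep the file's existing style.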
akurtakov commented on a change in pull request #75:
URL: https://github.com/apache/maven-indexer/pull/75#discussion_r563035684

########## File path: indexer-core/src/main/java/org/apache/maven/index/ArtifactInfo.java ########## @@ -431,7 +429,8 @@ public Gav calculateGav() public String toString() { final StringBuilder result = new StringBuilder( getUinfo() ); - if ( !Strings.isNullOrEmpty( getPackaging() ) ) + String packaging = getPackaging(); + if (packaging != null && !getPackaging().isEmpty())

Review comment: Oops, my mistake.
elharo commented on pull request #75:
URL: https://github.com/apache/maven-indexer/pull/75#issuecomment-778658538

Running through jenkins at https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven-indexer/job/guava/
If it passes, I'll merge.
akurtakov commented on pull request #75:
URL: https://github.com/apache/maven-indexer/pull/75#issuecomment-783750640

I don't understand the request. It points to a failure to compile in indexer-reader tests, but that module has a test dependency on guava. My patches remove the usages only from indexer-core.
elharo commented on pull request #75:
URL: https://github.com/apache/maven-indexer/pull/75#issuecomment-783939547

This PR failed in jenkins with the error messages pasted above.
akurtakov commented on pull request #75:
URL: https://github.com/apache/maven-indexer/pull/75#issuecomment-783947655

I don't see any build at https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven-indexer/job/guava/. Can you please share the link to the full log so I can look at it?
elharo commented on pull request #75:
URL: https://github.com/apache/maven-indexer/pull/75#issuecomment-784169634

The builds expire after some period of time. I'll have to run this through again.
elharo commented on pull request #75:
URL: https://github.com/apache/maven-indexer/pull/75#issuecomment-784208871

Build still fails: https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven-indexer/job/guava/19/