[GitHub] [maven-indexer] akurtakov opened a new pull request #75: Remove guava dependency from indexer-core

akurtakov opened a new pull request #75:
URL: https://github.com/apache/maven-indexer/pull/75


   It suffers from multiple CVEs:
   * guava < 24.1.1 is vulnerable to CVE-2018-10237.
   * guava < 30.0 is vulnerable to CVE-2020-8908.
   
   Moving to guava 30.1 will require moving to Java 8 so it's actually
   simpler to just remove the dependency altogether.
   
   Signed-off-by: Alexander Kurtakov <[hidden email]>


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[hidden email]

bmarwell commented on a change in pull request #75:
URL: https://github.com/apache/maven-indexer/pull/75#discussion_r563033687



##########
File path: indexer-core/src/main/java/org/apache/maven/index/ArtifactInfo.java
##########
@@ -431,7 +429,8 @@ public Gav calculateGav()
     public String toString()
     {
         final StringBuilder result = new StringBuilder( getUinfo() );
-        if ( !Strings.isNullOrEmpty( getPackaging() ) )
+        String packaging = getPackaging();
+        if (packaging != null && !getPackaging().isEmpty())

Review comment:
       Don't call the method here, it could yield null.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[hidden email]

akurtakov commented on a change in pull request #75:
URL: https://github.com/apache/maven-indexer/pull/75#discussion_r563035684



##########
File path: indexer-core/src/main/java/org/apache/maven/index/ArtifactInfo.java
##########
@@ -431,7 +429,8 @@ public Gav calculateGav()
     public String toString()
     {
         final StringBuilder result = new StringBuilder( getUinfo() );
-        if ( !Strings.isNullOrEmpty( getPackaging() ) )
+        String packaging = getPackaging();
+        if (packaging != null && !getPackaging().isEmpty())

Review comment:
       Oops my mistake.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[hidden email]

elharo commented on pull request #75:
URL: https://github.com/apache/maven-indexer/pull/75#issuecomment-778658538


   Running through jenkins at https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven-indexer/job/guava/
   
   If it passes, I'll merge


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[hidden email]

akurtakov commented on pull request #75:
URL: https://github.com/apache/maven-indexer/pull/75#issuecomment-783750640


   I don't understand the request. It points to failure to compile in indexer-reader tests but that module has test dependency on guava. My patches removes the usages only from indexer-core.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[hidden email]

elharo commented on pull request #75:
URL: https://github.com/apache/maven-indexer/pull/75#issuecomment-783939547


   This PR failed in jenkins with the error messages pasted above.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[hidden email]

akurtakov commented on pull request #75:
URL: https://github.com/apache/maven-indexer/pull/75#issuecomment-783947655


   I don't see any build at https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven-indexer/job/guava/ . Can you please share the link to the full log so I can look at it?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[hidden email]

elharo commented on pull request #75:
URL: https://github.com/apache/maven-indexer/pull/75#issuecomment-784169634


   The builds expire after some period of time. I'll have to run this through again.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[hidden email]

elharo commented on pull request #75:
URL: https://github.com/apache/maven-indexer/pull/75#issuecomment-784208871


   Build still fails: https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven-indexer/job/guava/19/


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[hidden email]