Cantaloup 5.0.6 #641

glenrobson · 2024-01-24T12:42:23Z

Todo:

Update CHANGES.md
Update CREDITS.md
S3 tests using https://github.com/gaul/s3proxy
Maybe azure tests (would need to sign up for an account)
Run pre-release checks
Go through release procedure

See: https://archive.apache.org/dist/tika/2.0.0-BETA/CHANGES-2.0.0-BETA.txt

glenrobson · 2024-01-24T13:09:30Z

Created a basic CREDITS.md but should credit the other people who have contributed.

glenrobson · 2024-01-24T13:10:59Z

S3 tests:

"For the S3 tests, I use minio or s3proxy (https://github.com/gaul/s3proxy) running locally. The S3 tests work in CI using minio. My S3 keys in test.properties look like:

s3.service = minio
s3.endpoint = http://localhost:9000/
s3.region = us-east-2
s3.access_key_id = minioadmin
s3.secret_key = minioadmin
s3.bucket = cantaloupe-test"

Looks like the s3 tests are part of the CI anyway so no need to test this seperatly.

glenrobson · 2024-01-24T15:04:32Z

Running: mvn verify -DskipTests=true

One or more dependencies were identified with known vulnerabilities in Cantaloupe:

caffeine-3.1.6.jar (pkg:maven/com.github.ben-manes.caffeine/caffeine@3.1.6, cpe:2.3:a:cache_project:cache:3.1.6:*:*:*:*:*:*:*) : CVE-2020-36448
protobuf-java-4.0.0-rc-2.jar (pkg:maven/com.google.protobuf/protobuf-java@4.0.0-rc-2, cpe:2.3:a:google:protobuf-java:4.0.0.2:*:*:*:*:*:*:*, cpe:2.3:a:protobuf:protobuf:4.0.0.2:*:*:*:*:*:*:*) : CVE-2021-22569, CVE-2022-3171, CVE-2022-3509
commons-logging-1.1.1.jar (pkg:maven/commons-logging/commons-logging@1.1.1, cpe:2.3:a:apache:commons_net:1.1.1:*:*:*:*:*:*:*) : CVE-2021-37533
commons-io-2.13.0.jar (pkg:maven/commons-io/commons-io@2.13.0, cpe:2.3:a:apache:commons_io:2.13.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_net:2.13.0:*:*:*:*:*:*:*) : CVE-2021-37533
netty-transport-4.1.96.Final.jar (pkg:maven/io.netty/netty-transport@4.1.96.Final, cpe:2.3:a:netty:netty:4.1.96:*:*:*:*:*:*:*) : CVE-2023-44487
commons-csv-1.10.0.jar (pkg:maven/org.apache.commons/commons-csv@1.10.0, cpe:2.3:a:apache:commons_net:1.10.0:*:*:*:*:*:*:*) : CVE-2021-37533
commons-codec-1.16.0.jar (pkg:maven/commons-codec/commons-codec@1.16.0, cpe:2.3:a:apache:commons_net:1.16.0:*:*:*:*:*:*:*) : CVE-2021-37533
commons-compress-1.24.0.jar (pkg:maven/org.apache.commons/commons-compress@1.24.0, cpe:2.3:a:apache:commons_compress:1.24.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_net:1.24.0:*:*:*:*:*:*:*) : CVE-2021-37533
commons-cli-1.5.0.jar (pkg:maven/commons-cli/commons-cli@1.5.0, cpe:2.3:a:apache:commons_net:1.5.0:*:*:*:*:*:*:*) : CVE-2021-37533
jsonld-java-0.13.4.jar (pkg:maven/com.github.jsonld-java/jsonld-java@0.13.4, cpe:2.3:a:json-java_project:json-java:0.13.4:*:*:*:*:*:*:*) : CVE-2022-45688, CVE-2023-5072
jakarta.json-2.0.1.jar (pkg:maven/org.glassfish/jakarta.json@2.0.1, cpe:2.3:a:json-java_project:json-java:2.0.1:*:*:*:*:*:*:*) : CVE-2022-45688, CVE-2023-5072
jackson-databind-2.15.2.jar (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2, cpe:2.3:a:fasterxml:jackson-databind:2.15.2:*:*:*:*:*:*:*) : CVE-2023-35116
snakeyaml-2.0.jar (pkg:maven/org.yaml/snakeyaml@2.0, cpe:2.3:a:snakeyaml_project:snakeyaml:2.0:*:*:*:*:*:*:*, cpe:2.3:a:yaml_project:yaml:2.0:*:*:*:*:*:*:*) : CVE-2021-4235, CVE-2022-3064
guava-19.0.jar (pkg:maven/com.google.guava/guava@19.0, cpe:2.3:a:google:guava:19.0:*:*:*:*:*:*:*) : CVE-2018-10237, CVE-2020-8908, CVE-2023-2976
plexus-interpolation-1.26.jar (pkg:maven/org.codehaus.plexus/plexus-interpolation@1.26, cpe:2.3:a:codehaus-plexus_project:codehaus-plexus:1.26:*:*:*:*:*:*:*) : CVE-2022-4244, CVE-2022-4245
plexus-archiver-4.7.1.jar (pkg:maven/org.codehaus.plexus/plexus-archiver@4.7.1, cpe:2.3:a:codehaus-plexus:plexus-archiver:4.7.1:*:*:*:*:*:*:*, cpe:2.3:a:codehaus-plexus_project:codehaus-plexus:4.7.1:*:*:*:*:*:*:*) : CVE-2023-37460
netty-transport-native-epoll-4.1.53.Final-linux-x86_64.jar (pkg:maven/io.netty/netty-transport-native-epoll@4.1.53.Final, cpe:2.3:a:netty:netty:4.1.53:*:*:*:*:*:*:*) : CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136, CVE-2021-37137, CVE-2021-43797, CVE-2022-24823, CVE-2022-41881, CVE-2023-34462, CVE-2023-44487
jquery.min.js (pkg:javascript/jquery@1.11.1) : CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023, jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates
bootstrap.min.js (pkg:javascript/bootstrap@3.3.5) : Bootstrap before 4.0.0 is end-of-life and no longer maintained., CVE-2016-10735, CVE-2018-14041, CVE-2018-14042, CVE-2018-20676, CVE-2018-20677, CVE-2019-8331
jruby-stdlib-9.4.3.0.jar: bcprov-jdk18on-1.71.jar (cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.71.0:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.71.0:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.71.0:*:*:*:*:*:*:*) : CVE-2023-33202
velocity-engine-core-2.3.jar/META-INF/maven/commons-io/commons-io/pom.xml (pkg:maven/commons-io/commons-io@2.8.0, cpe:2.3:a:apache:commons_io:2.8.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:commons_net:2.8.0:*:*:*:*:*:*:*) : CVE-2021-37533

glenrobson · 2024-01-24T16:18:17Z

Updating the dependency-check-maven plugin which runs the verify code to latest (5.2.4 -> 9.0.9) results in the following issues:

bootstrap.min.js (pkg:javascript/bootstrap@3.3.5) : CVE-2016-10735, CVE-2018-14041, CVE-2018-14042, CVE-2018-20676, CVE-2018-20677, CVE-2019-8331, Bootstrap before 4.0.0 is end-of-life and no longer maintained.
guava-19.0.jar (pkg:maven/com.google.guava/guava@19.0, cpe:2.3:a:google:guava:19.0:*:*:*:*:*:*:*) : CVE-2023-2976, CVE-2018-10237, CVE-2020-8908
jackson-databind-2.15.2.jar (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2, cpe:2.3:a:fasterxml:jackson-databind:2.15.2:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-modules-java8:2.15.2:*:*:*:*:*:*:*) : CVE-2023-35116
jquery.min.js (pkg:javascript/jquery@1.11.1) : CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023, jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates
jruby-stdlib-9.4.3.0.jar: bcprov-jdk18on-1.71.jar (cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.71:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.71:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.71:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.71:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.71:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.71:*:*:*:*:*:*:*) : CVE-2023-33202
netty-transport-4.1.96.Final.jar (pkg:maven/io.netty/netty-transport@4.1.96.Final, cpe:2.3:a:netty:netty:4.1.96:*:*:*:*:*:*:*) : CVE-2023-44487
netty-transport-native-epoll-4.1.53.Final-linux-x86_64.jar (pkg:maven/io.netty/netty-transport-native-epoll@4.1.53.Final, cpe:2.3:a:netty:netty:4.1.53:*:*:*:*:*:*:*) : CVE-2021-37136, CVE-2021-37137, CVE-2022-41881, CVE-2023-44487, CVE-2021-43797, CVE-2023-34462, CVE-2021-21295, CVE-2021-21409, CVE-2021-21290, CVE-2022-24823
plexus-archiver-4.7.1.jar (pkg:maven/org.codehaus.plexus/plexus-archiver@4.7.1, cpe:2.3:a:codehaus-plexus:plexus-archiver:4.7.1:*:*:*:*:*:*:*, cpe:2.3:a:codehaus-plexus_project:codehaus-plexus:4.7.1:*:*:*:*:*:*:*) : CVE-2023-37460
plexus-interpolation-1.26.jar (pkg:maven/org.codehaus.plexus/plexus-interpolation@1.26, cpe:2.3:a:codehaus-plexus_project:codehaus-plexus:1.26:*:*:*:*:*:*:*) : CVE-2022-4244, CVE-2022-4245
protobuf-java-4.0.0-rc-2.jar (pkg:maven/com.google.protobuf/protobuf-java@4.0.0-rc-2, cpe:2.3:a:google:protobuf-java:4.0.0:rc-2:*:*:*:*:*:*, cpe:2.3:a:protobuf:protobuf:4.0.0:rc-2:*:*:*:*:*:*) : CVE-2022-3171, CVE-2022-3509, CVE-2021-22569

Resolutions:

A couple of javascript libraries used in the admin interface that are no longer supported (bootstrap.min.js and jquery.min.js).
guava noted in: Frightening amount of security issues in latest v4.x and v5.x #634 (comment) for auto html testing.
jackson-databind-2.15.2.jar - rejected by Jackson databind community: https://nvd.nist.gov/vuln/detail/CVE-2023-35116
jruby-stdlib-9.4.3.0.jar - still an issue in latest version of bcprov-jdk18on https://nvd.nist.gov/vuln/detail/CVE-2023-33202
netty-transport-4.1.96.Final.jar - Updated AWS sdk (2.15.28 -> 2.23.8) and lettice (6.2.6.RELEASE -> 6.2.7.RELEASE)
Plexus - noted in Frightening amount of security issues in latest v4.x and v5.x #634 (comment) part of the mvn build process only.
protobuf-java-4.0.0-rc-2.jar latest version and all issues seem to be pre version 4 which we are using.

Down to:

bootstrap.min.js (pkg:javascript/bootstrap@3.3.5) : CVE-2016-10735, CVE-2018-14041, CVE-2018-14042, CVE-2018-20676, CVE-2018-20677, CVE-2019-8331, Bootstrap before 4.0.0 is end-of-life and no longer maintained.
guava-19.0.jar (pkg:maven/com.google.guava/guava@19.0, cpe:2.3:a:google:guava:19.0:*:*:*:*:*:*:*) : CVE-2023-2976, CVE-2018-10237, CVE-2020-8908
jackson-databind-2.15.2.jar (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2, cpe:2.3:a:fasterxml:jackson-databind:2.15.2:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-modules-java8:2.15.2:*:*:*:*:*:*:*) : CVE-2023-35116
jquery.min.js (pkg:javascript/jquery@1.11.1) : CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023, jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates
jruby-stdlib-9.4.3.0.jar: bcprov-jdk18on-1.71.jar (cpe:2.3:a:bouncycastle:bouncy-castle-crypto-package:1.71:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:1.71:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:bouncy_castle_for_java:1.71:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:1.71:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.71:*:*:*:*:*:*:*, cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:1.71:*:*:*:*:*:*:*) : CVE-2023-33202
plexus-archiver-4.7.1.jar (pkg:maven/org.codehaus.plexus/plexus-archiver@4.7.1, cpe:2.3:a:codehaus-plexus:plexus-archiver:4.7.1:*:*:*:*:*:*:*, cpe:2.3:a:codehaus-plexus_project:codehaus-plexus:4.7.1:*:*:*:*:*:*:*) : CVE-2023-37460
plexus-interpolation-1.26.jar (pkg:maven/org.codehaus.plexus/plexus-interpolation@1.26, cpe:2.3:a:codehaus-plexus_project:codehaus-plexus:1.26:*:*:*:*:*:*:*) : CVE-2022-4244, CVE-2022-4245
protobuf-java-4.0.0-rc-2.jar (pkg:maven/com.google.protobuf/protobuf-java@4.0.0-rc-2, cpe:2.3:a:google:protobuf-java:4.0.0:rc-2:*:*:*:*:*:*, cpe:2.3:a:protobuf:protobuf:4.0.0:rc-2:*:*:*:*:*:*) : CVE-2022-3171, CVE-2022-3509, CVE-2021-22569

glenrobson · 2024-01-24T16:39:25Z

Running Spotbugs some small things but nothing I think that needs fixing.

glenrobson · 2024-01-24T19:06:07Z

It looks like s3 version 2.21.4 is the first one to use netty-transport 4.1.100.Final which is the one with the fix.

glenrobson · 2024-01-24T21:54:25Z

OK on to the release procedure.

glenrobson added 30 commits August 9, 2023 14:18

Updating libraries

18a76cc

Preparing for PDFBox v3 update

1f98ccc

Updating tika to v2.8.0

f89fa00

See: https://archive.apache.org/dist/tika/2.0.0-BETA/CHANGES-2.0.0-BETA.txt

Rolling back to 1.3.2 which is latest release

487dd59

Rolling back seleniumhq

a660719

Syncing versions of slf4j and logback

f2c65f7

Updating maven version as 3.8.5 no longer exists at the URL

ee991b2

Trying upgrading windows version

f438f83

Moving choco package

a5b3e5d

Moving creating prepared statement to after blob population

85a993a

Fixing a missing blob exception

8ab3d43

Rolling back HikariCP to last version to support Java 8

6ce84ca

Adding a baseURI to make the rdf:about have a value

c8440ff

Adding an rdf:about value if not present

e5340cd

Updating to latest Jena version

1833104

Checking for empty rdf:about and using base URI

0e6aa05

Unpinning htmlunit version form selenium

9fdabba

Handling different exception but same outcome

a03e63c

Adding RDF namespace

962dbff

Adding RDF namespace to test

cb8997c

Updating Jackson

d96c36b

Updating jetty

72aaecc

Moving to CGI.escape for Ruby 3

3b6b762

Trying the debian version of grok

49947d5

Fixing typo

385c243

Updating Ubuntu to version with grok

63c6d6a

Moving to ubuntu lunar so we can get Grok via apt-get

9556c9a

Updating grok install

0527dff

Adding changes to v 5.0.6

283d85e

Adding basic CREDITS.md

9149ee9

glenrobson added 2 commits January 24, 2024 14:43

Updating logback version

31c4aaa

Updating libraries for security

985b9ae

Updating mvn verify plugin

1874a81

Updating libraries identified by mvn verify

cdb1ce9

glenrobson added 6 commits January 24, 2024 16:39

Updating spot bugs

f884094

Rolling back s3 version

0e9ad45

Adding wait before testing if purged

026b69b

Speeding up test

bf2ee95

Adding a pause after purge

ae6f431

Trying a newer version of AWS

f95a1a3

glenrobson merged commit 38a136f into cantaloupe-project:release/5.0 Jan 24, 2024
6 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cantaloup 5.0.6 #641

Cantaloup 5.0.6 #641

glenrobson commented Jan 24, 2024 •

edited

Loading

glenrobson commented Jan 24, 2024

glenrobson commented Jan 24, 2024 •

edited

Loading

glenrobson commented Jan 24, 2024

glenrobson commented Jan 24, 2024

glenrobson commented Jan 24, 2024

glenrobson commented Jan 24, 2024

glenrobson commented Jan 24, 2024

Cantaloup 5.0.6 #641

Cantaloup 5.0.6 #641

Conversation

glenrobson commented Jan 24, 2024 • edited Loading

glenrobson commented Jan 24, 2024

glenrobson commented Jan 24, 2024 • edited Loading

glenrobson commented Jan 24, 2024

glenrobson commented Jan 24, 2024

glenrobson commented Jan 24, 2024

glenrobson commented Jan 24, 2024

glenrobson commented Jan 24, 2024

glenrobson commented Jan 24, 2024 •

edited

Loading

glenrobson commented Jan 24, 2024 •

edited

Loading