POI vulnerabilities #642

Closed
SteveSchafer-Innovent opened this issue Apr 16, 2021 · 7 comments

Comments

@SteveSchafer-Innovent
Contributor

POI 3.9 contains a number of vulnerabilities:

CVE-2017-12626
CVE-2017-5644
CVE-2016-5000
CVE-2014-9527
CVE-2014-3574
CVE-2014-3529

that I know about. POI 4.1.1 does not have these vulnerabilities and is available on orbit but the interfaces are somewhat incompatible. I'm presently working on this for a client in 4.8 and can apply these to 4.9 after I finish.

This is a bugzilla about vulnerabilities in multiple plugins including axis, derby, batik and poi: https://bugs.eclipse.org/bugs/show_bug.cgi?id=522431. I think it might be more manageable to break them out into individual issues.

@wimjongman
Contributor

wimjongman commented Apr 17, 2021

Ooh! That is great. I was looking at upgrading this the other day and also noticed that the API was changed. Thanks for taking this on.

@SteveSchafer-Innovent
Contributor Author

I was able to get this to work for my client in 4.8 but I didn't use Maven. I just let eclipse auto-build the classes and copied them into the birt runtime jar and it worked, but in 4.9 I need to use Maven.

I have zero experience with using maven for building things that require eclipse plugins. I can see that the 3.9 poi jars are getting put into a variety of lib and plugins folders, all of which are inside target folders, so maven is putting them there, but I don't know how it knows to do that. I need to switch 3.9 to 4.1.1 and add 3 other plugins from orbit. I've found a couple of files by searching for /poi.*3.9/ but modifying them hasn't done anything except cause errors. Maybe it's using a target platform, but I can't figure out how.

Can anyone give me any guidance?

@wimjongman
Contributor

You can just update the .target file. It is located in the org.eclipse.build.target bundle in the build folder.

https://github.com/eclipse/birt/tree/master/build/org.eclipse.birt.target

Let me know if you need help.

@SteveSchafer-Innovent
Contributor Author

SteveSchafer-Innovent commented Apr 21, 2021

I see a file named org.eclipse.birt.target.target and it contains these lines:

		<unit id="org.apache.poi" version="0.0.0"/>
		<unit id="org.apache.poi.ooxml" version="0.0.0"/>
		<unit id="org.apache.poi.ooxml.schemas" version="0.0.0"/>

How does it know those are currently 3.9 and how can I change to 4.1.1?

Update: I see the <repository> tag and it's pointing to an orbit repo that only has poi 3.9. The latest repo has both 3.9 and 4.1.1. I'll experiment with it.

@SteveSchafer-Innovent
Contributor Author

SteveSchafer-Innovent commented Apr 21, 2021

This was the error I was getting:

[INFO] Scanning for projects...
[ERROR] Internal error: java.lang.IllegalArgumentException: invalid range "[4.1.1": invalid format: NoSuchElementException -> [Help 1]
org.apache.maven.InternalErrorException: Internal error: java.lang.IllegalArgumentException: invalid range "[4.1.1": invalid format

but it turns out I accidentally deleted the leading quote, so it was a syntax error.

Following is what I changed, in case anyone has any comments. Some of these might be unnecessary.

build/org.eclipse.birt.target/org.eclipse.birt.target.target:
Added a new location pointing to the latest orbit repo, with version specified instead of 0.0.0. Removed the 3 poi units from the original location. Added new units for org.apache.commons.collections4 4.4.1, org.apache.commons.compress 1.19.0, org.apache.xmlbeans 3.1.0, and removed org.apache.xmlbeans from the old location.

	<location includeAllPlatforms="false" includeConfigurePhase="true" includeMode="planner" includeSource="true" type="InstallableUnit">
		<repository location="https://download.eclipse.org/tools/orbit/downloads/drops/I20210306035740/repository/"/>
		<unit id="org.apache.poi" version="4.1.1.v20200604-1524"/>
		<unit id="org.apache.poi.ooxml" version="4.1.1.v20200820-1148"/>
		<unit id="org.apache.poi.ooxml.schemas" version="4.1.1.v20200922-2105"/>
		<unit id="org.apache.commons.collections4" version="4.4.0.v20200420-1700"/>
		<unit id="org.apache.commons.compress" version="1.19.0.v20200106-2343"/>
		<unit id="org.apache.xmlbeans" version="3.1.0.v20200922-1359"/>
	</location>

build/org.eclipse.birt.build/externalRepo.properties:
the comment says "If the bundle under ReportEngine/lib has changed version in this release, it should be removed from this property file, otherwise, it should be added into this file" so I removed the three poi lines.

releng/maps/orbit_bundles.map:
Changed the poi plugin to 4.1.1 and pasted the URL from orbit. Added new lines for poi.ooxml and poi.ooxml.schemas. Also added org.apache.commons.collections4 4.4.0, org.apache.commons.compress 1.19.0, and org.apache.xmlbeans 3.1.0, which are now needed by poi 4.1.1.

4 MANIFEST.MF files:
Changed "[3.9.0,4.0.0)" to "[4.1.1,5.0.0)" for all poi required bundles.
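For anyone repeating this kind of upgrade, the following Python script is an added example (not BIRT project code and not from anyone in this thread) that checks the two places the comment above edits: it parses a `.target` file for `org.apache.poi*` units pinned below 4.1.1 (including `0.0.0`, which defers the choice of version to whatever the repository offers), and it parses `Require-Bundle` ranges in a MANIFEST.MF, flagging ranges whose lower bound still admits the 3.9 line and rejecting malformed ranges such as the `[4.1.1` in the Maven error above. The `.target` and manifest inputs, the `example.invalid` repository URLs and the bundle name `org.example.report.emitter` are constructed samples; the 4.1.1 threshold is the one this thread settles on.

```python
"""Audit helper (example added to this thread, not BIRT project code): flag
Apache POI references in an Eclipse .target file and in MANIFEST.MF
Require-Bundle ranges that still admit the vulnerable 3.9 line, and catch
malformed ranges such as "[4.1.1". All sample inputs are constructed."""
import re
import xml.etree.ElementTree as ET

MIN_POI = (4, 1, 1)  # first POI version the thread treats as acceptable

# Constructed target definition: a stale location (0.0.0 = "whatever the
# repository offers") and a location pinned to explicit 4.1.1 builds.
SAMPLE_TARGET = """<target name="example">
  <locations>
    <location includeMode="planner" type="InstallableUnit">
      <repository location="https://example.invalid/old-orbit/"/>
      <unit id="org.apache.poi" version="0.0.0"/>
    </location>
    <location includeMode="planner" type="InstallableUnit">
      <repository location="https://example.invalid/new-orbit/"/>
      <unit id="org.apache.poi.ooxml" version="4.1.1.v20200820-1148"/>
    </location>
  </locations>
</target>"""

# Constructed manifest: one stale range, one good range, and one whose
# leading quote was deleted (the mistake behind the Maven error above).
SAMPLE_MANIFEST = """Manifest-Version: 1.0
Bundle-SymbolicName: org.example.report.emitter
Require-Bundle: org.eclipse.core.runtime,
 org.apache.poi;bundle-version="[3.9.0,4.0.0)",
 org.apache.poi.ooxml;bundle-version="[4.1.1,5.0.0)",
 org.apache.poi.ooxml.schemas;bundle-version=[4.1.1,5.0.0)"
"""

RANGE_RE = re.compile(r'^([\[(])\s*([^,\s]+)\s*,\s*([^\])\s]+)\s*([\])])$')


def parse_version(text):
    """OSGi version "major.minor.micro[.qualifier]" -> (major, minor, micro)."""
    nums = []
    for part in text.split(".")[:3]:
        if not part.isdigit():
            raise ValueError(f'invalid version "{text}"')
        nums.append(int(part))
    return tuple(nums + [0] * (3 - len(nums)))


def parse_range(text):
    """OSGi range "[lo,hi)" -> (lo, lo_inclusive, hi, hi_inclusive); a bare
    version means "lo and above". Raises ValueError on malformed input."""
    text = text.strip()
    if text and text[0] not in "[(":
        return parse_version(text), True, None, False
    m = RANGE_RE.match(text)
    if not m:
        raise ValueError(f'invalid range "{text}": invalid format')
    lo_b, lo, hi, hi_b = m.groups()
    return parse_version(lo), lo_b == "[", parse_version(hi), hi_b == "]"


def range_admits_below(text, minimum=MIN_POI):
    """True if the range can be satisfied by a version older than `minimum`."""
    return parse_range(text)[0] < minimum


def audit_target(xml_text, prefix="org.apache.poi", minimum=MIN_POI):
    """Return (unit id, version, repository) for POI units not pinned >= minimum."""
    findings = []
    for loc in ET.fromstring(xml_text).iter("location"):
        repo = loc.find("repository")
        repo_url = repo.get("location") if repo is not None else "?"
        for unit in loc.findall("unit"):
            uid, ver = unit.get("id", ""), unit.get("version", "0.0.0")
            if (uid == prefix or uid.startswith(prefix + ".")) and parse_version(ver) < minimum:
                findings.append((uid, ver, repo_url))
    return findings


def unfold_manifest(text):
    """MANIFEST.MF headers with continuation lines (leading space) joined."""
    headers, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current:
            headers[current] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            current = name.strip()
            headers[current] = value.strip()
    return headers


def split_outside_quotes(text):
    """Split on commas not inside double quotes (version ranges contain commas)."""
    parts, buf, quoted = [], [], False
    for ch in text:
        quoted ^= ch == '"'
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def audit_manifest(manifest_text, prefix="org.apache.poi", minimum=MIN_POI):
    """Return (bundle, range, problem) for POI Require-Bundle entries that are
    unbounded, admit versions below `minimum`, or are syntactically broken."""
    findings = []
    for entry in split_outside_quotes(unfold_manifest(manifest_text).get("Require-Bundle", "")):
        name, *params = [p.strip() for p in entry.split(";")]
        if not (name == prefix or name.startswith(prefix + ".")):
            continue
        rng = next((p[len("bundle-version="):].strip('"') for p in params
                    if p.startswith("bundle-version=")), None)
        if rng is None:
            findings.append((name, None, "no bundle-version: any version accepted"))
            continue
        try:
            if range_admits_below(rng, minimum):
                findings.append((name, rng, "lower bound below minimum"))
        except ValueError as err:
            findings.append((name, rng, str(err)))
    return findings
```

Run against the constructed samples, `audit_target` reports the `0.0.0` pin in the old location, and `audit_manifest` reports the `[3.9.0,4.0.0)` range plus the `[4.1.1` fragment left behind by the missing quote; the properly pinned `org.apache.poi.ooxml` entries pass in both files. Pointing the two functions at `build/org.eclipse.birt.target/org.eclipse.birt.target.target` and each plugin's MANIFEST.MF gives a quick check that no bundle still resolves to the 3.9 line after an upgrade like the one described above.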

@wimjongman
Contributor

Ok, that looks fine. Please create a PR to see if it builds correctly.

SteveSchafer-Innovent added a commit to SteveSchafer-Innovent/birt that referenced this issue Apr 22, 2021
Update POI plugins to version 4.1.1 and add dependent plugins.

Signed-off-by: Steve Schafer <sschafer@innoventsolutions.com>
wimjongman added a commit that referenced this issue Apr 23, 2021
@SteveSchafer-Innovent
Contributor Author

PR successful, so closing
