Upgrade org.apache.commons.fileupload to latest version (1.4.0) #41
Reading the 1.4 release notes, I don't see any reason or incompatibility that would require keeping the older 1.3.3 version that was mentioned in the original bug report. Instead, I would suggest starting the upgrade to 1.4. Additionally, I believe there is no further IP check required for the library dependency upgrade in RAP Runtime. First, there is an already approved CQ 21543 available for another project in the files; second (and more important), according to the project handbook, ClearlyDefined is a trusted source of license information. By using the Eclipse Dash License Tool I get the following positive result for:

$ echo "maven/mavencentral/commons-fileupload/commons-fileupload/1.4" | java -jar org.eclipse.dash.licenses-0.0.1-20220803.055044-505.jar -
[main] INFO Querying Eclipse Foundation for license data for 1 items.
[main] INFO Found 0 items.
[main] INFO Querying ClearlyDefined for license data for 1 items.
[main] INFO Found 1 items.
[main] INFO Vetted license information was found for all content. No further investigation is required.

Unfortunately none of the clean versions are available for consumption from Eclipse Orbit, i.e. we need to find a good way to integrate this library in the RAP build process.
The tests in CommonsFileUpload_Test were testing the API behaviour of the upstream Apache `commons-fileupload` library only, and are not specific to its usage in RAP. With the upcoming dependency upgrade in #41 these tests started to fail because bugs such as FILEUPLOAD-258 [1] are fixed. Removing the test class.

[1] https://issues.apache.org/jira/browse/FILEUPLOAD-258
This change also includes Apache `commons-io` in version 2.11.0. Update the lower version boundaries of Apache `commons-fileupload` and `commons-io` to the versions of the updated bundles in order to ensure that the correct versions are selected at runtime. The new bundles are consumed from Eclipse Platform, which retrieves them from Maven Central. As part of this process, the bundle symbolic names of the bundles changed:

- `org.apache.commons.fileupload` to `org.apache.commons.commons-fileupload`
- `org.apache.commons.io` to `org.apache.commons.commons-io`

Update features, demo launch configurations, and demo product definitions to the new names. This fixes #41.
The fix includes...
Please note that the bundle symbolic name has changed because the new bundles are now consumed from Eclipse Platform, which itself started to consume them directly from Maven Central.
Hi, I ran into a Maven dependency resolution issue related to the version bump of
It refers to version 1.4.0, but the actual version of the Maven treats versions 1.4 and 1.4.0 differently and fails to resolve the correct artefact from Maven Central. The workaround is to declare a direct dependency to I'm not sure how the NB: I should mention that I'm experiencing this problem in a Gradle build and haven't tested it with a Maven build. However, since the version in the pom does not correspond to the artefact version in Maven Central, other Maven builds might run into this issue as well.
Migration of Bugzilla bug 542478
The original bug reporter reported on 2018-12-06 10:49:46 EST ...
A detailed analysis (2018-12-11 06:29:59 EST) of the security issue in the mentioned library revealed that ...
While the above ("RAP fileupload implementation is not affected by this vulnerability") is still true, we believe that an upgrade of org.apache.commons.fileupload is required in order to avoid false positives in security checks.