Conversation

@RalphSteinhagen
  • Bumped sundry library versions:

    • fastjson from 1.2.75 to 1.2.76
    • jackson-databind from 2.12.2 to 2.12.3
    • oshi-core from 5.7.0 to 5.7.4
    • disruptor from 3.4.2 to 3.4.4
    • jacoco-maven-plugin from 0.8.6 to 0.8.7
    • version.micrometer from 1.6.5 to 1.6.6
  • fixed and added command-line parameter example

@RalphSteinhagen RalphSteinhagen requested a review from wirew0rm June 23, 2021 07:02
<version>${version.jetty}</version>
</dependency>
<!-- bump jetty version due to CVE issue -->
<dependency>

Severe OSS Vulnerability: pkg:maven/org.eclipse.jetty/jetty-http@9.4.40.v20210413

0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:maven/org.eclipse.jetty/jetty-server@9.4.40.v20210413

SEVERE Vulnerabilities (1)

    [CVE-2021-28169] For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

    CVSS Score: 5.3

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

(at-me in a reply with help or ignore)

<artifactId>jetty-server</artifactId>
<version>${version.jetty}</version>
</dependency>
<dependency>

Severe OSS Vulnerability: pkg:maven/org.eclipse.jetty/jetty-http@9.4.40.v20210413

0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:maven/org.eclipse.jetty/jetty-webapp@9.4.40.v20210413

SEVERE Vulnerabilities (1)

    [CVE-2021-28169] For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

    CVSS Score: 5.3

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

(at-me in a reply with help or ignore)

<version>${version.jetty}</version>
</dependency>
<!-- bump jetty version due to CVE issue -->
<dependency>

Severe OSS Vulnerability: pkg:maven/org.eclipse.jetty/jetty-server@9.4.40.v20210413

0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a direct dependency

SEVERE Vulnerabilities (1)

    [CVE-2021-28169] For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

    CVSS Score: 5.3

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

(at-me in a reply with help or ignore)

<artifactId>jetty-server</artifactId>
<version>${version.jetty}</version>
</dependency>
<dependency>

Severe OSS Vulnerability: pkg:maven/org.eclipse.jetty/jetty-server@9.4.40.v20210413

0 Critical, 1 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:maven/org.eclipse.jetty/jetty-webapp@9.4.40.v20210413

SEVERE Vulnerabilities (1)

    [CVE-2021-28169] For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

    CVSS Score: 5.3

    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

(at-me in a reply with help or ignore)
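As an added example (not code from the opencmw project or from Jetty), the guard below shows the mechanism the bot's CVE-2021-28169 text describes from the defender's side: a check that URL-decodes the request path once lets `/%2557EB-INF/web.xml` through, because `%25` decodes to `%` and `%57EB-INF` only becomes `WEB-INF` on a second pass, whereas a guard that decodes until the value is stable and normalises before comparing does not. The sample paths are constructed; `PROTECTED`, the round bound and the backslash folding are assumptions about the container, not Jetty's own fix.

```python
from urllib.parse import unquote
import posixpath

# Assumptions for this example: the segment names a container keeps private,
# and a bound on decoding rounds so hostile input cannot keep us looping.
PROTECTED = ("WEB-INF", "META-INF")
MAX_DECODE_ROUNDS = 5


def naive_is_protected(path: str) -> bool:
    """Decode-once guard: '/%2557EB-INF/web.xml' becomes '/%57EB-INF/web.xml' and passes."""
    decoded = unquote(path)
    return any(seg.upper() in PROTECTED for seg in decoded.split("/"))


def canonicalize(path: str) -> str:
    """Decode until the string stops changing, then collapse '.' and '..' segments."""
    current = path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    else:
        # Still changing after the bound: refuse to guess what it "really" is.
        raise ValueError("percent-encoding nested deeper than %d rounds" % MAX_DECODE_ROUNDS)
    # Some containers also accept backslash as a separator; fold it before normalising.
    current = current.replace("\\", "/")
    return posixpath.normpath("/" + current.lstrip("/"))


def hardened_is_protected(path: str) -> bool:
    """Canonicalise first, then compare segments; fail closed on undecodable input."""
    try:
        canonical = canonicalize(path)
    except ValueError:
        return True
    return any(seg.upper() in PROTECTED for seg in canonical.split("/"))


# Constructed sample of the path handed to the concat servlet (the text after '/concat?').
SAMPLE_PATHS = [
    "/WEB-INF/web.xml",        # plain
    "/%57EB-INF/web.xml",      # single encoding
    "/%2557EB-INF/web.xml",    # double encoding, the case in the CVE text
    "/static/app.js",          # benign
]


def compare_guards(paths=SAMPLE_PATHS) -> dict:
    """Map each path to (naive verdict, hardened verdict)."""
    return {p: (naive_is_protected(p), hardened_is_protected(p)) for p in paths}
```

Only the double-encoded entry differs between the two verdicts, which is exactly the gap the version bump to 9.4.42 closes on the server side.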

dependabot bot and others added 3 commits June 24, 2021 13:02
* fastjson from 1.2.75 to 1.2.76
* jackson-databind from 2.12.2 to 2.12.3
* oshi-core from 5.7.0 to 5.7.5
* disruptor from 3.4.2 to 3.4.4
* jacoco-maven-plugin from 0.8.6 to 0.8.7
* version.micrometer from 1.6.5 to 1.6.6
* version.jetty from 9.4.40.v20210413 to 9.4.42.v20210604
N.B. Javalin instances are better not being re-used since previous routes cannot be cleared programmatically (<-> effectively final)
@RalphSteinhagen RalphSteinhagen temporarily deployed to configure coverage June 24, 2021 11:03 Inactive
@codecov

codecov bot commented Jun 24, 2021

Codecov Report

Merging #103 (d8f7b11) into main (d1a0cc7) will increase coverage by 0.39%.
The diff coverage is 83.54%.

@@             Coverage Diff              @@
##               main     #103      +/-   ##
============================================
+ Coverage     72.49%   72.89%   +0.39%     
- Complexity     2481     2633     +152     
============================================
  Files            87       89       +2     
  Lines         10820    11020     +200     
  Branches       1652     1719      +67     
============================================
+ Hits           7844     8033     +189     
+ Misses         2037     2023      -14     
- Partials        939      964      +25     
Impacted Files Coverage Δ
...a/io/opencmw/server/rest/RestCommonThreadPool.java 0.00% <0.00%> (ø)
.../opencmw/server/rest/user/RestUserHandlerImpl.java 31.42% <40.00%> (-0.96%) ⬇️
...io/opencmw/client/cmwlight/CmwLightDataSource.java 68.25% <62.50%> (-0.18%) ⬇️
.../opencmw/serialiser/spi/ClassFieldDescription.java 53.46% <63.63%> (-4.92%) ⬇️
...main/java/io/opencmw/client/OpenCmwDataSource.java 76.39% <66.66%> (+2.16%) ⬆️
...va/io/opencmw/server/rest/MajordomoRestPlugin.java 70.23% <69.44%> (+0.50%) ⬆️
...c/main/java/io/opencmw/server/rest/RestServer.java 65.89% <73.68%> (+4.04%) ⬆️
...in/java/io/opencmw/client/DataSourcePublisher.java 85.27% <75.00%> (-0.06%) ⬇️
...rc/main/java/io/opencmw/server/BasicMdpWorker.java 74.60% <77.77%> (-6.03%) ⬇️
...ava/io/opencmw/server/rest/RestServerSettings.java 80.00% <80.00%> (ø)
... and 14 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 701ec35...d8f7b11.

@wirew0rm wirew0rm left a comment

Diff looks good, tested command line parameters and Java Properties as well as the MajordomoRestPlugin with the samples and external projects and everything seems to be working fine 👍

@wirew0rm wirew0rm merged commit cd342d4 into main Jun 24, 2021
@wirew0rm wirew0rm deleted the bumpVersionsAndFixes branch June 24, 2021 12:43