Conversation

@jsvd
Contributor

@jsvd jsvd commented Apr 30, 2024

Beware that 'mvn package' will create jar with the current maven version being used, so it is necessary to use maven 3.9.6 while running the packaging task.

I set the gem version to 3.9.6 since this gem has been versioned according to the version of maven it packages.

Beware that 'mvn package' will create jar with the current maven version being used,
so it is necessary to use maven 3.9.6 while running the packaging task.
@enebo enebo merged commit dbda6ef into jruby:master Apr 30, 2024
@jsvd
Contributor Author

jsvd commented May 2, 2024

Thank you @enebo, any chance we could get this released? Please remember the maven being used to run mvn package is the one that ends up in the gem, from my experiments, so you have to use 3.9.6.
The reason is to avoid having some guava related cves in our JRuby project.

@jsvd jsvd deleted the upgrade_maven_3_9_6 branch May 2, 2024 09:01
@headius
Member

headius commented May 2, 2024

Sorry I forgot about releasing these updates in the flurry of activity over the past few months.

That is to say that I will look into releases today! 😀

@headius
Member

headius commented May 2, 2024

ruby-maven-libs 3.9.6 has been pushed to rubygems.org!

@jsvd
Contributor Author

jsvd commented May 2, 2024

@headius Unfortunately it seems your local dir still had previous jars:

❯ gem unpack ruby-maven-libs-3.9.6.gem
Unpacked gem: '/private/tmp/ruby-maven-libs-3.9.6'

/tmp
❯ find ruby-maven-libs-3.9.6 -name "*maven-core*"
ruby-maven-libs-3.9.6/maven-home/lib/maven-core-3.8.7.jar
ruby-maven-libs-3.9.6/maven-home/lib/maven-core-3.9.6.jar

Maybe creating a 3.9.6.1 ? 😅
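A small check for the stale-jar problem spotted above, added here as an example and not code from the ruby-maven-libs project or from anyone in this thread: it lists every artifact that is present in more than one version under an unpacked gem's maven-home. Apart from the maven-core and guava jars named in the thread, the sample file names are constructed.

```ruby
# Added example (not ruby-maven-libs project code): flag artifacts that ship
# in more than one version, e.g. maven-core-3.8.7.jar next to maven-core-3.9.6.jar.

# Split "maven-core-3.9.6.jar" into ["maven-core", "3.9.6"]. The version
# starts at the first "-" followed by a digit, so "guava-25.1-android.jar"
# becomes ["guava", "25.1-android"]. Names without a version give [name, nil].
def split_jar_name(filename)
  base = File.basename(filename, '.jar')
  m = base.match(/\A(.+?)-(\d.*)\z/)
  return [base, nil] unless m
  [m[1], m[2]]
end

# Given jar file names or paths, return a Hash of artifact => sorted versions
# for every artifact that appears in more than one version.
def duplicate_artifacts(jar_paths)
  versions = Hash.new { |h, k| h[k] = [] }
  jar_paths.each do |path|
    artifact, version = split_jar_name(path)
    next if version.nil?
    versions[artifact] << version
  end
  versions.select { |_, v| v.uniq.size > 1 }
          .transform_values { |v| v.uniq.sort }
end

# Walk a directory tree (e.g. the unpacked gem's maven-home) and apply the check.
def scan_maven_home(dir)
  duplicate_artifacts(Dir.glob(File.join(dir, '**', '*.jar')))
end

# Constructed sample mirroring the listing in the thread; the last entry is made up.
SAMPLE_JARS = %w[
  maven-home/lib/maven-core-3.8.7.jar
  maven-home/lib/maven-core-3.9.6.jar
  maven-home/lib/guava-25.1-android.jar
  maven-home/lib/example-lib-1.0.jar
].freeze

if $PROGRAM_NAME == __FILE__
  dir = ARGV.first
  dups = dir && Dir.exist?(dir) ? scan_maven_home(dir) : duplicate_artifacts(SAMPLE_JARS)
  dups.each { |artifact, vers| puts "#{artifact}: #{vers.join(', ')}" }
end
```

Run it against the directory produced by `gem unpack` to get the same kind of listing as the `find` above, but for every artifact rather than one name at a time.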

@headius
Member

headius commented May 2, 2024

Blast it all, I didn't realize there were unclean remnants or that they'd get included.

I see the correct jar is there, but I assume since the bad jar is there it still gets flagged for CVEs?

@headius
Member

headius commented May 2, 2024

I'm going to push a 3.9.6.1.pre1 and you can confirm it looks like it should.

@jsvd
Contributor Author

jsvd commented May 2, 2024

> I see the correct jar is there, but I assume since the bad jar is there it still gets flagged for CVEs?

that is right 😞

> I'm going to push a 3.9.6.1.pre1 and you can confirm it looks like it should.

ready when you are

@headius
Member

headius commented May 2, 2024

I also pushed a commit that updates the clean target to also clean out maven-home. 😡

@jsvd
Contributor Author

jsvd commented May 2, 2024

LGTM, I can confirm the files are not duplicated any more and that scanners are clean for that prereleased version. 👌

@headius
Member

headius commented May 2, 2024

Can you confirm for me that it still works properly? The mismatched Maven version and Gem version scare me a little bit.

@jsvd
Contributor Author

jsvd commented May 2, 2024

Given that the 3.9.6 version is still here:

/tmp/ruby-maven-libs-3.9.6.1.pre1
❯ grep VERSION lib/maven.rb 
  VERSION = '3.9.6'.freeze

It should be fine, but testing now, will report in a few min.

@headius
Member

headius commented May 2, 2024

> Given that the 3.9.6 version is still here

Yeah I'm hopeful that's good enough, but I had to hack the build to not use that as the gem version so I just need confirmation.

@jsvd
Contributor Author

jsvd commented May 2, 2024

Worked correctly! I was able to use a Logstash version with jruby 9.4.7.0 w/ ruby-maven-libs 3.9.6.1.pre1 and install a Logstash plugin that downloads and installs jars at install time 👌 LGTM

@jsvd
Contributor Author

jsvd commented May 2, 2024

Also:

❯ grype  -q ruby-maven-libs-3.8.9
NAME   INSTALLED     FIXED-IN        TYPE          VULNERABILITY        SEVERITY 
guava  25.1-android  32.0.0-android  java-archive  GHSA-7g45-4rm6-3mm3  Medium    
guava  25.1-android  32.0.0-android  java-archive  GHSA-5mg8-w23w-74h3  Low

❯ grype  -q ruby-maven-libs-3.9.6
NAME   INSTALLED     FIXED-IN        TYPE          VULNERABILITY        SEVERITY 
guava  25.1-android  32.0.0-android  java-archive  GHSA-7g45-4rm6-3mm3  Medium    
guava  25.1-android  32.0.0-android  java-archive  GHSA-5mg8-w23w-74h3  Low

❯ grype  -q ruby-maven-libs-3.9.6.1.pre1
No vulnerabilities found

headius added a commit that referenced this pull request May 2, 2024
This release includes Maven 3.9.6 and is only published because
the gem version 3.9.6 accidentally contained 3.8.7 jars.

See ##5
@headius
Member

headius commented May 2, 2024

Thanks for the confirmation @jsvd! I've pushed 3.9.6.1 to rg.org.
