Bump xstream from 1.4.17 to 1.4.18 #1917
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
Bumps [xstream](https://github.com/x-stream/xstream) from 1.4.17 to 1.4.18. - [Release notes](https://github.com/x-stream/xstream/releases) - [Commits](https://github.com/x-stream/xstream/commits) --- updated-dependencies: - dependency-name: com.thoughtworks.xstream:xstream dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
Priority 1: Must
With version 1.4.18 of XStream, unspecified types are no longer supported by default in XStream (as described in their release notes here: https://x-stream.github.io/changes.html#1.4.18). To keep XStream as the default serializer, at least Axon's types should be included by default. Users should also be able to disable this default if required. #1917
- Update code style of touched files - Fix warnings - Fix typos #1917
Remove unused eq() invocation #1917
|
Kudos, SonarCloud Quality Gate passed! |
|
Hi all, Just as a heads up. Xstream changed the security mechanism in 1.4.18 due to a CVE and it is causing regression in projects using Axon and Spring. x-stream/xstream#264 Might be interesting to check out these discussions as well. |
|
Hi @sanderino666 , thanks for the heads-up. We are aware of the discussions around XStream's security changes. Axon doesn't do much in terms of XStream configuration (basically leaving it to defaults). Basically, the default has changed from "allow all unless specified" to "reject all unless specified". That means the configuration should also be modified. We're currently discussing how we can make the impact of this change minimal. Not upgrading is not an option, since security should be everyone's no1 priority. Serializers are components at the edge of an application, and simply need to be secure. So we prefer to go along with the "keep it closed by default", but that would indeed mean a breaking change for existing users... |
|
Hi @abuijze,
Completely agree! I can easily reproduce the issue so if you need me to test on a snapshot, let me know, |
…tworks.xstream-xstream-1.4.18
Adjust the XStreamSerializer to no longer set a default XStream instance Also deprecate the defaultSerializer method, stating the security warning shared by XStream. #1917
Add a xstream version property and use it for the messaging package. Also update the autoconfiguration package to have an optional XStream dependency #1917
Remove the default XStreamSerializer from the JPA and JDBC storage engine implementations. The tests should be adjusted to use a secure XStreamSerializer. The Javadoc should be adjusted accordingly. #1917
Remove the default XStreamSerializer from the QuartzDeadlineManager and QuartzEventScheduler #1917
Remove the default XStreamSerializer from the JpaSagaStore and JdbcSagaStore implementations. Adjusts the tests to use a secured version of XStream on an XStreamSerializer. Update the JavaDoc accordingly. #1917
Set a secured XStreamSerializer through the TestSerializer #1917
Set a secured XStreamSerializer through the TestSerializer #1917
Set an XStream instance for the XStreamSerializer. Using the XStreamSerializer default configuration to secure axon components is sufficient. #1917
Add more default aliases to the AbstractXStreamSerializer, for queries, results and deadlines. #1917
Remove the default XStreamSerializer from the AxonServerEventScheduler and AxonServerEventStore. Also ensure a working XStreamSerializer is provided through the TestSerializer for every test class utilizing serialization. #1917
Update the used XStreamSerializer to ascertain that it uses a dedicated XStream instance. #1917
Introduce an XStreamAutoConfiguration, that checks for the ComponentScan annotated beans to deduce what the base packages and classes are to add to the security context of an XStream instance. Use this XStream instance when constructing the XStreamSerializer, if it has been configured to be used. #1917
To isolate the logic and to simplify testing, move the ComponentScan searching logic from the XStreamAutoConfiguration to a XStreamSecurityTypeUtility. #1917
smcvb
requested review from
smcvb,
m1l4n54v1c,
lfgcampos,
saratry and
abuijze
and removed request for
smcvb
Add test case that validates spring boot application properties are also taken into account. #1917
Add builders tests to please coverage #1917
…n/axon-4.5.x/com.thoughtworks.xstream-xstream-1.4.18 # Conflicts: # modelling/src/main/java/org/axonframework/modelling/saga/repository/jpa/JpaSagaStore.java
There was a problem hiding this comment.
There are a couple of other tests where we could use a TestSerializer as well but I saw all of that as a nit.
Little thing to not forget, as we talked, is to have a dedicated section on our release notes about the 'braking changes' we are forced to make because of it.
config/src/test/java/org/axonframework/config/DefaultConfigurerTest.java
Outdated
Show resolved
Hide resolved
legacy/src/test/java/org/axonframework/commandhandling/model/AggregateScopeDescriptorTest.java
Outdated
Show resolved
Hide resolved
legacy/src/test/java/org/axonframework/eventhandling/saga/SagaScopeDescriptorTest.java
Outdated
Show resolved
Hide resolved
…rTest.java Co-authored-by: Lucas Campos <lfgcampos@gmail.com>
Introduce TestSerializer to be used for legacy tests. #1917
…thoughtworks.xstream-xstream-1.4.18' into dependabot/maven/axon-4.5.x/com.thoughtworks.xstream-xstream-1.4.18
To not give a breaking change to users, we return the XStreamSerializer. Whenever the default is used though, we throw a warning stating the users should set the security context consciously. #1917
Allow all types on the defaultSerializer, by allowing all implementation of Object. Log a warning for the user that this isn't secure at all! #1917
|
SonarCloud Quality Gate failed. |
|
Sonar complains about unreached new loglines. As we're not in the habit of validating log lines, we will ignore the coverage level warning. Furthermore, @abuijze and I verbally reviewed this pull request. Hence, approval from his end is added to this resolution. |
smcvb
added
Status: Resolved
dependabot
bot
deleted the
dependabot/maven/axon-4.5.x/com.thoughtworks.xstream-xstream-1.4.18
branch
Bumps xstream from 1.4.17 to 1.4.18.
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)