
Upgrade dom4j from 1.6.1 to 2.1.3 #9939

Merged: 2 commits merged into gocd:master from upgrade-dom4j on Dec 17, 2021

Conversation

@chadlwilson (Member) commented Dec 16, 2021

Despite not being flagged on OWASP Dependency Check reports, DOM4J 1.6.1 may be subject to https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000632 - it's not 100% clear that this only affects DOM4J 2.x and folks such as Hibernate upgraded it as a result: https://hibernate.atlassian.net/browse/HHH-12964

Additionally, 1.6.1 is very EOL and un-patched.

Should be OK on the basis that:

* It seems fully compatible at runtime
* Old Hibernate depends on it, but was upgraded in hibernate/hibernate-orm#2533 with no other code changes
* Release notes don't mention any serious breaking changes other than compile time generics https://github.com/dom4j/dom4j/releases/tag/version-2.0.0

To make this work:

* Fixed compile time generics changes in test utility
* Fixed incorrect use of Dom4j in FeedEntriesRepresenter which now fails QName validation. Test validated before and after upgrade to produce identical XML.
* Improved the jaxen dependency modelling. This is needed for JDOM2, not DOM4j; and seemingly only within some config-api validation for the server.
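One supply-chain detail worth guarding against in an upgrade like this: dom4j 1.x is published under the Maven group `dom4j` while 2.x is published under `org.dom4j`, so a version constraint on the new coordinate never sees an old Hibernate (or any other transitive dependency) that still asks for `dom4j:dom4j:1.6.1`, and both artifacts can end up on the classpath. The Gradle snippet below is an added example, not code from this PR or from GoCD; it assumes a Gradle 5+ build using the Groovy DSL, and the task name `checkDom4j` is made up for the example.

```groovy
// Added example (not from the GoCD PR): redirect the legacy dom4j coordinate to
// the maintained 2.x artifact and fail the build if any resolvable configuration
// still contains a dom4j older than 2.1.1 (the CVE-2018-1000632 fix release).
configurations.all {
  resolutionStrategy {
    eachDependency { details ->
      // 1.x lives under group "dom4j", 2.x under "org.dom4j". Without this
      // rewrite a transitive request for dom4j:dom4j:1.6.1 survives untouched.
      if (details.requested.group == 'dom4j' && details.requested.name == 'dom4j') {
        details.useTarget 'org.dom4j:dom4j:2.1.3'
      }
    }
    // Pin the 2.x line as well so no other path lands on a pre-fix 2.0.x/2.1.0.
    force 'org.dom4j:dom4j:2.1.3'
  }
}

// Closure (not a script method) so it can be called from the task action below.
// "2.1.0" -> [2, 1, 0]; non-numeric segments count as 0; missing segments as 0.
def olderThanFix = { String version ->
  def fixed = [2, 1, 1]
  def parts = version.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
  for (int i = 0; i < fixed.size(); i++) {
    int p = i < parts.size() ? parts[i] : 0
    if (p != fixed[i]) return p < fixed[i]
  }
  return false
}

tasks.register('checkDom4j') {   // hypothetical task name
  description = 'Fails if a dom4j older than 2.1.1 (or the legacy dom4j:dom4j coordinate) resolves anywhere'
  doLast {
    def offenders = [] as Set
    configurations.findAll { it.canBeResolved }.each { cfg ->
      cfg.incoming.resolutionResult.allComponents.each { component ->
        def id = component.moduleVersion
        if (id == null || id.name != 'dom4j') return
        if (id.group == 'dom4j' || olderThanFix(id.version)) {
          offenders << "${cfg.name}: ${id.group}:${id.name}:${id.version}"
        }
      }
    }
    if (!offenders.isEmpty()) {
      throw new GradleException("Vulnerable/EOL dom4j still resolved:\n  " + offenders.join('\n  '))
    }
  }
}
```

Wire `checkDom4j` into `check` (or run it in CI) so a future dependency bump that drags the legacy coordinate back in fails loudly instead of passing a scanner that, as the description notes, did not flag 1.6.1.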
@chadlwilson chadlwilson added the dependencies, security, and java labels Dec 16, 2021
@chadlwilson chadlwilson added this to the Release 21.4.0 milestone Dec 16, 2021
@chadlwilson chadlwilson marked this pull request as ready for review December 17, 2021 00:57
@chadlwilson chadlwilson merged commit 30e22f4 into gocd:master Dec 17, 2021
@chadlwilson chadlwilson deleted the upgrade-dom4j branch December 17, 2021 00:57