mirror of https://github.com/apache/archiva.git
Dependency changes and vulnerability check
parent
7c4835ba14
commit
f40d750c00
|
@ -73,4 +73,23 @@
|
|||
<cpe>cpe:/a:jquery_file_upload_project:jquery_file_upload</cpe>
|
||||
</suppress>
|
||||
|
||||
<suppress>
|
||||
<notes><![CDATA[
|
||||
file name: jdom2-2.0.6.jar
|
||||
This is a dependency of rometools/rome (RSS library), they addressed the issue (see https://github.com/rometools/rome/issues/469)
|
||||
]]></notes>
|
||||
<packageUrl regex="true">^pkg:maven/org\.jdom/jdom2@.*$</packageUrl>
|
||||
<cpe>cpe:/a:jdom:jdom</cpe>
|
||||
<vulnerabilityName>CVE-2021-33813</vulnerabilityName>
|
||||
</suppress>
|
||||
|
||||
<suppress>
|
||||
<notes><![CDATA[
|
||||
file name: native-protocol-1.5.0.jar
|
||||
This is a vulnerability of cassandra server. We will ignore it for the client driver.
|
||||
]]></notes>
|
||||
<packageUrl regex="true">^pkg:maven/com\.datastax\.oss/native\-protocol@.*$</packageUrl>
|
||||
<cpe>cpe:/a:apache:cassandra</cpe>
|
||||
<vulnerabilityName>CVE-2020-13946</vulnerabilityName>
|
||||
</suppress>
|
||||
</suppressions>
|
||||
|
|
|
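Review bot: The jdom2 suppression is broader than its justification: `^pkg:maven/org\.jdom/jdom2@.*$` hides CVE-2021-33813 for every jdom2 version and every consumer on the classpath, while the notes only argue that rome configures its own parser safely. If any other module or dependency parses untrusted XML through JDOM, the finding stays hidden for that path as well. I would state in the notes that no other JDOM use exists (if that was checked) and give the entry an expiry, e.g. `<suppress until="YYYY-MM-DDZ">` with a real review date in place of the placeholder. The native-protocol suppression reads as a CPE false positive, so the version wildcard is less of a concern there.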
@ -31,7 +31,7 @@
|
|||
|
||||
<properties>
|
||||
<site.staging.base>${project.parent.parent.basedir}</site.staging.base>
|
||||
<cassandraVersion>4.0.0</cassandraVersion>
|
||||
<cassandraVersion>3.11.10</cassandraVersion>
|
||||
<datastax.driver.version>4.13.0</datastax.driver.version>
|
||||
</properties>
|
||||
|
||||
|
@ -103,85 +103,6 @@
|
|||
<artifactId>modelmapper</artifactId>
|
||||
</dependency>
|
||||
|
||||
<!--
|
||||
<dependency>
|
||||
<groupId>org.yaml</groupId>
|
||||
<artifactId>snakeyaml</artifactId>
|
||||
<version>1.27</version>
|
||||
</dependency>
|
||||
-->
|
||||
<dependency>
|
||||
<groupId>org.apache.cassandra</groupId>
|
||||
<artifactId>cassandra-all</artifactId>
|
||||
<version>${cassandraVersion}</version>
|
||||
<scope>test</scope>
|
||||
<exclusions>
|
||||
<exclusion>
|
||||
<groupId>log4j</groupId>
|
||||
<artifactId>log4j</artifactId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<groupId>org.slf4j</groupId>
|
||||
<artifactId>slf4j-log4j12</artifactId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<groupId>org.slf4j</groupId>
|
||||
<artifactId>jcl-over-slf4j</artifactId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<groupId>ch.qos.logback</groupId>
|
||||
<artifactId>logback-core</artifactId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<groupId>org.mortbay.jetty</groupId>
|
||||
<artifactId>jetty</artifactId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<groupId>javax.servlet</groupId>
|
||||
<artifactId>servlet-api</artifactId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<groupId>org.slf4j</groupId>
|
||||
<artifactId>log4j-over-slf4j</artifactId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<groupId>ch.qos.logback</groupId>
|
||||
<artifactId>logback-classic</artifactId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<groupId>org.jboss.logging</groupId>
|
||||
<artifactId>jboss-logging</artifactId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<groupId>javax.inject</groupId>
|
||||
<artifactId>javax.inject</artifactId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<groupId>javax.validation</groupId>
|
||||
<artifactId>validation-api</artifactId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<groupId>com.fasterxml.jackson.core</groupId>
|
||||
<artifactId>jackson-core</artifactId>
|
||||
</exclusion>
|
||||
<!-- Brings hibernate-validator dependency with ancient version, which is vulnerable. Not necessary for archiva. -->
|
||||
<exclusion>
|
||||
<groupId>com.addthis.metrics</groupId>
|
||||
<artifactId>reporter-config3</artifactId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<groupId>net.openhft</groupId>
|
||||
<artifactId>chronicle-wire</artifactId>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>net.openhft</groupId>
|
||||
<artifactId>chronicle-wire</artifactId>
|
||||
<version>2.21.89</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
|
||||
<dependency>
|
||||
<groupId>com.datastax.oss</groupId>
|
||||
<artifactId>java-driver-core</artifactId>
|
||||
|
@ -198,93 +119,6 @@
|
|||
<version>${datastax.driver.version}</version>
|
||||
</dependency>
|
||||
|
||||
<!--
|
||||
<dependency>
|
||||
<groupId>org.hectorclient</groupId>
|
||||
<artifactId>hector-core</artifactId>
|
||||
<version>1.1-4</version>
|
||||
<exclusions>
|
||||
<exclusion>
|
||||
<groupId>javax.servlet</groupId>
|
||||
<artifactId>servlet-api</artifactId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<groupId>com.ecyrd.speed4j</groupId>
|
||||
<artifactId>speed4j</artifactId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<groupId>com.yammer.metrics</groupId>
|
||||
<artifactId>metrics-core</artifactId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<groupId>org.slf4j</groupId>
|
||||
<artifactId>log4j-over-slf4j</artifactId>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
-->
|
||||
<!--
|
||||
<dependency>
|
||||
<groupId>org.apache.cassandra</groupId>
|
||||
<artifactId>cassandra-thrift</artifactId>
|
||||
<version>${cassandraVersion}</version>
|
||||
<exclusions>
|
||||
<exclusion>
|
||||
<groupId>javax.servlet</groupId>
|
||||
<artifactId>servlet-api</artifactId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<groupId>org.apache.ant</groupId>
|
||||
<artifactId>ant</artifactId>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
-->
|
||||
<!-- Transient dependencies of cassandra that are selected to use a higher version -->
|
||||
<!--
|
||||
<dependency>
|
||||
<groupId>org.apache.thrift</groupId>
|
||||
<artifactId>libthrift</artifactId>
|
||||
<version>0.13.0</version>
|
||||
<exclusions>
|
||||
<exclusion>
|
||||
<groupId>javax.annotation</groupId>
|
||||
<artifactId>javax.annotation-api</artifactId>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.mindrot</groupId>
|
||||
<artifactId>jbcrypt</artifactId>
|
||||
<version>0.4</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.tika</groupId>
|
||||
<artifactId>tika-core</artifactId>
|
||||
<version>1.26</version>
|
||||
</dependency>
|
||||
-->
|
||||
<!-- Transitive dependency. Declared here to increase the version. -->
|
||||
<!--
|
||||
<dependency>
|
||||
<groupId>io.netty</groupId>
|
||||
<artifactId>netty-all</artifactId>
|
||||
<version>${netty.version}</version>
|
||||
</dependency>
|
||||
-->
|
||||
<!--
|
||||
<dependency>
|
||||
<groupId>com.fasterxml.jackson.core</groupId>
|
||||
<artifactId>jackson-core</artifactId>
|
||||
</dependency>
|
||||
-->
|
||||
<!-- Is a dependency of cassandra -> hibernate-validator and replaced by new version -->
|
||||
<!--
|
||||
<dependency>
|
||||
<groupId>org.jboss.logging</groupId>
|
||||
<artifactId>jboss-logging</artifactId>
|
||||
</dependency>
|
||||
-->
|
||||
|
||||
<!-- TEST Scope -->
|
||||
<dependency>
|
||||
|
@ -352,6 +186,7 @@
|
|||
<filtering>true</filtering>
|
||||
</testResource>
|
||||
</testResources>
|
||||
|
||||
<plugins>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
|
@ -432,7 +267,7 @@ num_tokens: 1
|
|||
<dependency>
|
||||
<groupId>org.apache.cassandra</groupId>
|
||||
<artifactId>cassandra-all</artifactId>
|
||||
<version>3.11.10</version>
|
||||
<version>${cassandraVersion}</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
</plugin>
|
||||
|
@ -479,7 +314,6 @@ num_tokens: 1
|
|||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-surefire-plugin</artifactId>
|
||||
<executions>
|
||||
|
||||
</executions>
|
||||
<configuration>
|
||||
<skip>true</skip>
|
||||
|
@ -492,6 +326,7 @@ num_tokens: 1
|
|||
<configuration>
|
||||
<excludes>
|
||||
<exclude>src/cassandra/**</exclude>
|
||||
<exclude>src/test/resources/cassandra-test.yaml</exclude>
|
||||
</excludes>
|
||||
</configuration>
|
||||
</plugin>
|
||||
|
|
|
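Review bot: `cassandraVersion` is now the only place the Cassandra server version is set, yet nothing in the pom says what the property is for. The plugin's `cassandra-all` dependency near the end of this file resolves through `${cassandraVersion}`, and the test-scoped `cassandra-all` dependency block is gone. The rendered property hunk lists both 4.0.0 and 3.11.10 without a surviving +/- marker; if 3.11.10 is the new value, integration tests run the 4.13.0 driver against a 3.11 server, which deserves a stated reason. I would add a comment above the property, for example `<!-- Server version run by the Cassandra plugin for integration tests; build-time only, the client is datastax.driver.version -->`. As far as I know a plugin-level dependency is not covered by the project-dependency vulnerability scan, so the same comment is a good place to say who keeps this version patched; the enclosing `<plugin>` element starts above the hunk.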
@ -131,6 +131,7 @@ public class OakRepositoryFactory
|
|||
int cacheSizeInMB = 20;
|
||||
int cacheExpiryInSecs = 300;
|
||||
int threadPoolSize = 5;
|
||||
long queueTimeOutMs = 60000;
|
||||
|
||||
private StatisticsProvider statisticsProvider;
|
||||
|
||||
|
@ -281,7 +282,7 @@ public class OakRepositoryFactory
|
|||
log.info("Hybrid indexing feature disabled");
|
||||
return;
|
||||
}
|
||||
documentQueue = new DocumentQueue( queueSize, tracker, getExecutorService(), statisticsProvider);
|
||||
documentQueue = new DocumentQueue( queueSize, queueTimeOutMs, tracker, getExecutorService(), statisticsProvider);
|
||||
LocalIndexObserver localIndexObserver = new LocalIndexObserver(documentQueue, statisticsProvider);
|
||||
|
||||
int observerQueueSize = 1000;
|
||||
|
|
|
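Review bot: The new field `queueTimeOutMs` is a bare `60000` with no comment, and nothing in the visible hunks lets a deployment change it, so the value handed to `DocumentQueue` is fixed at compile time. Its meaning depends on the Oak `DocumentQueue` constructor, which is not shown here; presumably it bounds how long an add waits when the queue is full, which decides whether indexing work stalls or is dropped under load. I would document the unit and the behaviour on timeout, e.g. `// Max wait in ms when handing a document to the hybrid index queue (confirm semantics against Oak's DocumentQueue)`, and write the literal as `60_000L`. The class body and the method containing the constructor call both extend beyond these hunks.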
@ -81,6 +81,10 @@
|
|||
<groupId>org.apache.lucene</groupId>
|
||||
<artifactId>lucene-suggest</artifactId>
|
||||
</exclusion>
|
||||
<exclusion>
|
||||
<groupId>org.apache.tika</groupId>
|
||||
<artifactId>tika-core</artifactId>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
<!-- We reapply the original transitive dependencies -->
|
||||
|
@ -113,6 +117,11 @@
|
|||
<groupId>org.apache.jackrabbit</groupId>
|
||||
<artifactId>oak-search</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.tika</groupId>
|
||||
<artifactId>tika-core</artifactId>
|
||||
<version>1.27</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
|
||||
|
|
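Review bot: The re-added `tika-core` dependency pins `<version>1.27</version>` inline, while the new exclusion above it removes whatever version Oak would have brought in, so this module now decides the Tika version used for content parsing. The root pom keeps such versions as properties and already carries a comment asking maintainers to revisit this module when `jcr-oak.version` changes; a literal here is easy to miss at the next Oak upgrade or Tika advisory. I would move it to a property, `<version>${tika.version}</version>` with `<tika.version>1.27</tika.version>` in the root pom, and add `<!-- Overrides the tika-core version pulled in transitively by Oak -->` above the dependency. The dependency that receives the exclusion starts above the first hunk, so which Oak artifact carried tika-core is not visible here.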
6
pom.xml
6
pom.xml
|
@ -64,8 +64,8 @@
|
|||
|
||||
|
||||
<!-- dependencies of maven modules -->
|
||||
<jsoup.version>1.12.1</jsoup.version>
|
||||
<rome.version>1.13.1</rome.version>
|
||||
<jsoup.version>1.14.2</jsoup.version>
|
||||
<rome.version>1.16.0</rome.version>
|
||||
<cronutils.version>9.1.3</cronutils.version>
|
||||
|
||||
<lucene.version>4.10.4</lucene.version>
|
||||
|
@ -74,7 +74,7 @@
|
|||
<javax.jcr.version>2.0</javax.jcr.version>
|
||||
<!-- If you change the JCR OAK version, you may have to update the pom.xml in the module oak-jcr-lucene
|
||||
to adapt to dependency changes -->
|
||||
<jcr-oak.version>1.30.0</jcr-oak.version>
|
||||
<jcr-oak.version>1.40.0</jcr-oak.version>
|
||||
<netty.version>4.1.50.Final</netty.version>
|
||||
|
||||
|
||||
|
|