Apache OpenJPA
Jonathan Leitschuh 920c19da45
vuln-fix: Temporary File Information Disclosure
This fixes temporary file information disclosure vulnerability due to the use
of the vulnerable `File.createTempFile()` method. The vulnerability is fixed by
using the `Files.createTempFile()` method which sets the correct posix permissions.

Weakness: CWE-377: Insecure Temporary File
Severity: Medium
CVSS: 5.5
Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.SecureTempFileCreation)

Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/18


Co-authored-by: Moderne <team@moderne.io>
2022-11-18 22:42:52 +00:00
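As an added illustration (not code from the OpenJPA commit itself), the two temporary-file APIs the message contrasts, side by side, with a check of the POSIX permissions each one actually produces. It assumes a POSIX file system, since `Files.getPosixFilePermissions` is unsupported on others; the prefix `openjpa` and the helper names are chosen here, not taken from the project.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

public class TempFilePermissions {

    // Before the fix: java.io.File.createTempFile only honours the process
    // umask, so on a typical Linux host (umask 022) the file is created 0644
    // and other local accounts can read whatever the application writes to it.
    static Path insecureTempFile() throws IOException {
        File f = File.createTempFile("openjpa", ".tmp");
        f.deleteOnExit();
        return f.toPath();
    }

    // After the fix: java.nio.file.Files.createTempFile creates the file with
    // owner-only permissions (rw-------) on POSIX file systems regardless of umask.
    static Path secureTempFile() throws IOException {
        Path p = Files.createTempFile("openjpa", ".tmp");
        p.toFile().deleteOnExit();
        return p;
    }

    // Detection check: true if any group or "others" permission bit is set,
    // i.e. the file contents are exposed beyond the owning account.
    static boolean exposedToOtherUsers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.stream().anyMatch(perm ->
                perm != PosixFilePermission.OWNER_READ
             && perm != PosixFilePermission.OWNER_WRITE
             && perm != PosixFilePermission.OWNER_EXECUTE);
    }

    public static void main(String[] args) throws IOException {
        Path before = insecureTempFile();
        Path after = secureTempFile();
        System.out.println("File.createTempFile  -> " + Files.getPosixFilePermissions(before)
                + (exposedToOtherUsers(before) ? "  (exposed)" : "  (ok)"));
        System.out.println("Files.createTempFile -> " + Files.getPosixFilePermissions(after)
                + (exposedToOtherUsers(after) ? "  (exposed)" : "  (ok)"));
    }
}
```

The same `exposedToOtherUsers` check can be run against any temp file a service creates to confirm a migration of this kind took effect on the deployed JVM and file system.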
.github/workflows use 'install' goal 2020-07-17 23:02:34 +02:00
openjpa [maven-release-plugin] prepare for next development iteration 2022-03-16 09:25:57 +01:00
openjpa-all [maven-release-plugin] prepare for next development iteration 2022-03-16 09:25:57 +01:00
openjpa-examples [maven-release-plugin] prepare for next development iteration 2022-03-16 09:25:57 +01:00
openjpa-features [maven-release-plugin] prepare for next development iteration 2022-03-16 09:25:57 +01:00
openjpa-integration [maven-release-plugin] prepare for next development iteration 2022-03-16 09:25:57 +01:00
openjpa-jdbc [maven-release-plugin] prepare for next development iteration 2022-03-16 09:25:57 +01:00
openjpa-jest [maven-release-plugin] prepare for next development iteration 2022-03-16 09:25:57 +01:00
openjpa-junit5 [maven-release-plugin] prepare for next development iteration 2022-03-16 09:25:57 +01:00
openjpa-kernel vuln-fix: Temporary File Information Disclosure 2022-11-18 22:42:52 +00:00
openjpa-kubernetes Bump kubernetes-client from 5.9.0 to 6.2.0 (#105) 2022-11-03 11:46:07 +01:00
openjpa-lib [maven-release-plugin] prepare for next development iteration 2022-03-16 09:25:57 +01:00
openjpa-persistence [maven-release-plugin] prepare for next development iteration 2022-03-16 09:25:57 +01:00
openjpa-persistence-jdbc vuln-fix: Temporary File Information Disclosure 2022-11-18 22:42:52 +00:00
openjpa-persistence-locking [maven-release-plugin] prepare for next development iteration 2022-03-16 09:25:57 +01:00
openjpa-project [maven-release-plugin] prepare for next development iteration 2022-03-16 09:25:57 +01:00
openjpa-slice [maven-release-plugin] prepare for next development iteration 2022-03-16 09:25:57 +01:00
openjpa-tools [maven-release-plugin] prepare for next development iteration 2022-03-16 09:25:57 +01:00
openjpa-xmlstore [maven-release-plugin] prepare for next development iteration 2022-03-16 09:25:57 +01:00
scripts OPENJPA-2747 upgrade to jpa-2.2 api 2019-03-27 12:29:57 +01:00
src fix OpenJPA and PostgreSQL docker setup 2021-04-01 16:50:49 +02:00
.gitignore [OPENJPA-2883] 'supportsAutoAssign' is turned OFF when 'useTriggersForAutoAssign' is ON (#84) 2021-10-23 00:19:22 +07:00
LICENSE [OPENJPA-2881] orm* schemas are available offline (#89) 2021-12-15 19:23:10 +07:00
NOTICE update various copyrights 2020-12-01 11:45:43 +01:00
README.adoc add documentation about how to run with Podman 2021-06-16 15:26:47 +02:00
patchoj.py [OPENJPA-2751] trailing white-spaces were removed 2018-10-02 12:32:32 +00:00
pom.xml Bump kubernetes-client from 5.9.0 to 6.2.0 (#105) 2022-11-03 11:46:07 +01:00

README.adoc

= Apache OpenJPA - README

== Preface
Thank you for downloading this release of Apache OpenJPA.

Apache OpenJPA is an implementation of the Java Persistence API specification.


== License
The content of this repository is licensed under Apache License 2.0
http://www.apache.org/licenses/LICENSE-2.0

== Further Information

The following files can be found in the openjpa-project subdirectory:

* openjpa-project/BUILDING.txt
* openjpa-project/CHANGES.txt
* openjpa-project/RELEASE-NOTES.html

For documentation and project information, please visit our project site:
    http://openjpa.apache.org/


== Compiling

The best way to compile Apache OpenJPA yourself is to run the build against the default Derby database.

 $> mvn clean install -Dsurefire.excludes.locking=**/*

== Testing against different Databases

The Apache OpenJPA project also contains a setup for testing against multiple databases.
The easiest way is to use Docker.
We assume that Docker is installed and usable by your current user.
The respective database image has to be started manually before starting the build.
The reason for not starting it as part of the build itself is to be able to inspect the database content after the build has run.

[TIP]
====
*Hint for running with Podman*

Some distributions switched from native Docker to Podman.
If you get an error like `missing DOCKER_HOST` then you might try running the following command:

  export DOCKER_HOST="unix:/run/user/$(id -u)/podman/podman.sock"
  podman system service -t 3600 &
  mvn ...
====

To start a database Docker image, e.g. MySQL, invoke the following command.
Note the -N Maven option, which stands for 'non-recursive'.
This is needed because the Docker container is configured only in the root project, not in its child modules.

 mvn -N -Ptest-mysql-docker docker:start

After that, you can execute your tests with the respective Maven profile:

 mvn clean install -Ptest-mysql-docker

Once the database container is no longer needed, you can stop and remove it:

 mvn -N -Ptest-mysql-docker docker:stop
 mvn -N -Ptest-mysql-docker docker:remove


The following Maven profiles exist so far:

* test-mysql-docker
* test-mariadb-docker
* test-postgresql-docker
* test-mssql-docker
* test-oracle-docker