[MODDICORE-228] mod-pubsub-client 2.4.0 fixing build failure (maven.indexdata.com, CVE-2021-26291) - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Story
Status: Closed (View Workflow)
Priority: P3
Resolution: Done
Affects Version/s: None
Fix Version/s: 3.3.0
Labels:

Template:
Sprint:
Folijet Sprint 129
Story Points:
0
Development Team:
Folijet
Release:
Lotus R1 2022
Epic Link:
Batch Importer (Bib/Acq)

Description

Overview:

Maven rejects to fetch org.z3950.zing:cql-java artifact from http://maven.indexdata.com/ .

Reason: Missing SSL/TLS (https) allows a machine-in-the-middle (MITM) attack during build time.

This critical security vulnerability in Maven is tracked as https://nvd.nist.gov/vuln/detail/CVE-2021-26291

Steps to Reproduce:

Use a Maven >= 3.8.1
mvn compile

Expected Results:

Compiles

Actual Results:

Maven fails with this error message:

Error:  Failed to execute goal on project data-import-processing-core:
Could not resolve dependencies for project org.folio:data-import-processing-core:jar:3.3.0-SNAPSHOT:
Failed to collect dependencies at org.folio:mod-pubsub-client:jar:2.0.0
-> org.folio:domain-models-runtime:jar:32.1.0
-> org.folio:cql2pgjson:jar:32.1.0
-> org.folio:dbschema:jar:32.1.0
-> org.folio.okapi:okapi-common:jar:4.5.0
-> org.z3950.zing:cql-java:jar:1.13:
Failed to read artifact descriptor for org.z3950.zing:cql-java:jar:1.13:
Could not transfer artifact org.z3950.zing:cql-java:pom:1.13 from/to maven-default-http-blocker (http://0.0.0.0/):
Blocked mirror for repositories: [indexdata (http://maven.indexdata.com/, default, releases+snapshots)] -> [Help 1]

Fix

Updating mod-pubsub-client from 2.0.0 to 2.4.0.

Explanations

Since version 3.8.1 maven require all artifacts URLs to be secured by https. Unsecure URLs with http are blocked as shown above: https://maven.apache.org/docs/3.8.1/release-notes.html

RMB >= 32.2.2 has been fixed to use https://maven.indexdata.com/ instead of http://maven.indexdata.com/ (~~RMB-823~~)

mod-pubsub 2.4.0 has updated its RMB dependency from 32.1.0 to 33.0.2 (~~MODPUBSUB-193~~).

Therefore data-import-processing-core should update its mod-pubsub dependency from 2.0.0 to >= 2.4.0.

TestRail: Results

Attachments

Issue Links

blocks

MODDICORE-227 GitHub Actions verifying -SNAPSHOT dependants

Closed

defines

UXPROD-3262 NFR: Data Import R1 2022 Lotus Technical, NFR, & Misc work

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Julian Ladisch

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 07/Dec/21 9:53 AM

Updated:: 22/Dec/21 4:27 PM

Resolved:: 09/Dec/21 5:25 PM

mod-pubsub-client 2.4.0 fixing build failure (maven.indexdata.com, CVE-2021-26291)