mod-inventory / MODINV-430

Update dependencies to replace http by https in http://maven.indexdata.com/


Details

• Template: Standard Bug Write-Up Format
• Development Team: Folijet
• Release: R3 2021

      Description

Starting with Maven 3.8.1, http-based Maven repositories are blocked by default.

This is a problem for projects using http://maven.indexdata.com. They should use https://maven.indexdata.com instead (accessible since 2021-04-07).

      https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291

      This maven MitM attack has been well known since 2019:
      https://github.com/github/securitylab/issues/21 "Java (Maven): Use of insecure protocol to download/upload artifacts"

      The mod-inventory build in the rancher pipeline fails for this reason.

This is caused by the org.z3950.zing:cql-java dependency, which declares an http repository in its POM:

      git checkout folijet-rancher
      mvn dependency:tree -Dincludes=org.z3950.zing -Dverbose
      [INFO] org.folio:mod-inventory:jar:16.4.0-SNAPSHOT
      [INFO] \- org.folio:mod-source-record-storage-client:jar:5.0.0:compile
      [INFO]    \- org.folio:domain-models-runtime:jar:32.1.0:compile
      [INFO]       \- org.folio:cql2pgjson:jar:32.1.0:compile
      [INFO]          +- org.folio:dbschema:jar:32.1.0:compile
      [INFO]          |  \- org.folio.okapi:okapi-common:jar:4.5.0:compile
      [INFO]          |     \- (org.z3950.zing:cql-java:jar:1.13:compile - omitted for duplicate)
      [INFO]          \- org.z3950.zing:cql-java:jar:1.13:compile

domain-models-runtime should publish a v32 release with the maven.indexdata.com repository declaration fixed.
mod-source-record-storage-client should publish a release that depends on that fixed domain-models-runtime v32 version.
mod-inventory should then update to that fixed mod-source-record-storage-client version.
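As an added example (not code from this issue or from the FOLIO projects), the following Python check scans POM files, for instance the local ~/.m2/repository cache, for repository declarations that still use external plain http, the same condition that Maven 3.8.1's default maven-default-http-blocker mirror rejects, so the transitive dependency carrying the http repository can be located. The sample POM is constructed and is not the real cql-java POM.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlsplit

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}  # Maven's external:http:* pattern skips localhost

def find_http_repositories(pom_xml):
    """Return (kind, id, url) for each <repository>/<pluginRepository> with an external plain-http <url>."""
    root = ET.fromstring(pom_xml)
    ns = POM_NS if root.tag.startswith("{") else ""  # tolerate namespace-less POMs
    findings = []
    for kind in ("repository", "pluginRepository"):
        for repo in root.iter(ns + kind):  # iter() also catches repos declared inside <profiles>
            url_el, id_el = repo.find(ns + "url"), repo.find(ns + "id")
            if url_el is None or not url_el.text:
                continue
            url = url_el.text.strip()
            parts = urlsplit(url)
            if parts.scheme.lower() == "http" and parts.hostname not in LOCAL_HOSTS:
                repo_id = id_el.text.strip() if id_el is not None and id_el.text else "(no id)"
                findings.append((kind, repo_id, url))
    return findings

def scan_pom_tree(root_dir):
    """Walk a directory such as ~/.m2/repository and map each offending .pom path to its findings."""
    results = {}
    for pom in Path(root_dir).rglob("*.pom"):
        try:
            found = find_http_repositories(pom.read_text(encoding="utf-8"))
        except (ET.ParseError, UnicodeDecodeError):
            continue  # skip partial downloads or non-XML files
        if found:
            results[str(pom)] = found
    return results

# Constructed sample modelled on the symptom in this issue; not the real cql-java POM.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>indexdata</id><url>http://maven.indexdata.com/</url></repository>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
    <repository><id>local-dev</id><url>http://localhost:8081/repo</url></repository>
  </repositories>
</project>"""

if __name__ == "__main__":  # scan the local repository cache
    for path, found in scan_pom_tree(Path.home() / ".m2" / "repository").items():
        print(path, found)
```

Only the external http entry is reported; the https repository and the localhost one are left alone, mirroring what Maven's blocker does.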

People

Assignee: afedasiuk (Aliaksandr Fedasiuk)
Reporter: julianladisch (Julian Ladisch)