mod-inventory / MODINV-441

Remove commons-io dependency


    Details

    • Sprint:
      Folijet Sprint 122
    • Story Points:
      0
    • Development Team:
      Folijet
    • Release:
      R3 2021

      Description

      mod-inventory uses only these two methods from commons-io ( https://github.com/folio-org/mod-inventory/search?q=commons.io ):

      • FileUtils.readFileToByteArray
      • IOUtils.toInputStream

      Neither is needed; the JDK ships equivalents for both.

      Tasks:

      In TestUtil.readFileFromPath replace FileUtils.readFileToByteArray with Files.readString, which Java 11 provides:

      new String(FileUtils.readFileToByteArray(new File(path)));

      by

      Files.readString(Path.of(path));

      In ModsParser.java replace

      Document doc = builder.parse(IOUtils.toInputStream(xml, "UTF-8"));

      by

      Document doc = builder.parse(new InputSource(new StringReader(xml)));

      (org.xml.sax.InputSource and java.io.StringReader replace the org.apache.commons.io.IOUtils import.)

      Remove (explicit) commons-io dependency from pom.xml.
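      Both replacements in one runnable form, as an added example and not mod-inventory's own code: the class name, the helper names and the sample XML are illustrative. The DocumentBuilderFactory setup (secure processing, DOCTYPE disallowed, XInclude and entity expansion off) is a standard hardening choice assumed here for the example; the page does not show how ModsParser configures its factory.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Illustrative class; not part of mod-inventory.
public class CommonsIoFreeExample {

  // Replacement for TestUtil.readFileFromPath using only the JDK.
  // Unlike new String(byte[]), which decodes with the platform default
  // charset, Files.readString decodes as UTF-8 and throws
  // MalformedInputException (an IOException) on invalid bytes.
  static String readFileFromPath(String path) throws IOException {
    return Files.readString(Path.of(path), StandardCharsets.UTF_8);
  }

  // Replacement for the IOUtils.toInputStream call in ModsParser.
  // The String is already decoded, so it goes to the parser through a
  // Reader instead of being re-encoded into an InputStream.
  static Document parseXml(String xml)
      throws IOException, SAXException, ParserConfigurationException {
    DocumentBuilder builder = newDocumentBuilder();
    return builder.parse(new InputSource(new StringReader(xml)));
  }

  // Factory configuration assumed for this example (standard hardening
  // against DTD and external entity processing); ModsParser's own
  // configuration is not shown on the page.
  private static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    factory.setXIncludeAware(false);
    factory.setExpandEntityReferences(false);
    return factory.newDocumentBuilder();
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample input written to a temp file; not a real MODS record.
    Path tmp = Files.createTempFile("mods-sample", ".xml");
    try {
      Files.writeString(tmp,
          "<mods><titleInfo><title>Example</title></titleInfo></mods>",
          StandardCharsets.UTF_8);
      String xml = readFileFromPath(tmp.toString());
      Document doc = parseXml(xml);
      System.out.println(doc.getDocumentElement().getTagName());
    } finally {
      Files.deleteIfExists(tmp);
    }
  }
}
```

      Compile and run with a JDK 11 or later and no commons-io on the classpath; the class imports nothing outside java.*, javax.xml.*, org.w3c.dom and org.xml.sax, all of which ship with the JDK.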

      Reasons

      Removing the commons-io dependency reduces the attack surface of the module and makes the work of the FOLIO security group easier; see MODINV-440 for a detailed security analysis of mod-inventory that could have been avoided.

      Removing the commons-io dependency also avoids having to downgrade it to the old version 2.4.

      The standard method Files.readString that Java 11 ships with should be used where possible. The custom TestUtil.readFileFromPath provides the same functionality without any advantage and without any javadoc, and should be replaced so that developers do not need to investigate whether TestUtil.readFileFromPath or Files.readString(Path.of(path)) is the one to use. One difference to be aware of: new String(byte[]) decodes with the platform default charset, whereas Files.readString decodes as UTF-8 and fails with an IOException on malformed input, which is the stricter and more predictable behaviour.

      DocumentBuilder's parse method accepts both an InputStream and a Reader (via InputSource). For parsing a String, StringReader is the appropriate way and avoids re-encoding the text into an InputStream.

                People

                Assignee:
                Aivar Iusupov
                Reporter:
                Julian Ladisch (julianladisch)