Zip Slip [1] is an arbitrary file write generic vulnerability, that can
be achieved using a specially crafted zip (or bzip2, gzip, tar, xz, war)
archive, that holds path traversal filenames.
According to Maven's announcement [2] several plugins use plexus-archiver to
unpack dependencies to disk and have been identified as potential triggers
for exposing the vulnerability.
Of those, JGit uses the maven-dependency-plugin and the maven-javadoc-plugin.
Update them to the fixed versions reported in [2].
See the corresponding issues for the maven-dependency-plugin [3] and the
maven-javadoc-plugin [4] for details.
[1] https://snyk.io/research/zip-slip-vulnerability
[2] https://maven.apache.org/security-plexus-archiver.html
[3] https://issues.apache.org/jira/browse/MDEP-611
[4] https://issues.apache.org/jira/browse/MJAVADOC-520
Change-Id: Id3ab2d6161db240f2ab8f82298fa3ecd7a930a43
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
Found instructions for configuring maven-compiler-plugin with ecj in
[1]. Verified that ecj run in this way raises build errors when executed
on commit d3ef5213.
Define profiles "ecj" for using Eclipse compiler and "javac" for using
javac including errorprone. By default ecj will be used.
use ecj:
$ mvn -Pecj clean install
use javac:
$ mvn -Pjavac clean install
TODO: find out how to run ecj with errorprone from Maven.
[1] https://stackoverflow.com/questions/33164976/using-eclipse-java-compiler-ecj-in-maven-builds
Change-Id: I716b603b57612b953e603387c82fd01eb1b5ca97
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
and plexus-compiler-javac-errorprone to 2.8.4.
Change-Id: I36487ce53e70b54d7a04292e666540224c107b43
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
The upgrade was already done 3 weeks ago, this version number was
missing, however.
Change-Id: Ibc794ba8035c46ea2160925b344ded5714b7c987
Signed-off-by: Michael Keppler <Michael.Keppler@gmx.de>
Also update xz to 1.6 as this is the version commons-compress 1.15
wants. Since xz 1.6 is an optional dependency for commons-compress we
need to add a non-optional dependency to xz for
org.eclipse.jgit.pgm.test since one of the tests explicitly requires xz.
Related change adding commons-compress to Orbit:
https://git.eclipse.org/r/#/c/115366/
CQ: 15356
CQ: 15360
Change-Id: I0d61c71bc541cc30464a0fff93775b079dd3ba88
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
com.jcraft.jsch requires com.jcraft.jzlib to provide optional zlib
packet compression support. Add this library so that jgit can handle
packet compression.
CQ: 15292
Bug: 529129
Change-Id: I0297bd0488753547a5f5d47dbf0db508a79dd265
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
This prepares builds on Java 9 [1].
The maven 2 tag "prerequisites" is not honored by maven 3
hence use maven-enforcer-plugin to enforce the minimum
maven version.
[1] https://issues.apache.org/jira/browse/MNG-6148
Change-Id: I57f5051a0641b1bd21f9f888f1a17d8f98e879e5
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
This profile isn't needed any longer since we require Java 8 as minimum
version.
Change-Id: I8a37eaf874473ff4004b9c074a810dddebde54c8
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
This version seems to be much stricter and reports a lot more errors
in the javadoc formatting.
Disable failOnError to prevent the build from failing due to these
newly reported problems. These should be fixed in a follow-up commit.
Change-Id: Ia403cbedf72cfe8bdaf09f30e42e3bf96084ae52
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
- error_prone_core to 2.1.1
- maven-compiler-plugin to 3.6.2
- plexus-compiler-javac{-error-prone} to 2.8.2
Change-Id: I20d864c869f2d03f623ea054b6d08e7ee0eb262a
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
SpotBugs [1] is the spiritual successor of FindBugs, carrying on from
the point where it left off with support of its community.
[1] http://spotbugs.readthedocs.io/
Change-Id: I127f2c54b04265b6565e780116617ffa8a4d7eaf
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
* Adapt to API removals in jetty 9.4+
* Manifests changed to restrict jetty to [9.4.5,10.0.0)
Bug: 514336
Bug: 516514
Change-Id: Ifcfd968084dfa6db0ae07cf541d33a6cdedc1ee2
Signed-off-by: Mat Booth <mat.booth@redhat.com>
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Maven version 3.3.1 is the minimum required version as reported
by running:
mvn versions:display-plugin-updates
Change-Id: I9514013dcffa6cb945496515c3eb4894c9043d7b
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
- japicmp-maven-plugin to 0.8.1
- maven-surefire-plugin to 2.20
- maven-surefire-report-plugin to 2.20
- tycho-extras to 1.0.0
Change-Id: Iecc9a5aeb7811a8ecc8198c8836a4a739be3cc08
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
We detect API changes during the Maven build using japicmp. Update the
reference version to the latest minor version 4.7.0.201704051617-r.
Change-Id: Iab354fbf745cdfe44f71ce0bb64bb838b8bcd57d
Silence the many duplicate code warnings for this generated class.
Change-Id: I3ecb0f986c809dad962b821c5de7cf18865642d3
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
* stable-4.6:
Update Jetty to 9.3.17.v20170317
Revert "Update Jetty to 9.4.1.v20170120 in buck build"
Revert "Update Jetty to 9.4.1.v20170120"
Change-Id: I9193b568cce9c72da899a8f3eaaf833956438e13
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Update to the latest 9.3 version until we have a solution for bug 514336
we face with 9.4.x versions.
Change-Id: I6d8d476abe8677ce865a08099bb77330effc700a
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
We detect API changes during the Maven build using japicmp. Update the
reference version to the latest minor version 4.6.0.
Change-Id: I70f65f4a0680671612f21ee1afac7f7ef0152cbb
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
We updated the version we use for packaging the p2 repository in
efbecb97 but missed to update the version we compile against in the
Maven build.
Bug: 513354
Change-Id: I49afd89b43cfd8735568a86ef273723909d694a3
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
MappedLoginService is no longer available in Jetty 9.4 therefore base
TestLoginService on AbstractLoginService.
Apparently Jetty now uses slf4j hence adapt RecordingLogger accordingly
so we can log error messages containing slf4j style formatting anchors
"{}".
Change-Id: Ibb36aba8782882936849b6102001a88b699bb65c
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
(cherry picked from commit 5e8e2179b2)
MappedLoginService is no longer available in Jetty 9.4 therefore base
TestLoginService on AbstractLoginService.
Apparently Jetty now uses slf4j hence adapt RecordingLogger accordingly
so we can log error messages containing slf4j style formatting anchors
"{}".
Change-Id: Ibb36aba8782882936849b6102001a88b699bb65c
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
In one place version 3.0.4 is used, and in another place 3.0.3 is
used.
Define the version (3.0.4) in a property and use that in both places,
so it doesn't get inconsistent again next time the version is bumped.
Change-Id: If3a2489cec78c0c9ef76aa6b941fda51b098e04b
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
Recently we frequently suffer from OutOfMemoryError when creating source
archives in the Maven build. maven-source-plugin 3.0.0 has a bug [1]
causing OOM which is fixed in 3.0.1.
[1] https://issues.apache.org/jira/browse/MSOURCES-94
Change-Id: Ie900bd546c42523c5a04e22bd3d3f510d2a81ca2
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Use Oxygen M3 Orbit repository which provides the bundles built using
the new orbit-recipe based build.
CQ: 11658
Change-Id: I7f3dcc966732b32830c75d5daa55383bd028d182
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Remove the JDK_HOME settings that were introduced to build against the
Java 1.7 libraries. Now that the minimum requirement is Java 1.8, this
is wrong and prevents use of Java 1.8 features.
Change-Id: I91a194c9449d7810ef02b038907dbbc708e600a5
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
* stable-4.5:
Turn off doclint also during Maven site generation
Prepare 4.5.1-SNAPSHOT builds
JGit v4.5.0.201609210915-r
Unconditionally close repository in unregisterAndCloseRepository
Change-Id: Ibfd11669cd74d2e62b014c18fd39b646b200c8c5
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
* stable-4.4:
Log if Repository.useCnt becomes negative
Time based eviction strategy for repository cache
Add method to read time unit from config
Align include.path max depth with native git
Config load should not fail on unsupported or nonexistent include path
Allow using JDK 7 bootclasspath when compiling JGit using Java 8
Extract work queue to allow reusing it
Change-Id: I6aeedb1cb8b0c3068af344a719c80a03ae68fc23
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
When compiling jgit using Java 8 set system property JDK_HOME to
JAVA_HOME path of JDK7 installation to compile against JDK 7 class
libraries. Otherwise jgit may hit runtime exceptions when running on
Java 7 (e.g. return type of ConcurrentHashMap.keySet() in JDK 8 class
library doesn't exist in JDK 7).
Example:
$ mvn clean install -DJDK_HOME=/.../jdk1.7.0_80.jdk/Contents/Home
Bug: 496262
Change-Id: Ib6abe5e544e0492e08b342e1a34b182caf25f94f
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
also use the Neon target platform as the default target platform.
Neon Eclipse platform requires BREE 8 so we have to use Java 8 at least
for the JGit packaging build (for the compiler settings we still stick
to source and target 1.7 since we want to still support Java 7)
otherwise unpacking platform pack200 archives will fail since they are
built using Java 8 and hence cannot be unpacked using Java 7's
unpack200.
Update org.junit from 4.11 to 4.11 and org.apache.ant from from 1.9.2 to
1.9.6 since the older versions are not available in Neon orbit version
Ignore a couple of tests in ResourceUtilTest which now fail [1] since
bug 476585 was fixed in Neon M6.
CQ: 10694
CQ: 11308
Change-Id: I1a99a3ac2148693e21c57df5aeb848035b52b97b
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Creates a source directory under org.eclipse.jgit.http.test
for the new support class.
Signed-off-by: Michael Edgar <adgar@google.com>
Change-Id: Ie49492c2bbe5c1db96ceb0dc06fa7cb9f927431a
Implement LfsProtocolServlet handling the "Git LFS v1 Batch API"
protocol [1]. Add a simple file system based LFS content store and the
debug-lfs-store command to simplify testing.
Introduce a LargeFileRepository interface to enable additional storage
implementation while reusing the same protocol implementation.
At the client side we have to configure the lfs.url, specify that
we use the batch API and we don't use authentication:
[lfs]
url = http://host:port/lfs
batch = true
[lfs "http://host:port/lfs"]
access = none
the git-lfs client appends the "objects/batch" to the lfs.url.
Hard code an Authorization header in the FileLfsRepository.getAction
because then git-lfs client will skip asking for credentials. It will
just forward the Authorization header from the response to the
download/upload request.
The FileLfsServlet supports file content storage for "Large File
Storage" (LFS) server as defined by the Github LFS API [2].
- upload and download of large files is probably network bound hence use
an asynchronous servlet for good scalability
- simple object storage in file system with 2 level fan-out
- use LockFile to protect writing large objects against multiple
concurrent uploads of the same object
- to prevent corrupt uploads the uploaded file is rejected if its hash
doesn't match id given in URL
The debug-lfs-store command is used to run the LfsProtocolServlet and,
optionally, the FileLfsServlet which makes it easier to setup a
local test server.
[1]
https://github.com/github/git-lfs/blob/master/docs/api/http-v1-batch.md
[2] https://github.com/github/git-lfs/tree/master/docs/api
Bug: 472961
Change-Id: I7378da5575159d2195138d799704880c5c82d5f3
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Signed-off-by: Sasa Zivkov <sasa.zivkov@sap.com>
We will use gson to implement the LFS REST API.
CQ: 9966
Change-Id: I7feb6b2b8f7b736888370aad94e4c436ae6014bb
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
The Large File Storage extension specified by GitHub [1] uses SHA-256 to
compute the ID of large files stored by the extension. Hence implement a
SHA-256 abstraction similar to the SHA-1 abstraction used by JGit.
[1] https://git-lfs.github.com/
Bug: 470333
Change-Id: I3a95954543c8570d73929e55f4a884b55dbf1b7a
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Since we use the reporting plugins only in the parent pom.xml there's no
point in using the new pluginManagement tag in the reporting section
which was introduced to fix
https://issues.apache.org/jira/browse/MSITE-443
Change-Id: I750ca3765e95afb06609a362fb3354afc3b66b90
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Clirr doesn't support Java 8 hence use japicmp instead.
See https://github.com/siom79/japicmp
Change-Id: If4b30a6d6aa849b4d6b3b0c900558c609822840c
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
- update org.apache.httpcomponents.httpcore to 4.3.3
- update org.apache.httpcomponents.httpclient to 4.3.6, 4.3.5 and later
are reported to fix vulnerability CVE-2014-3577
CQ: 9220
CQ: 9221
Bug: 470523
Change-Id: I024448c941e81f7c1dc1cc2394329df90e9b3048
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Update target platform to Orbit M20150818205559 for Mars in order to
update com.jcraft.jsch to 0.1.53. Also update pom.xml to use Mars target
platform profile by default.
CQ: 10045
Bug: 463580
Change-Id: I1bf151fbee7b00c7bd38cf1236c9bad50e3c64bd
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
- update org.apache.httpcomponents.httpcore to 4.3.3
- update org.apache.httpcomponents.httpclient to 4.3.6, 4.3.5 and later
are reported to fix vulnerability CVE-2014-3577
CQ: 9220
CQ: 9221
Bug: 470523
Change-Id: I39b80b250c6c1daede6a23e9f177fb2988ac37bb
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Add the following additional reports:
- cross-reference report
- API changes report using clirr
- findbugs report
- surefire-report
Run
$ mvn test install site:site site:stage
to generate and stage the site
Also see
https://wiki.eclipse.org/EGit/Contributor_Guide#JGit_3
Change-Id: Ibb6a2e13e128d7728b3c632cc16bf79716dc75f5
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
- Update list of committers
- Update scm information
- Expose jgit hudson for Maven site
- Name our project's organization
- Scm URL should point to a web-enabled view on the repository
- Extract tycho-extras version used during signing to a property
Change-Id: If32bed323ec283b5e83d28ffe8775220f7c4cecd
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
CBI recently fixed a couple of resource leaks which probably caused
jar signing failures on Hudson (bug 464947). JGit builds were also
affected. Hence use version 1.1.2-SNAPSHOT until a new release is
available.
Bug:464947
Change-Id: I7fb4a65f888194f7209c866cd58551891c89fb7a
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
As we moved minimum Java version to 7 we don't need a separate bundle
and feature for JGit features depending on Java 7 anymore.
Change-Id: Ib5da61b0886ddbdea65298f1e8c6d65c9879ced1
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
A special options handler is added to properly handle the short -u alias
of the option.
The "normal" mode is not supported by this patch, because this mode of
listing untracked files is not
supported by the org.eclipse.jgit.lib.IndexDiff class. This mode is not
necessary for my use case. It can be added later if anyone really needs
it.
The StatusTest is updated to cover all possible combinations of the
--porcelain and --untracked-files options.
Bug: 459319
Change-Id: I305ac95739cfed0c16735e0987844e57fa27e236
Signed-off-by: Kaloyan Raev <kaloyan.r@zend.com>
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
The latest versions of the javadoc and source plugins in particular
avoid some pathological slowness I'd been seeing on Linux with Java
7 or later.
Change-Id: I9fddd7e6ef513debec5f014ed2efc4fea6917d1f
* stable-3.7:
Add log4j and slf4j-log4j bridge to jgit feature
Use slf4j to log instead of printing to System.err
Use Target Platform Definition DSL to generate target platforms
Change-Id: Ic8779868150c910fa55fd20348e35723e6add0f1