The same errors are suppressed when generating javadoc.
Suppress the errors during site generation.
Change-Id: I83bd1c10e5de82f47c351e7edf2c9230be4b1f21
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Zip Slip [1] is an arbitrary file write generic vulnerability, that can
be achieved using a specially crafted zip (or bzip2, gzip, tar, xz, war)
archive, that holds path traversal filenames.
According to Maven's announcement [2] several plugins use plexus-archiver to
unpack dependencies to disk and have been identified as potential triggers
for exposing the vulnerability.
Of those, JGit uses the maven-dependency-plugin and the maven-javadoc-plugin.
Update them to the fixed versions reported in [2].
See the corresponding issues for the maven-dependency-plugin [3] and the
maven-javadoc-plugin [4] for details.
[1] https://snyk.io/research/zip-slip-vulnerability
[2] https://maven.apache.org/security-plexus-archiver.html
[3] https://issues.apache.org/jira/browse/MDEP-611
[4] https://issues.apache.org/jira/browse/MJAVADOC-520
Change-Id: Id3ab2d6161db240f2ab8f82298fa3ecd7a930a43
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
Found instructions for configuring maven-compiler-plugin with ecj in
[1]. Verified that ecj run in this way raises build errors when executed
on commit d3ef5213.
Define profiles "ecj" for using Eclipse compiler and "javac" for using
javac including errorprone. By default ecj will be used.
use ecj:
$ mvn -Pecj clean install
use javac:
$ mvn -Pjavac clean install
TODO: find out how to run ecj with errorprone from Maven.
[1] https://stackoverflow.com/questions/33164976/using-eclipse-java-compiler-ecj-in-maven-builds
Change-Id: I716b603b57612b953e603387c82fd01eb1b5ca97
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
and plexus-compiler-javac-errorprone to 2.8.4.
Change-Id: I36487ce53e70b54d7a04292e666540224c107b43
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
The upgrade was already done 3 weeks ago, this version number was
missing, however.
Change-Id: Ibc794ba8035c46ea2160925b344ded5714b7c987
Signed-off-by: Michael Keppler <Michael.Keppler@gmx.de>
Also update xz to 1.6 as this is the version commons-compress 1.15
wants. Since xz 1.6 is an optional dependency for commons-compress we
need to add a non-optional dependency to xz for
org.eclipse.jgit.pgm.test since one of the tests explicitly requires xz.
Related change adding commons-compress to Orbit:
https://git.eclipse.org/r/#/c/115366/
CQ: 15356
CQ: 15360
Change-Id: I0d61c71bc541cc30464a0fff93775b079dd3ba88
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
com.jcraft.jsch requires com.jcraft.jzlib to provide optional zlib
packet compression support. Add this library so that jgit can handle
packet compression.
CQ: 15292
Bug: 529129
Change-Id: I0297bd0488753547a5f5d47dbf0db508a79dd265
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
This prepares builds on Java 9 [1].
The maven 2 tag "prerequisites" is not honored by maven 3
hence use maven-enforcer-plugin to enforce the minimum
maven version.
[1] https://issues.apache.org/jira/browse/MNG-6148
Change-Id: I57f5051a0641b1bd21f9f888f1a17d8f98e879e5
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
This profile isn't needed any longer since we require Java 8 as minimum
version.
Change-Id: I8a37eaf874473ff4004b9c074a810dddebde54c8
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
This version seems to be much stricter and reports a lot more errors
in the javadoc formatting.
Disable failOnError to prevent the build from failing due to these
newly reported problems. These should be fixed in a follow-up commit.
Change-Id: Ia403cbedf72cfe8bdaf09f30e42e3bf96084ae52
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
- error_prone_core to 2.1.1
- maven-compiler-plugin to 3.6.2
- plexus-compiler-javac{-error-prone} to 2.8.2
Change-Id: I20d864c869f2d03f623ea054b6d08e7ee0eb262a
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
SpotBugs [1] is the spiritual successor of FindBugs, carrying on from
the point where it left off with support of its community.
[1] http://spotbugs.readthedocs.io/
Change-Id: I127f2c54b04265b6565e780116617ffa8a4d7eaf
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
* Adapt to API removals in jetty 9.4+
* Manifests changed to restrict jetty to [9.4.5,10.0.0)
Bug: 514336
Bug: 516514
Change-Id: Ifcfd968084dfa6db0ae07cf541d33a6cdedc1ee2
Signed-off-by: Mat Booth <mat.booth@redhat.com>
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Maven version 3.3.1 is the minimum required version as reported
by running:
mvn versions:display-plugin-updates
Change-Id: I9514013dcffa6cb945496515c3eb4894c9043d7b
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
- japicmp-maven-plugin to 0.8.1
- maven-surefire-plugin to 2.20
- maven-surefire-report-plugin to 2.20
- tycho-extras to 1.0.0
Change-Id: Iecc9a5aeb7811a8ecc8198c8836a4a739be3cc08
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
We detect API changes during the Maven build using japicmp. Update the
reference version to the latest minor version 4.7.0.201704051617-r.
Change-Id: Iab354fbf745cdfe44f71ce0bb64bb838b8bcd57d
Silence the many duplicate code warnings for this generated class.
Change-Id: I3ecb0f986c809dad962b821c5de7cf18865642d3
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
* stable-4.6:
Update Jetty to 9.3.17.v20170317
Revert "Update Jetty to 9.4.1.v20170120 in buck build"
Revert "Update Jetty to 9.4.1.v20170120"
Change-Id: I9193b568cce9c72da899a8f3eaaf833956438e13
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Update to the latest 9.3 version until we have a solution for bug 514336
we face with 9.4.x versions.
Change-Id: I6d8d476abe8677ce865a08099bb77330effc700a
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
We detect API changes during the Maven build using japicmp. Update the
reference version to the latest minor version 4.6.0.
Change-Id: I70f65f4a0680671612f21ee1afac7f7ef0152cbb
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
We updated the version we use for packaging the p2 repository in
efbecb97 but missed to update the version we compile against in the
Maven build.
Bug: 513354
Change-Id: I49afd89b43cfd8735568a86ef273723909d694a3
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
MappedLoginService is no longer available in Jetty 9.4 therefore base
TestLoginService on AbstractLoginService.
Apparently Jetty now uses slf4j hence adapt RecordingLogger accordingly
so we can log error messages containing slf4j style formatting anchors
"{}".
Change-Id: Ibb36aba8782882936849b6102001a88b699bb65c
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
(cherry picked from commit 5e8e2179b2)
MappedLoginService is no longer available in Jetty 9.4 therefore base
TestLoginService on AbstractLoginService.
Apparently Jetty now uses slf4j hence adapt RecordingLogger accordingly
so we can log error messages containing slf4j style formatting anchors
"{}".
Change-Id: Ibb36aba8782882936849b6102001a88b699bb65c
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
In one place version 3.0.4 is used, and in another place 3.0.3 is
used.
Define the version (3.0.4) in a property and use that in both places,
so it doesn't get inconsistent again next time the version is bumped.
Change-Id: If3a2489cec78c0c9ef76aa6b941fda51b098e04b
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
Recently we frequently suffer from OutOfMemoryError when creating source
archives in the Maven build. maven-source-plugin 3.0.0 has a bug [1]
causing OOM which is fixed in 3.0.1.
[1] https://issues.apache.org/jira/browse/MSOURCES-94
Change-Id: Ie900bd546c42523c5a04e22bd3d3f510d2a81ca2
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Use Oxygen M3 Orbit repository which provides the bundles built using
the new orbit-recipe based build.
CQ: 11658
Change-Id: I7f3dcc966732b32830c75d5daa55383bd028d182
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Remove the JDK_HOME settings that were introduced to build against the
Java 1.7 libraries. Now that the minimum requirement is Java 1.8, this
is wrong and prevents use of Java 1.8 features.
Change-Id: I91a194c9449d7810ef02b038907dbbc708e600a5
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
* stable-4.5:
Turn off doclint also during Maven site generation
Prepare 4.5.1-SNAPSHOT builds
JGit v4.5.0.201609210915-r
Unconditionally close repository in unregisterAndCloseRepository
Change-Id: Ibfd11669cd74d2e62b014c18fd39b646b200c8c5
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
* stable-4.4:
Log if Repository.useCnt becomes negative
Time based eviction strategy for repository cache
Add method to read time unit from config
Align include.path max depth with native git
Config load should not fail on unsupported or nonexistent include path
Allow using JDK 7 bootclasspath when compiling JGit using Java 8
Extract work queue to allow reusing it
Change-Id: I6aeedb1cb8b0c3068af344a719c80a03ae68fc23
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
When compiling jgit using Java 8 set system property JDK_HOME to
JAVA_HOME path of JDK7 installation to compile against JDK 7 class
libraries. Otherwise jgit may hit runtime exceptions when running on
Java 7 (e.g. return type of ConcurrentHashMap.keySet() in JDK 8 class
library doesn't exist in JDK 7).
Example:
$ mvn clean install -DJDK_HOME=/.../jdk1.7.0_80.jdk/Contents/Home
Bug: 496262
Change-Id: Ib6abe5e544e0492e08b342e1a34b182caf25f94f
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>