From 87d8bcdf7ffcb5dbee1a2e89355bd339a202d45d Mon Sep 17 00:00:00 2001
From: labkey-matthewb
Date: Wed, 9 Oct 2024 22:46:06 -0700
Subject: [PATCH 1/6] vfs2 dependency (#901)

---
 gradle.properties | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gradle.properties b/gradle.properties
index 17775eb5de..36507edd17 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -136,6 +136,7 @@ commonsMath3Version=3.6.1
 commonsPoolVersion=1.6
 commonsTextVersion=1.12.0
 commonsValidatorVersion=1.9.0
+commonsVfs2Version=2.7.0
 datadogVersion=1.39.1
From 06c79b5b8aa164e6182f041b1bac3c883b90e01d Mon Sep 17 00:00:00 2001
From: Will Mooreston <97046018+labkey-willm@users.noreply.github.com>
Date: Fri, 11 Oct 2024 13:36:22 -0700
Subject: [PATCH 2/6] 24.7 CVE fixes for lucene, glassfish, batik/fop (#904)

* suppress lucene for CVE-2024-45772, fixed in develop
* suppress glassfish false positives
* bump apache batik and fop for CVE-2024-28168
---
 dependencyCheckSuppression.xml | 123 +++++++++++++++++++++++++++++++++
 gradle.properties | 4 +-
 2 files changed, 125 insertions(+), 2 deletions(-)

diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml
index 1bcc0d5a8b..67b14dd54a 100644
--- a/dependencyCheckSuppression.xml
+++ b/dependencyCheckSuppression.xml
@@ -246,5 +246,128 @@ CVE-2005-1260 + + + + ^pkg:maven/org\.apache\.lucene/lucene-analysis-common@.*$ + CVE-2024-45772 + + + + + ^pkg:maven/org\.apache\.lucene/lucene-backward-codecs@.*$ + CVE-2024-45772 + + + + + ^pkg:maven/org\.apache\.lucene/lucene-core@.*$ + CVE-2024-45772 + + + + + ^pkg:maven/org\.apache\.lucene/lucene-queries@.*$ + CVE-2024-45772 + + + + + ^pkg:maven/org\.apache\.lucene/lucene-queryparser@.*$ + CVE-2024-45772 + + + + + ^pkg:maven/org\.apache\.lucene/lucene-sandbox@.*$ + CVE-2024-45772 + + + + + + + ^pkg:maven/org\.glassfish\.jaxb/jaxb-core@.*$ + CVE-2024-9329 + + + + + ^pkg:maven/org\.glassfish\.jaxb/jaxb-core@.*$ + CVE-2024-9329 + + + + + ^pkg:maven/org\.glassfish\.jaxb/jaxb-core@.*$ + CVE-2024-9329 + + + + + ^pkg:maven/org\.glassfish\.jaxb/jaxb-runtime@.*$ + CVE-2024-9329 + + + + + ^pkg:maven/org\.glassfish\.jaxb/jaxb-runtime@.*$ + CVE-2024-9329 + + + + + ^pkg:maven/org\.glassfish\.hk2/osgi-resource-locator@.*$ + CVE-2024-9329 + + + + + ^pkg:maven/org\.glassfish\.jaxb/txw2@.*$ + CVE-2024-9329 + + + + + ^pkg:maven/org\.glassfish\.jaxb/txw2@.*$ + CVE-2024-9329 + + + diff --git a/gradle.properties b/gradle.properties index a9c5cb54f2..3b6b9786a6 100644 --- a/gradle.properties +++ b/gradle.properties @@ -111,7 +111,7 @@ apacheTomcatVersion=10.1.30 asmVersion=9.7 # Apache Batik -- Batik version needs to be compatible with Apache FOP, but we need to pull in batik-codec separately -batikVersion=1.17 +batikVersion=1.18 # sync with Tika version (or later) bouncycastlePgpVersion=1.78 @@ -152,7 +152,7 @@ eigenbaseXomVersion=1.3.7 flyingsaucerVersion=R8 # Apache FOP -- linked to Apache Batik version above -fopVersion=2.9 +fopVersion=2.10 # Force latest for consistency googleAutoValueAnnotationsVersion=1.10.4 From e24cea8c3d95ad14bcc38ad5e1fe4cfde665b247 Mon Sep 17 00:00:00 2001 
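Review bot: The lucene entries for CVE-2024-45772 are described in the commit message as a stopgap for a fix that already exists in develop, so if these suppress elements carry no dated `until="..."` attribute they will keep masking the finding after the lucene upgrade is back-ported; dependency-check expires a suppression automatically when `until` is set. The element tags are not visible in this rendering, so whether `until` is present needs confirming against the file. For the glassfish entries on CVE-2024-9329, which the message calls false positives, a short notes element per entry recording why the match is wrong would let the next reviewer re-verify the reasoning instead of trusting the suppression.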
From: Adam Rauch
Date: Fri, 11 Oct 2024 21:06:58 -0700
Subject: [PATCH 3/6] Adopt gradle plugins v4.2.0 (#905)

---
 gradle.properties | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gradle.properties b/gradle.properties
index 36507edd17..c086b2c560 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -57,10 +57,10 @@ osxProteomicsBinariesVersion=1.0
 windowsProteomicsBinariesVersion=1.0
 
 # The current version numbers for the gradle plugins.
-artifactoryPluginVersion=4.31.9
+artifactoryPluginVersion=5.2.5
 gradleNodePluginVersion=3.5.1
-gradlePluginsVersion=4.1.0
-owaspDependencyCheckPluginVersion=10.0.3
+gradlePluginsVersion=4.2.0
+owaspDependencyCheckPluginVersion=10.0.4
 versioningPluginVersion=1.1.2
 
 # Versions of node and npm to use during the build. If set, these versions
From e2dc58836dc301907e2cdba5fe8332bb4affd4a3 Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Sat, 12 Oct 2024 10:47:09 -0700
Subject: [PATCH 4/6] Simplify EmbeddedExtractor (#906)

---
 .../labkey/embedded/EmbeddedExtractor.java | 139 ++++-------------
 1 file changed, 27 insertions(+), 112 deletions(-)

diff --git a/server/embedded/src/org/labkey/embedded/EmbeddedExtractor.java b/server/embedded/src/org/labkey/embedded/EmbeddedExtractor.java
index ce7bbd5ffe..670329cce0 100644
--- a/server/embedded/src/org/labkey/embedded/EmbeddedExtractor.java
+++ b/server/embedded/src/org/labkey/embedded/EmbeddedExtractor.java
@@ -4,18 +4,15 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.labkey.bootstrap.ConfigException;
-import org.springframework.util.StreamUtils;
 
 import java.io.BufferedOutputStream;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.util.Arrays;
 import java.util.HashSet;
-import java.util.Objects;
 import java.util.Properties;
 import java.util.Set;
 import java.util.jar.JarFile;
@@ -78,45 +75,24 @@ private File verifyJar()
     private boolean shouldExtract(File webAppLocation)
     {
-        File existingVersionFile = new File(webAppLocation, "WEB-INF/classes/VERSION");
         File existingDistributionFile = new File(webAppLocation, "WEB-INF/classes/distribution.properties");
         LabKeyDistributionInfo incomingDistribution = getDistributionInfo();
         // Fresh installation or upgrading from a pre-distribution.properties distribution
-        if (!existingVersionFile.exists() || !existingDistributionFile.exists())
+        if (!existingDistributionFile.exists())
         {
             LOG.info("Extracting new LabKey distribution - %s".formatted(incomingDistribution));
             return true;
         }
-        String existingVersion;
-        String existingBuildUrl;
-        String existingDistributionName;
+        LabKeyDistributionInfo existingDistribution;
+
         try
         {
             try (InputStream is = Files.newInputStream(existingDistributionFile.toPath()))
             {
-                LabKeyDistributionInfo info = getFromProperties(is);
-                existingVersion = info.version;
-                existingBuildUrl = info.buildUrl;
-                existingDistributionName = info.distributionName;
-            }
-
-            // TODO: Stop reading VERSION file
-            if (existingVersion.isEmpty())
-            {
-                String versionFileContents = Files.readString(existingVersionFile.toPath()).trim();
-                String[] splitVersion = versionFileContents.trim().split("\\n");
-                existingVersion = splitVersion[0];
-                if (splitVersion.length > 1)
-                {
-                    existingBuildUrl = splitVersion[1];
-                }
-                else
-                {
-                    existingBuildUrl = null;
-                }
+                existingDistribution = getFromProperties(is);
             }
         }
         catch (IOException e)
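Review bot: The `try { try (InputStream is = ...) { ... } } catch (IOException e)` nesting in shouldExtract is now redundant — the outer block only existed so the catch would also cover the `Files.readString` on the VERSION file, which this hunk removes. The inner try-with-resources can carry the catch directly: `try (InputStream is = Files.newInputStream(existingDistributionFile.toPath())) { existingDistribution = getFromProperties(is); } catch (IOException e)`. shouldExtract's body continues past the end of the hunk.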
@@ -124,14 +100,12 @@ private boolean shouldExtract(File webAppLocation)
             throw new RuntimeException(e);
         }
 
-        LabKeyDistributionInfo existingDistribution = new LabKeyDistributionInfo(existingVersion, existingBuildUrl, existingDistributionName);
-
         if (!existingDistribution.equals(incomingDistribution))
         {
             LOG.info("Updating LabKey (%s -> %s)".formatted(existingDistribution, incomingDistribution));
             return true;
         }
-        else if (incomingDistribution.buildUrl == null)
+        else if (incomingDistribution.buildUrl() == null)
         {
             LOG.info("Extracting custom-build LabKey distribution (%s)".formatted(existingDistribution));
             return true;
@@ -149,9 +123,7 @@ else if (incomingDistribution.buildUrl == null)
      */
     private LabKeyDistributionInfo getDistributionInfo()
     {
-        String version = "";
-        String buildUrl = null;
-        String distributionName = "";
+        LabKeyDistributionInfo info = null;
 
         try
         {
@@ -173,47 +145,15 @@ private LabKeyDistributionInfo getDistributionInfo()
                 while (zipEntry != null)
                 {
                     distributionDirs.add(zipEntry.getName().split("/", 2)[0]);
-                    // TODO: Remove this branch once newest gradle plugins version is adopted
-                    if (!zipEntry.isDirectory() && zipEntry.getName().equals(LABKEYWEBAPP + "/WEB-INF/classes/VERSION"))
-                    {
-                        // Don't overwrite values from distribution.properties
-                        if (version.isEmpty())
-                        {
-                            String versionFileContents = StreamUtils.copyToString(zipIn, StandardCharsets.UTF_8).trim();
-
-                            String[] splitVersion = versionFileContents.trim().split("\\n");
-                            version = splitVersion[0];
-                            if (splitVersion.length > 1)
-                            {
-                                buildUrl = splitVersion[1];
-                            }
-                            else
-                            {
-                                buildUrl = null;
-                            }
-                        }
-                    }
-                    else if (!zipEntry.isDirectory() && zipEntry.getName().equals(LABKEYWEBAPP + "/WEB-INF/classes/distribution.properties"))
+                    if (!zipEntry.isDirectory() && zipEntry.getName().equals(LABKEYWEBAPP + "/WEB-INF/classes/distribution.properties"))
                     {
-                        LabKeyDistributionInfo info = getFromProperties(zipIn);
-                        distributionName = info.distributionName;
-                        if (!info.version.isEmpty())
-                            version = info.version;
-                        if (info.buildUrl != null)
-                            buildUrl = info.buildUrl;
+                        info = getFromProperties(zipIn);
                     }
                     zipIn.closeEntry();
                     zipEntry = zipIn.getNextEntry();
                 }
             }
-            if (version.isEmpty())
-            {
-                throw new ConfigException("Unable to determine version of distribution.");
-            }
-            if (distributionName.isEmpty())
-            {
-                throw new ConfigException("Unable to determine name of distribution.");
-            }
+
             if (!distributionDirs.equals(EXPECTED_DIST_DIRS))
             {
                 StringBuilder msg = new StringBuilder("Corrupted distribution; contents are not as expected.");
@@ -236,7 +176,11 @@ else if (!zipEntry.isDirectory() && zipEntry.getName().equals(LABKEYWEBAPP + "/W
                 throw new IllegalStateException(msg.toString());
             }
-            return new LabKeyDistributionInfo(version, buildUrl, distributionName);
+
+            if (null == info)
+                throw new IllegalStateException("distribution.properties file was not found!");
+
+            return info;
         }
     }
@@ -258,7 +202,10 @@ private LabKeyDistributionInfo getFromProperties(InputStream in) throws IOExcept
         String version = props.getProperty("version", "").trim();
         String buildUrl = props.containsKey("buildUrl") ? props.getProperty("buildUrl").trim() : null;
 
-        return new LabKeyDistributionInfo(version, buildUrl, distributionName);
+        var info = new LabKeyDistributionInfo(version, buildUrl, distributionName);
+        LOG.info("LabKeyDistributionInfo: " + info);
+
+        return info;
     }
 
     public void extractDistribution(File webAppLocation)
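Review bot: The new `if (null == info)` guard only catches a missing distribution.properties; the second hunk shows getFromProperties defaulting `version` to `""` (and presumably `distributionName` likewise, its lookup is outside the hunk), so a file that is present but incomplete now produces a LabKeyDistributionInfo with empty fields, whereas the "Unable to determine version/name of distribution" checks dropped in the previous hunk rejected that. The guard could cover both cases: `if (null == info || info.version().isEmpty() || info.distributionName().isEmpty())` with a message naming the missing field; those checks previously threw ConfigException rather than IllegalStateException, so if bootstrap treats ConfigException specially the type change is worth a look too. Separately, `LOG.info("LabKeyDistributionInfo: " + info)` fires on every call, so shouldExtract now logs it for both the incoming and the existing distribution on each startup next to the messages that already print both; debug level would be less noisy. getDistributionInfo begins outside the first hunk and getFromProperties outside the second.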
@@ -416,50 +363,18 @@ private void deleteOldDistribution(File webAppLocation)
         }
     }
 
-class LabKeyDistributionInfo
+/**
+ * Build properties from 'distribution.properties' file
+ *
+ * @param version the LabKey version (e.g. 24.3-SNAPSHOT)
+ * @param buildUrl optional TeamCity BUILD_URL, if distribution was produced by TeamCity
+ * @param distributionName value of the 'name' property
+ */
+record LabKeyDistributionInfo(String version, String buildUrl, String distributionName)
 {
-    final String version;
-    final String buildUrl;
-    final String distributionName;
-
-    /**
-     * Build properties from 'distribution.properties' file
-     * @param version the LabKey version (e.g. 24.3-SNAPSHOT)
-     * @param buildUrl TeamCity BUILD_URL, if distribution was produced by TeamCity
-     * @param distributionName value of the 'name' property
-     */
-    public LabKeyDistributionInfo(String version, String buildUrl, String distributionName)
-    {
-        this.version = version;
-        this.buildUrl = buildUrl;
-        this.distributionName = distributionName;
-    }
-
-    @Override
-    public boolean equals(Object o)
-    {
-        if (this == o) return true;
-        if (o == null || getClass() != o.getClass()) return false;
-
-        LabKeyDistributionInfo that = (LabKeyDistributionInfo) o;
-
-        if (!version.equals(that.version)) return false;
-        if (!Objects.equals(buildUrl, that.buildUrl)) return false;
-        return distributionName.equals(that.distributionName);
-    }
-
-    @Override
-    public int hashCode()
-    {
-        int result = version.hashCode();
-        result = 31 * result + (buildUrl != null ? buildUrl.hashCode() : 0);
-        result = 31 * result + distributionName.hashCode();
-        return result;
-    }
-
     @Override
     public String toString()
     {
-        return distributionName + ":" + version;
+        return distributionName + ":" + version + (buildUrl != null ? ":" + buildUrl : "");
     }
 }
\ No newline at end of file
From d5859f70224668226c3525a181024a1ef6d55b42 Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Mon, 14 Oct 2024 14:36:05 -0700
Subject: [PATCH 5/6] Adjust build.gradle for new Artifactory Plugin version (#907)

---
 build.gradle | 1 -
 1 file changed, 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index c6227051ec..4c8a6313a5 100644
--- a/build.gradle
+++ b/build.gradle
@@ -386,7 +386,6 @@ if (BuildUtils.shouldPublish(project) || BuildUtils.shouldPublishDistribution(pr
                 username = artifactory_user
                 password = artifactory_password
             }
-            maven = true
         }
 
         defaults {
From 3060975b6ff552a5f908184283ab2b7e08145ecd Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Tue, 15 Oct 2024 11:04:16 -0700
Subject: [PATCH 6/6] Upgrade HttpClient and HttpCore to latest version (#908)

---
 gradle.properties | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gradle.properties b/gradle.properties
index c086b2c560..a1ca0c1c89 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -180,8 +180,8 @@ hamcrestVersion=2.2
 # Note: if changing this, we might need to match with the picard version in the SequenceAnalysis module build.gradle
 htsjdkVersion=4.0.0
-httpclient5Version=5.3.1
-httpcore5Version=5.2.5
+httpclient5Version=5.4
+httpcore5Version=5.3
 
 # Not used directly, but these are widely used transitive dependencies
 httpclientVersion=4.5.14