Consolidated dependency updates #2725
Conversation
The upgrade to Jetty 11 Maven plugin will likely break development environments due to the migration of javax to jakarta. DT still relies on Jetty 10. We should likely have a dedicated story specific to the upgrade of Jetty and migration from javax to jakarta. This will impact both DT and Java Alpine.
@stevespringett I can remove the jetty upgrade for now and make a comment inline.
The Jekyll update needs to be tested by building the docs: https://github.com/DependencyTrack/dependency-track/blob/master/DEVELOPING.md#documentation We'll also need to make sure GitHub pages continues to work.
For Alpine there's stevespringett/Alpine#402 already. @melba-lopez Please make sure you sign off your commits. If you click on "Details" of the DCO check it will show you what to do.
Will attempt testing it now
I don't know how to test the GitHub pages. Can you point me in the right direction?
Just tested on local machine and it appears to be working. Also, should we update this command in the docs? https://github.com/DependencyTrack/dependency-track/blob/master/DEVELOPING.md#documentation
Only way I know is actually deploying it. I think you can do it in your fork such that it's available under https://melba-lopez.github.io/dependency-track. Here's how it's currently set up for us: I also found this dedicated website for dependency versions in GitHub pages: https://pages.github.com/versions/ it says it's using Jekyll 3.9.3, but I am not 100% sure if that means depending on Jekyll 4.x will break things.
@melba-lopez For the sake of moving this forward, maybe we can just drop the Jekyll update for now, and investigate this separately?
Sounds good to me. @nscuro -- been out sick (myself/family) so have not had time to do much in this space. I got back last week. Not sure if this still is applicable given the 4.8 release that happened afterwards. I can always add extra packages if you'd like or just use this PR as a test only. |
Just stumbled over this again: #1970 (comment) There is a problem with
@nscuro once the checks pass, this should be good to go!
Signed-off-by: Florian Heubeck <heubeck@mediamarktsaturn.com>
Signed-off-by: Melba Lopez <Melba.Lopez@ibm.com>

Additionally:
* Only fetch existing tests when reimport is actually enabled
* Add proper tests that verify the entirety of the integration instead of only individual parts
* Add test case for manual testing against a local DefectDojo instance

Fixes DependencyTrack#2707

Signed-off-by: nscuro <nscuro@protonmail.com>
Signed-off-by: Melba Lopez <Melba.Lopez@ibm.com>

Signed-off-by: Jakub Rak <rakjak2@gmail.com>
Signed-off-by: Melba Lopez <Melba.Lopez@ibm.com>

### Description
Consolidated dependency updates

| Package | Type | Update | Change |
|---|---|---|---|
| org.glassfish.jaxb:jaxb-runtime (source) | compile | patch | 2.3.6 -> 2.3.8 |
| com.microsoft.sqlserver:mssql-jdbc | compile | major | 11.2.3.jre17 -> 12.2.0.jre11 |
| mysql:mysql-connector-java | compile | patch | 8.0.29 -> 8.0.33 |
| org.postgresql:postgresql (source) | compile | minor | 42.5.1 -> 42.6.0 |
| org.eclipse.jetty:jetty-maven-plugin (source) | build | major | 10.0.15 -> 11.0.15 |

### Addressed Issue
### Additional Details
### Checklist
- [x] This PR fixes a defect, and I have provided tests to verify that the fix is effective

Signed-off-by: Melba Lopez <Melba.Lopez@ibm.com>

| eclipse-temurin | stage | patch | 17.0.6_10-jre-focal -> 17.0.7_7-jre-focal | DependencyTrack#77 |

Signed-off-by: Melba Lopez <Melba.Lopez@ibm.com>

| jekyll | | major | '~> 3.8' -> '~> 4.0' |

Signed-off-by: Melba Lopez <Melba.Lopez@ibm.com>

Signed-off-by: Melba Lopez <Melba.Lopez@ibm.com>
9bf7f14 to ff26901
if (orderBy == null) { | ||
query.setOrdering("timestamp desc, component.name, component.version"); | ||
} | ||
final PaginatedResult result = execute(query, project.getId()); | ||
if (filter != null) { | ||
query.setFilter(projectFilter + " && (policyCondition.policy.name.toLowerCase().matches(:filter) || component.name.toLowerCase().matches(:filter))"); |
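Review bot: `execute(query, project.getId())` runs before the `if (filter != null)` branch calls `query.setFilter(...)`, so on the lines shown the filter is set on a query that has already been executed and `result` never reflects it; move the `setFilter` call (and the binding of the `:filter` parameter) ahead of `execute`, or confirm that a second `execute` follows outside this excerpt. On the SQL_INJECTION_JDO finding from Lift: the user-supplied filter value is passed through the named parameter `:filter` rather than concatenated into the JDOQL string, which is the safe pattern; what the finding actually flags is the concatenation of `projectFilter`, so before dismissing it the PR should show that `projectFilter` is assembled from fixed code and parameter placeholders and never from request input.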
SQL_INJECTION_JDO: This use of javax/jdo/Query.setFilter(Ljava/lang/String;)V can be vulnerable to SQL/JDOQL injection (with JDO)
### Description
Consolidated dependency updates
- mysql:mysql-connector-java 8.0.29 -> 8.0.33
- jekyll 3.8 -> 4.0
- org.eclipse.jetty:jetty-maven-plugin (source) 10.0.15 -> 11.0.15

### Addressed Issue
### Additional Details
Upgrades not compatible at this time:
Postponed:
### Checklist