Simplify symlink creation, update dependencies (#569)
* Use fastjson 1.2.79, not 1.2.73

* Use okhttp-urlconnection 4.9.3, not 4.8.0

* Use commons-io 2.11.0, not 2.7

* Use commons-lang3 3.12.0, not 3.11

* Use commons-codec 1.15, not 1.14

* Use support-log-formatter 1.1, not 1.0

* Use version-number 1.9, not 1.7

* Use ant 1.10.12, not 1.10.11

* Use owasp-java-html-sanitizer 20211018.2, not 20200713.1

* Use spotbugs-annotations 4.5.3, not 4.1.1

* Use jsoup 1.14.3, not 1.14.2

* Use kotlin-stdlib-common 1.6.10, not 1.3.72

* Use mockito-core 4.3.1, not 3.4.6

* Use junit 4.13.2, not 4.13.1

* Use mockwebserver 4.9.3, not 4.8.0

* Use parent pom 1.70, not 1.54

* Use spotbugs 4.5.3.0, not 4.2.0

* Use surefire 3.0.0-M5, not 2.18.1

* Exclude okhttp and annotation-api from fastjson

Prevent upper bounds dependency error messages

* Exclude several spotbugs warnings

* Allow catch of NPE in getMetaData()

* Exclude command injection vulnerability

Creating a symbolic link is low risk

* Replace ProcessBuilder with Java 8 file calls

* Exclude path traversal spotbugs warnings

Path traversal is a key part of this utility

* Update dependencies

Co-authored-by: Daniel Beck <daniel-beck@users.noreply.github.com>
MarkEWaite and daniel-beck authored Aug 10, 2022
1 parent 85cf683 commit 45399cd
Showing 4 changed files with 68 additions and 38 deletions.
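--- a/pom.xml
+++ b/pom.xml
@@ -3,7 +3,7 @@
 <parent>
 <groupId>org.jenkins-ci</groupId>
 <artifactId>jenkins</artifactId>
-<version>1.54</version>
+<version>1.70</version>
 </parent>
 
 <artifactId>update-center2</artifactId>
@@ -116,15 +116,15 @@
 <plugin>
 <groupId>org.apache.maven.plugins</groupId>
 <artifactId>maven-surefire-plugin</artifactId>
-<version>2.18.1</version>
+<version>3.0.0-M5</version>
 <configuration>
 <redirectTestOutputToFile>true</redirectTestOutputToFile>
 </configuration>
 </plugin>
 <plugin>
 <groupId>com.github.spotbugs</groupId>
 <artifactId>spotbugs-maven-plugin</artifactId>
-<version>4.2.0</version>
+<version>4.5.3.0</version>
 <configuration><excludeFilterFile>${project.basedir}/spotbugs-excludes.xml</excludeFilterFile></configuration>
 </plugin>
 </plugins>
@@ -139,7 +139,17 @@
 <dependency>
 <groupId>com.alibaba</groupId>
 <artifactId>fastjson</artifactId>
-<version>1.2.73</version>
+<version>1.2.79</version>
+<exclusions>
+<exclusion>
+<groupId>com.squareup.okhttp3</groupId>
+<artifactId>okhttp</artifactId>
+</exclusion>
+<exclusion>
+<groupId>javax.annotation</groupId>
+<artifactId>javax.annotation-api</artifactId>
+</exclusion>
+</exclusions>
 </dependency>
 <dependency>
 <groupId>org.dom4j</groupId>
@@ -149,7 +159,7 @@
 <dependency>
 <groupId>com.squareup.okhttp3</groupId>
 <artifactId>okhttp-urlconnection</artifactId>
-<version>4.8.0</version>
+<version>4.10.0</version>
 </dependency>
 <dependency>
 <groupId>jaxen</groupId>
@@ -164,17 +174,17 @@
 <dependency>
 <groupId>commons-io</groupId>
 <artifactId>commons-io</artifactId>
-<version>2.7</version>
+<version>2.11.0</version>
 </dependency>
 <dependency>
 <groupId>org.apache.commons</groupId>
 <artifactId>commons-lang3</artifactId>
-<version>3.11</version>
+<version>3.12.0</version>
 </dependency>
 <dependency>
 <groupId>commons-codec</groupId>
 <artifactId>commons-codec</artifactId>
-<version>1.14</version>
+<version>1.15</version>
 </dependency>
 <dependency>
 <groupId>args4j</groupId>
@@ -184,12 +194,12 @@
 <dependency>
 <groupId>io.jenkins.lib</groupId>
 <artifactId>support-log-formatter</artifactId>
-<version>1.0</version>
+<version>1.1</version>
 </dependency>
 <dependency>
 <groupId>org.jenkins-ci</groupId>
 <artifactId>version-number</artifactId>
-<version>1.7</version>
+<version>1.10</version>
 </dependency>
 <dependency>
 <groupId>bouncycastle</groupId>
@@ -199,31 +209,31 @@
 <dependency>
 <groupId>org.apache.ant</groupId>
 <artifactId>ant</artifactId>
-<version>1.10.11</version>
+<version>1.10.12</version>
 </dependency>
 <dependency>
 <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
 <artifactId>owasp-java-html-sanitizer</artifactId>
-<version>20200713.1</version>
+<version>20220608.1</version>
 </dependency>
 <dependency>
 <groupId>com.github.spotbugs</groupId>
 <artifactId>spotbugs-annotations</artifactId>
-<version>4.1.1</version>
+<version>4.7.1</version>
 <scope>compile</scope>
 </dependency>
 <dependency>
 <groupId>org.jsoup</groupId>
 <artifactId>jsoup</artifactId>
-<version>1.14.2</version>
+<version>1.15.2</version>
 </dependency>
 
 
 <!-- for requireUpperBoundDeps -->
 <dependency>
 <groupId>org.jetbrains.kotlin</groupId>
 <artifactId>kotlin-stdlib-common</artifactId>
-<version>1.3.72</version>
+<version>1.7.10</version>
 </dependency>
 <dependency>
 <groupId>com.google.code.findbugs</groupId>
@@ -241,19 +251,19 @@
 <dependency>
 <groupId>org.mockito</groupId>
 <artifactId>mockito-core</artifactId>
-<version>3.4.6</version>
+<version>4.6.1</version>
 <scope>test</scope>
 </dependency>
 <dependency>
 <groupId>junit</groupId>
 <artifactId>junit</artifactId>
-<version>4.13.1</version>
+<version>4.13.2</version>
 <scope>test</scope>
 </dependency>
 <dependency>
 <groupId>com.squareup.okhttp3</groupId>
 <artifactId>mockwebserver</artifactId>
-<version>4.8.0</version>
+<version>4.10.0</version>
 <scope>test</scope>
 </dependency>
 </dependencies>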
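--- a/spotbugs-excludes.xml
+++ b/spotbugs-excludes.xml
@@ -7,4 +7,28 @@
 <!-- All @JsonField fields are considered unwritten -->
 <Bug pattern="URF_UNREAD_PUBLIC_OR_PROTECTED_FIELD" />
 </Match>
-</FindBugsFilter>
+<Match>
+<!-- CRLF injection risk from logging is not relevant here -->
+<Bug pattern="CRLF_INJECTION_LOGS" />
+</Match>
+<Match>
+<!-- Internal representation exposure is not a risk in this utility -->
+<Bug pattern="EI_EXPOSE_REP" />
+</Match>
+<Match>
+<!-- Internal representation exposure is not a risk in this utility -->
+<Bug pattern="EI_EXPOSE_REP2" />
+</Match>
+<Match>
+<!-- Internal representation exposure is not a risk in this utility -->
+<Bug pattern="MS_EXPOSE_REP" />
+</Match>
+<Match>
+<!-- SHA1 digest is required for checksums -->
+<Bug pattern="WEAK_MESSAGE_DIGEST_SHA1" />
+</Match>
+<Match>
+<!-- Reading user specified files is part of the role of this utility -->
+<Bug pattern="PATH_TRAVERSAL_IN" />
+</Match>
+</FindBugsFilter>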
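Review bot: The new PATH_TRAVERSAL_IN, WEAK_MESSAGE_DIGEST_SHA1 and CRLF_INJECTION_LOGS matches carry no `<Class>` or `<Method>` element, so they silence those detectors for every class in the project, including code written later, not only for the places the comments describe (user-specified input files, SHA-1 checksum output, log lines). Scoping each of those three Match blocks, e.g. adding `<Class name="io.jenkins.update_center.CLASS_PLACEHOLDER" />` beside the `<Bug>` element for the classes that legitimately do that work, keeps the detectors active everywhere else. The EI_EXPOSE_REP family is a design-level choice for this utility and is reasonable to exclude globally.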
@@ -1,6 +1,7 @@
package io.jenkins.update_center;

import com.alibaba.fastjson.JSON;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import io.jenkins.update_center.util.Environment;
import io.jenkins.update_center.util.HttpHelper;
import okhttp3.Credentials;
Expand Down Expand Up @@ -173,6 +174,8 @@ private String hexToBase64(String hex) throws IOException {
}

@Override
@SuppressFBWarnings(value="DCN_NULLPOINTER_EXCEPTION",
justification="Catching NPE is safer than trying to guard all cases")
public ArtifactMetadata getMetadata(MavenArtifact artifact) throws IOException {
ensureInitialized();
ArtifactMetadata ret = new ArtifactMetadata();
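Review bot: The DCN_NULLPOINTER_EXCEPTION suppression on getMetadata covers the whole method, and its justification does not say which dereferences are expected to be null, so a later reader cannot distinguish an expected missing field from a genuine bug hidden by the catch. A justification that names the source, along the lines of `justification="Fields of the fetched metadata may be absent; NPE is caught rather than null-checking each access"`, would make the suppression reviewable; the exact wording depends on the catch block, which lies outside the hunk together with the rest of the method body. I infer from the bug pattern that the method wraps its parsing in a catch of NullPointerException; if the catch is narrower than the whole body, the annotation could instead be replaced by a comment at that catch.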
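--- a/src/main/java/io/jenkins/update_center/DirectoryTreeBuilder.java
+++ b/src/main/java/io/jenkins/update_center/DirectoryTreeBuilder.java
@@ -7,6 +7,9 @@
 import javax.annotation.CheckForNull;
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Comparator;
@@ -121,18 +124,14 @@ private void createLatestSymlink(Plugin hpi) throws IOException {
 throw new IOException("Failed to delete " + latest);
 }
 
-ProcessBuilder pb = new ProcessBuilder();
 if (System.getProperty("os.name").toLowerCase(Locale.US).contains("windows")) {
 return;
 }
-pb.command("ln", "-s", "--", hpi.getLatest().version, "latest");
-pb.directory(dir);
+Path newLink = Paths.get("latest");
+Path existingFile = Paths.get(hpi.getLatest().version);
 try {
-int r = pb.start().waitFor();
-if (r != 0) {
-throw new IOException("ln failed: " + r); // TODO better logging
-}
-} catch (InterruptedException ex) {
+Files.createSymbolicLink(newLink, existingFile);
+} catch (IOException | UnsupportedOperationException ex) {
 LOGGER.log(Level.WARNING, "Failed to link ");
 }
 }
@@ -157,21 +156,15 @@ protected void stage(MavenArtifact a, File dst) throws IOException {
 throw new IOException("Failed to create " + parentFile);
 }
 
-ProcessBuilder pb = new ProcessBuilder();
 if (System.getProperty("os.name").toLowerCase(Locale.US).contains("windows")) {
 return;
 }
-pb.command("ln", "-f", src.getAbsolutePath(), dst.getAbsolutePath());
-Process p = pb.start();
+Path newLink = Paths.get(dst.getAbsolutePath());
+Path existingFile = Paths.get(src.getAbsolutePath());
 try {
-if (p.waitFor() != 0) {
-throw new IOException("'ln -f " + src.getAbsolutePath() + " " + dst.getAbsolutePath() +
-"' failed with code " + p.exitValue() + "\nError: " + IOUtils.toString(p.getErrorStream()) + "\nOutput: " + IOUtils.toString(p.getInputStream()));
-} else {
-LOGGER.log(Level.INFO, "Created new download file " + dst + " from " + src);
-}
-} catch (InterruptedException ex) {
-LOGGER.log(Level.WARNING, "Interrupted creating " + dst + " from " + src, ex);
+Files.createSymbolicLink(newLink, existingFile);
+} catch (IOException | UnsupportedOperationException ex) {
+LOGGER.log(Level.WARNING, "Failed to create " + dst + " from " + src, ex);
 }
 
 }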
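Review bot: In createLatestSymlink, `Paths.get("latest")` is resolved against the JVM's working directory, whereas the removed `pb.directory(dir)` ran `ln` inside the plugin directory, so the link now lands in the wrong place unless the process happens to run from `dir`; `latest` on the hunk's first line is the file that was just deleted, so `Path newLink = latest.toPath();` (assuming `latest` is a File, which the hunk does not show) keeps the two in step. The same hunk also downgrades a failure to a warning: the old code threw IOException on a non-zero exit, while the new catch logs `"Failed to link "` with neither the path nor `ex`, so a missing latest link leaves no usable trace — either rethrow, or at least `LOGGER.log(Level.WARNING, "Failed to link " + newLink + " to " + existingFile, ex);`. In stage(), the replaced command was `ln -f` (a forced hard link), but the replacement creates a symbolic link to `src`'s absolute path and throws FileAlreadyExistsException if `dst` still exists, which is then only logged; the nearest equivalent is `Files.createLink(newLink, existingFile);`, and since the method already declares `throws IOException` the exception can propagate rather than being swallowed. A symbolic link to the absolute source path also dangles if the source tree is removed or the staged directory is copied to another host, which the hard link did not. Both methods begin above their hunks.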
