Re: Discuss policy for updating dependencies

2022-10-19 Thread Eric Norman
>
> There are lots of vulnerabilities reported which do not affect our usage
> of dependencies.


While this is probably true, is this an argument you want to keep having
over and over again? I have found some security-focused folks don't trust
the engineering assurances that we are not affected, especially when
their automated scanning tools keep flagging the problems.

It's probably easier in the long run to just concede the point the
security tools are flagging, update the dependencies and move on.

Regards,
Eric

On Wed, Oct 19, 2022 at 11:05 AM Konrad Windszus  wrote:

> Hi,
> There are lots of vulnerabilities reported which do not affect our usage
> of dependencies.
> Therefore I am still in favour of putting the responsibility towards those
> who build applications/distributions out of Sling bundles.
> For Sling Starter this is obviously us.
>
> I would recommend to introduce some automated means (apart from
> dependabot) to check for vulnerabilities on all Maven projects which are
> not OSGi bundles.
> Something like
> https://jeremylong.github.io/DependencyCheck/dependency-check-maven/
> works for that use case.
>
> A new policy for not depending on vulnerable dependencies will put a lot
> of pressure on us, to release bundles way more often than we currently do
> (for no functional benefit).
>
> However, what is documented at
> https://cwiki.apache.org/confluence/display/SLING/Dependabot probably
> needs to be documented on our web site for consumers as well, so that the
> expectations can be managed.
>
> Regards,
> Konrad
>
>
> > On 19. Oct 2022, at 17:28, Carsten Ziegeler 
> wrote:
> >
> > Hi,
> >
> > in light of https://issues.apache.org/jira/browse/SLING-11623 I think
> it's worth to have a hopefully brief discussion about our dependency update
> policy.
> >
> > https://cwiki.apache.org/confluence/display/SLING/Dependabot captures
> what we said in the past and I think this is a good guideline, keeping the
> dependency at the lowest required.
> >
> > However :) with security issues in dependencies like the above, we leave
> all the responsibility on our users. Clearly, we don't want any of our
> users to run with known security issues, so if we update our dependencies
> to versions without known issues, we help our customers as they have to
> update the dependencies as well. It makes the world a little bit safer and
> avoids all these continuous scanning reports.
> >
> > I'm currently torn between the two, slightly preferring to update
> dependencies in case of security issues.
> >
> > Regards
> > Carsten
> > --
> > Carsten Ziegeler
> > Adobe
> > cziege...@apache.org
>
>


Re: Discuss policy for updating dependencies

2022-10-19 Thread Konrad Windszus
Hi,
There are lots of vulnerabilities reported which do not affect our usage of 
dependencies.
Therefore I am still in favour of putting the responsibility towards those who 
build applications/distributions out of Sling bundles.
For Sling Starter this is obviously us.

I would recommend to introduce some automated means (apart from dependabot) to 
check for vulnerabilities on all Maven projects which are not OSGi bundles.
Something like
https://jeremylong.github.io/DependencyCheck/dependency-check-maven/ works
for that use case.

A new policy for not depending on vulnerable dependencies will put a lot of 
pressure on us, to release bundles way more often than we currently do (for no 
functional benefit).

However, what is documented at 
https://cwiki.apache.org/confluence/display/SLING/Dependabot probably needs to 
be documented on our web site for consumers as well, so that the expectations 
can be managed.

Regards,
Konrad


> On 19. Oct 2022, at 17:28, Carsten Ziegeler  wrote:
> 
> Hi,
> 
> in light of https://issues.apache.org/jira/browse/SLING-11623 I think it's 
> worth to have a hopefully brief discussion about our dependency update policy.
> 
> https://cwiki.apache.org/confluence/display/SLING/Dependabot captures what we 
> said in the past and I think this is a good guideline, keeping the dependency 
> at the lowest required.
> 
> However :) with security issues in dependencies like the above, we leave all 
> the responsibility on our users. Clearly, we don't want any of our users to 
> run with known security issues, so if we update our dependencies to versions 
> without known issues, we help our customers as they have to update the 
> dependencies as well. It makes the world a little bit safer and avoids all 
> these continuous scanning reports.
> 
> I'm currently torn between the two, slightly preferring to update dependencies 
> in case of security issues.
> 
> Regards
> Carsten
> -- 
> Carsten Ziegeler
> Adobe
> cziege...@apache.org
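As an added illustration of the dependency-check-maven setup Konrad points at (this is not configuration taken from any Sling module): the plugin fails the build above a CVSS threshold, and the "does not affect our usage" findings discussed in this thread are recorded once in a suppression file, with a written rationale, instead of being re-argued on every scan. The plugin version, the threshold of 7 and the suppression file name are assumptions to adjust per project.

```xml
<!-- Added example, not from the Sling build. Wires dependency-check-maven
     into a plain (non-OSGi) Maven module. Version, CVSS threshold and the
     suppression file path are assumptions. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>7.1.1</version>
      <configuration>
        <!-- Fail the build on any finding scored High or Critical (CVSS >= 7). -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Findings reviewed as "not reachable in our usage" go here, each with
             a <notes> entry explaining why, so the scanner stops flagging them
             and the reasoning is versioned next to the code. -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

The `check` goal binds to the `verify` phase by default, so `mvn verify` fails whenever an unsuppressed finding reaches the threshold. Suppressions should be scoped to a specific CVE and package (not a blanket package suppression), and a suppression without a note is the thing a downstream security team will not trust.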



Re: Discuss policy for updating dependencies

2022-10-19 Thread Eric Norman
I would generally prefer that no dependencies have known security issues.
Basically, my position on this is the same as it was ~3 years ago from the
thread at [1].

Also, I'd agree with what was reported at [2] that it doesn't make sense to
depend on versions that have been declared as EOL when there is a newer
alternative that is still maintained.

1. https://lists.apache.org/thread/jhj626gn9xzng3bdxkmyx6ozyvcg7rlq
2. https://issues.apache.org/jira/browse/SLING-11621

Regards,
Eric

On Wed, Oct 19, 2022 at 8:28 AM Carsten Ziegeler 
wrote:

> Hi,
>
> in light of https://issues.apache.org/jira/browse/SLING-11623 I think
> it's worth to have a hopefully brief discussion about our dependency
> update policy.
>
> https://cwiki.apache.org/confluence/display/SLING/Dependabot captures
> what we said in the past and I think this is a good guideline, keeping
> the dependency at the lowest required.
>
> However :) with security issues in dependencies like the above, we leave
> all the responsibility on our users. Clearly, we don't want any of our
> users to run with known security issues, so if we update our
> dependencies to versions without known issues, we help our customers as
> they have to update the dependencies as well. It makes the world a
> little bit safer and avoids all these continuous scanning reports.
>
> I'm currently torn between the two, slightly preferring to update
> dependencies in case of security issues.
>
> Regards
> Carsten
> --
> Carsten Ziegeler
> Adobe
> cziege...@apache.org
>


Discuss policy for updating dependencies

2022-10-19 Thread Carsten Ziegeler

Hi,

in light of https://issues.apache.org/jira/browse/SLING-11623 I think 
it's worth to have a hopefully brief discussion about our dependency 
update policy.


https://cwiki.apache.org/confluence/display/SLING/Dependabot captures 
what we said in the past and I think this is a good guideline, keeping 
the dependency at the lowest required.


However :) with security issues in dependencies like the above, we leave 
all the responsibility on our users. Clearly, we don't want any of our 
users to run with known security issues, so if we update our 
dependencies to versions without known issues, we help our customers as 
they have to update the dependencies as well. It makes the world a 
little bit safer and avoids all these continuous scanning reports.


I'm currently torn between the two, slightly preferring to update 
dependencies in case of security issues.


Regards
Carsten
--
Carsten Ziegeler
Adobe
cziege...@apache.org


[jira] [Resolved] (SLING-11630) Feature model IOUtils should not use caches for jar files from jar url connection

2022-10-19 Thread Karl Pauls (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-11630?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Pauls resolved SLING-11630.

Resolution: Fixed

Done in https://github.com/apache/sling-org-apache-sling-feature/pull/31

> Feature model IOUtils should not use caches for jar files from jar url 
> connection
> -
>
> Key: SLING-11630
> URL: https://issues.apache.org/jira/browse/SLING-11630
> Project: Sling
>  Issue Type: Bug
>  Components: Feature Model
>Affects Versions: Feature Model 1.2.30
>Reporter: Karl Pauls
>Assignee: Karl Pauls
>Priority: Major
> Fix For: Feature Model 1.3.0
>
>
> The JarUrlConnection is set to use caches for JarFiles by default. That is a 
> problem because if there is more than one connection for the same JarFile and 
> the connection is going away, it will close the JarFile - potentially causing 
> the users of the JarFile from the other (still open) connection with a closed 
> JarFile. 
> To work around this problem, the IOUtils should set use caches to false on 
> the connections it creates.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
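To make the JarURLConnection cache behaviour described in SLING-11630 concrete, here is an added example (it is not code from the Sling feature model module). It builds a throwaway jar, opens two connections to the same entry, closes the first connection's JarFile and then reads through the second one. With the JDK default (caches on) both connections share one cached JarFile, so closing it through the first connection breaks the second, which fails with an IllegalStateException; with setUseCaches(false) each connection gets its own JarFile and the second read succeeds. The class and helper names, and the temp jar layout, are my own.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.JarURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;

// Added example (not Sling code): shows why JarURLConnection's default
// JarFile caching makes one connection's close() visible to another.
public class JarUrlCacheDemo {

    // Builds a throwaway jar with a single entry so the demo runs offline.
    static File createSampleJar() throws Exception {
        File jar = File.createTempFile("jar-url-cache-demo", ".jar");
        jar.deleteOnExit();
        try (JarOutputStream out = new JarOutputStream(new FileOutputStream(jar))) {
            out.putNextEntry(new JarEntry("hello.txt"));
            out.write("hello".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
        }
        return jar;
    }

    // Opens two connections to the same jar entry, closes the first
    // connection's JarFile (the "connection going away" from the issue)
    // and reports whether the second connection can still read the entry.
    static boolean secondReadSucceeds(File jar, boolean useCaches) throws Exception {
        URL url = new URL("jar:" + jar.toURI().toURL() + "!/hello.txt");

        JarURLConnection first = (JarURLConnection) url.openConnection();
        first.setUseCaches(useCaches);            // must be set before connect()
        JarURLConnection second = (JarURLConnection) url.openConnection();
        second.setUseCaches(useCaches);

        JarFile f1 = first.getJarFile();           // connects
        JarFile f2 = second.getJarFile();
        // With caching on, f1 and f2 are the very same cached JarFile instance.
        boolean shared = (f1 == f2);

        f1.close();                                // first connection goes away
        try (InputStream in = f2.getInputStream(f2.getJarEntry("hello.txt"))) {
            return in.read() != -1;
        } catch (IllegalStateException e) {        // "zip file closed"
            return false;
        } finally {
            if (!shared) {
                f2.close();                        // own instance, release it
            }
        }
    }

    public static void main(String[] args) throws Exception {
        File jar = createSampleJar();
        System.out.println("useCaches=true : second read ok? " + secondReadSucceeds(jar, true));
        System.out.println("useCaches=false: second read ok? " + secondReadSucceeds(jar, false));
    }
}
```

The same sharing also means that with caching on, the JarFile stays open and mapped for as long as the cache holds it, which is why a caller that wants deterministic close semantics has to opt out per connection, as the fix in pull request #31 does.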


[GitHub] [sling-org-apache-sling-feature] karlpauls merged pull request #31: Set use caches to false in IOUtils get jar to work around a possible …

2022-10-19 Thread GitBox


karlpauls merged PR #31:
URL: https://github.com/apache/sling-org-apache-sling-feature/pull/31


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



[jira] [Created] (SLING-11630) Feature model IOUtils should not use caches for jar files from jar url connection

2022-10-19 Thread Karl Pauls (Jira)
Karl Pauls created SLING-11630:
--

 Summary: Feature model IOUtils should not use caches for jar files 
from jar url connection
 Key: SLING-11630
 URL: https://issues.apache.org/jira/browse/SLING-11630
 Project: Sling
  Issue Type: Bug
  Components: Feature Model
Affects Versions: Feature Model 1.2.30
Reporter: Karl Pauls
Assignee: Karl Pauls
 Fix For: Feature Model 1.3.0


The JarUrlConnection is set to use caches for JarFiles by default. That is a 
problem because if there is more than one connection for the same JarFile and 
the connection is going away, it will close the JarFile - potentially causing 
the users of the JarFile from the other (still open) connection with a closed 
JarFile. 

To work around this problem, the IOUtils should set use caches to false on the 
connections it creates.





[jira] [Resolved] (SLING-11629) Update to Sling Bundle Parent 49

2022-10-19 Thread Oliver Lietz (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-11629?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Oliver Lietz resolved SLING-11629.
--
Resolution: Done

> Update to Sling Bundle Parent 49
> 
>
> Key: SLING-11629
> URL: https://issues.apache.org/jira/browse/SLING-11629
> Project: Sling
>  Issue Type: Task
>  Components: Commons
>Reporter: Oliver Lietz
>Assignee: Oliver Lietz
>Priority: Major
> Fix For: Commons Messaging Mail 2.0.2
>
>






[jira] [Created] (SLING-11629) Update to Sling Bundle Parent 49

2022-10-19 Thread Oliver Lietz (Jira)
Oliver Lietz created SLING-11629:


 Summary: Update to Sling Bundle Parent 49
 Key: SLING-11629
 URL: https://issues.apache.org/jira/browse/SLING-11629
 Project: Sling
  Issue Type: Task
  Components: Commons
Reporter: Oliver Lietz
Assignee: Oliver Lietz
 Fix For: Commons Messaging Mail 2.0.2








[jira] [Resolved] (SLING-11628) Update to Sling Bundle Parent 49

2022-10-19 Thread Oliver Lietz (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-11628?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Oliver Lietz resolved SLING-11628.
--
Resolution: Done

> Update to Sling Bundle Parent 49
> 
>
> Key: SLING-11628
> URL: https://issues.apache.org/jira/browse/SLING-11628
> Project: Sling
>  Issue Type: Task
>  Components: Commons
>Reporter: Oliver Lietz
>Assignee: Oliver Lietz
>Priority: Major
> Fix For: Commons Messaging 1.0.4
>
>






[jira] [Created] (SLING-11628) Update to Sling Bundle Parent 49

2022-10-19 Thread Oliver Lietz (Jira)
Oliver Lietz created SLING-11628:


 Summary: Update to Sling Bundle Parent 49
 Key: SLING-11628
 URL: https://issues.apache.org/jira/browse/SLING-11628
 Project: Sling
  Issue Type: Task
  Components: Commons
Reporter: Oliver Lietz
Assignee: Oliver Lietz
 Fix For: Commons Messaging 1.0.4








[jira] [Resolved] (SLING-11351) Update to Sling Bundle Parent 49

2022-10-19 Thread Oliver Lietz (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-11351?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Oliver Lietz resolved SLING-11351.
--
Resolution: Done

> Update to Sling Bundle Parent 49
> 
>
> Key: SLING-11351
> URL: https://issues.apache.org/jira/browse/SLING-11351
> Project: Sling
>  Issue Type: Task
>  Components: Commons
>Reporter: Oliver Lietz
>Assignee: Oliver Lietz
>Priority: Major
> Fix For: Commons Content Processing 2.0.0
>
>






[jira] [Resolved] (SLING-11626) Make report thread safe

2022-10-19 Thread Oliver Lietz (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-11626?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Oliver Lietz resolved SLING-11626.
--
Resolution: Done

> Make report thread safe
> ---
>
> Key: SLING-11626
> URL: https://issues.apache.org/jira/browse/SLING-11626
> Project: Sling
>  Issue Type: Improvement
>  Components: Commons
>Reporter: Oliver Lietz
>Assignee: Oliver Lietz
>Priority: Major
> Fix For: Commons Content Processing 2.0.0
>
>






[jira] [Resolved] (SLING-11349) Support rereading and rewriting of content

2022-10-19 Thread Oliver Lietz (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-11349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Oliver Lietz resolved SLING-11349.
--
Resolution: Done

> Support rereading and rewriting of content
> --
>
> Key: SLING-11349
> URL: https://issues.apache.org/jira/browse/SLING-11349
> Project: Sling
>  Issue Type: Improvement
>  Components: Commons
>Reporter: Oliver Lietz
>Assignee: Oliver Lietz
>Priority: Major
> Fix For: Commons Content Processing 2.0.0
>
>






[jira] [Resolved] (SLING-11625) Make report thread safe

2022-10-19 Thread Oliver Lietz (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-11625?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Oliver Lietz resolved SLING-11625.
--
Resolution: Done

> Make report thread safe
> ---
>
> Key: SLING-11625
> URL: https://issues.apache.org/jira/browse/SLING-11625
> Project: Sling
>  Issue Type: Improvement
>  Components: Commons
>Reporter: Oliver Lietz
>Assignee: Oliver Lietz
>Priority: Major
> Fix For: Commons Content Analyzing 2.0.0
>
>






[jira] [Resolved] (SLING-11348) Support rereading of content

2022-10-19 Thread Oliver Lietz (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-11348?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Oliver Lietz resolved SLING-11348.
--
Resolution: Done

> Support rereading of content
> 
>
> Key: SLING-11348
> URL: https://issues.apache.org/jira/browse/SLING-11348
> Project: Sling
>  Issue Type: Improvement
>  Components: Commons
>Reporter: Oliver Lietz
>Assignee: Oliver Lietz
>Priority: Major
> Fix For: Commons Content Analyzing 2.0.0
>
>






[jira] [Resolved] (SLING-11350) Update to Sling Bundle Parent 49

2022-10-19 Thread Oliver Lietz (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-11350?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Oliver Lietz resolved SLING-11350.
--
Resolution: Done

> Update to Sling Bundle Parent 49
> 
>
> Key: SLING-11350
> URL: https://issues.apache.org/jira/browse/SLING-11350
> Project: Sling
>  Issue Type: Task
>  Components: Commons
>Reporter: Oliver Lietz
>Assignee: Oliver Lietz
>Priority: Major
> Fix For: Commons Content Analyzing 2.0.0
>
>






[GitHub] [sling-org-apache-sling-xss] rombert commented on a diff in pull request #30: Add tests for the dynamic and global attribute

2022-10-19 Thread GitBox


rombert commented on code in PR #30:
URL: 
https://github.com/apache/sling-org-apache-sling-xss/pull/30#discussion_r999362695


##
src/test/java/org/apache/sling/xss/impl/AntiSamyPolicyWithTestConfigTest.java:
##
@@ -0,0 +1,146 @@
+/*~~
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements.  See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership.  The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License.  You may obtain a copy of the License at
+ ~
+ ~   http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied.  See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ 
~*/
+package org.apache.sling.xss.impl;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import javax.xml.stream.XMLStreamException;
+
+import java.io.IOException;
+import java.util.regex.Pattern;
+
+import org.apache.sling.xss.impl.xml.AntiSamyPolicy;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
+
+public class AntiSamyPolicyWithTestConfigTest {
+
+public static final String POLICY_FILE = "./testConfig.xml";
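Review bot: `POLICY_FILE = "./testConfig.xml"` is a path relative to the JVM's working directory, so if the test opens it as a file it passes from the module root but breaks when run from an IDE or a multi-module reactor build with a different cwd. Load the fixture as a classpath resource instead (for example `AntiSamyPolicyWithTestConfigTest.class.getResourceAsStream("/testConfig.xml")` with the file under `src/test/resources`), and give it a name that says which dynamic/global attribute rules it exercises, since `testConfig.xml` does not.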

Review Comment:
   Please set a self-explanatory name, e.g. `configWithFeatureFoo.xml` so it's 
immediately clear what it contains.



##
src/main/java/org/apache/sling/xss/impl/AntiSamyPolicyAdapter.java:
##
@@ -222,43 +224,28 @@ public boolean apply(String s) {
 private static Predicate matchesPatternsOrLiterals(List 
patternList, boolean ignoreCase, List literalList) {
 return new Predicate() {
 public boolean apply(String s) {
-// check if the string matches to the pattern
-for (Pattern pattern : patternList) {
-if (pattern.matcher(s).matches()) {
-return true;
-}
-}
-// if the pattern does not match it goes through the literals
-for (String string : literalList) {
-s = ignoreCase
-? s.toLowerCase()
-: s;
-if (string.equals(s)) {
-return true;
-}
-}
-// if it neither matches the patterns nor the literals it 
returns false
-return false;
+// check if the string matches to the pattern or one of the 
literal
+s = ignoreCase ? s.toLowerCase() : s;
+return matchesToPatterns(patternList).apply(s) || 
literalList.contains(s);
 }
 };
 }
 
-public AttributePolicy newDynamicAttributePolicy(final Pattern pattern) {
+public AttributePolicy newDynamicAttributePolicy(final List 
patternList, final boolean ignoreCase, final List literalList) {
 return new AttributePolicy() {
 @Override
 public @Nullable String apply(String elementName, String 
attributeName, String value) {
-return pattern.matcher(value).matches() ? value : null;
-}
-};
-}
+if (!literalList.isEmpty() && !patternList.isEmpty()) {
+return matchesPatternsOrLiterals(patternList,ignoreCase, 
literalList).apply(value) ? value : null;
 
-public AttributePolicy newDynamicAttributePolicy(boolean ignoreCase, 
String... allowedValues) {
-final List allowed = Arrays.asList(allowedValues);
-return new AttributePolicy() {
-@Override
-public @Nullable String apply(String elementName, String 
attributeName, String uncanonValue) {
-String value = ignoreCase ? uncanonValue.toLowerCase() : 
uncanonValue;
-return allowed.contains(value) ? value : null;
+} else if (!literalList.isEmpty()) {
+value = ignoreCase ? value.toLowerCase() : value;
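Review bot: the two branches of the new `newDynamicAttributePolicy` return the attribute value in different canonical forms. When both lists are non-empty, `matchesPatternsOrLiterals(patternList,ignoreCase, literalList).apply(value) ? value : null` hands back the original-case value, whereas the literals-only branch first does `value = ignoreCase ? value.toLowerCase() : value;` and so returns the lower-cased form (as the removed `newDynamicAttributePolicy(boolean ignoreCase, String... allowedValues)` did). Pick one behaviour for both branches, so the sanitized output for the same attribute does not depend on whether a pattern happens to be configured next to the literals. Two related points in `matchesPatternsOrLiterals`: the lower-casing of `s` now happens before the pattern check as well, so case-sensitive patterns that previously saw the raw input are now matched against lower-cased input, which is a behaviour change this "add tests" PR should call out; and `literalList.contains(s)` after lower-casing `s` only works if the configured literals are already lower-case, so either lower-case the list once when the predicate is built or document the requirement. In both places, use `toLowerCase(Locale.ROOT)` rather than the locale-sensitive no-argument form.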

Review Comment:
   `String.toLowerCase` without an explicit locale can be dangerous, see 
https://stackoverflow.com/questions/11063102/using-locales-with-javas-tolowercase-and-touppercase
 for some discussion. Please figure out whether we can run in the default 
locale or need to use something like english.



##

[GitHub] [sling-org-apache-sling-xss] rombert commented on pull request #30: Add tests for the dynamic and global attribute

2022-10-19 Thread GitBox


rombert commented on PR #30:
URL: 
https://github.com/apache/sling-org-apache-sling-xss/pull/30#issuecomment-1283913227

   
   
   
   
   > > @kwin - is this failure related to your recent changes? 
https://ci-builds.apache.org/blue/organizations/jenkins/Sling%2Fmodules%2Fsling-org-apache-sling-xss/detail/PR-30/1/pipeline
 fails with
   > > ```
   > > + mvn -U -B -e clean compile
   > > - withMaven Wrapper script -
   > > The JAVA_HOME environment variable is not defined correctly,
   > > this environment variable is needed to run this program.
   > > script returned exit code 1
   > > ```
   > 
   > @rombert Thanks for the pointer, I accidentally removed a variable 
specifying the default node label. That made ASF Jenkins run certain stages on 
nodes not having Java installed. I fixed it (hopefully) with 
[apache/sling-tooling-jenkins@849fe59](https://github.com/apache/sling-tooling-jenkins/commit/849fe59626774cb8f8a336ec18ef04d4461738d7).
   
   Looks good now, thanks @kwin!





[GitHub] [sling-org-apache-sling-xss] sonarcloud[bot] commented on pull request #30: Add tests for the dynamic and global attribute

2022-10-19 Thread GitBox


sonarcloud[bot] commented on PR #30:
URL: 
https://github.com/apache/sling-org-apache-sling-xss/pull/30#issuecomment-1283894539

   SonarCloud Quality Gate failed.
   https://sonarcloud.io/dashboard?id=apache_sling-org-apache-sling-xss=30

   0 Bugs, 0 Vulnerabilities, 0 Security Hotspots, 4 Code Smells
   74.1% Coverage, 0.0% Duplication




[jira] [Commented] (SLING-11627) ConcurrentModificationException when merging configurations

2022-10-19 Thread Carsten Ziegeler (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-11627?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17620281#comment-17620281
 ] 

Carsten Ziegeler commented on SLING-11627:
--

Some code clean up 
https://github.com/apache/sling-org-apache-sling-feature/commit/8c05b0650ce21a0607cce7f8c029f93f21114886

> ConcurrentModificationException when merging configurations
> ---
>
> Key: SLING-11627
> URL: https://issues.apache.org/jira/browse/SLING-11627
> Project: Sling
>  Issue Type: Bug
>  Components: Feature Model
>Affects Versions: Feature Model 1.2.30
>Reporter: Carsten Ziegeler
>Assignee: Carsten Ziegeler
>Priority: Major
> Fix For: Feature Model 1.3.0
>
>
> When there is a clash of configurations, merging two features using the 
> BuilderUtil might throw a concurrent modification exception





[jira] [Resolved] (SLING-11627) ConcurrentModificationException when merging configurations

2022-10-19 Thread Carsten Ziegeler (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-11627?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Carsten Ziegeler resolved SLING-11627.
--
Resolution: Fixed

> ConcurrentModificationException when merging configurations
> ---
>
> Key: SLING-11627
> URL: https://issues.apache.org/jira/browse/SLING-11627
> Project: Sling
>  Issue Type: Bug
>  Components: Feature Model
>Affects Versions: Feature Model 1.2.30
>Reporter: Carsten Ziegeler
>Assignee: Carsten Ziegeler
>Priority: Major
> Fix For: Feature Model 1.3.0
>
>
> When there is a clash of configurations, merging two features using the 
> BuilderUtil might throw a concurrent modification exception





[GitHub] [sling-org-apache-sling-feature] sonarcloud[bot] commented on pull request #31: Set use caches to false in IOUtils get jar to work around a possible …

2022-10-19 Thread GitBox


sonarcloud[bot] commented on PR #31:
URL: 
https://github.com/apache/sling-org-apache-sling-feature/pull/31#issuecomment-1283890757

   Kudos, SonarCloud Quality Gate passed!
   https://sonarcloud.io/dashboard?id=apache_sling-org-apache-sling-feature=31

   0 Bugs, 0 Vulnerabilities, 0 Security Hotspots, 0 Code Smells
   100.0% Coverage, 0.0% Duplication




[GitHub] [sling-org-apache-sling-feature] karlpauls opened a new pull request, #31: Set use caches to false in IOUtils get jar to work around a possible …

2022-10-19 Thread GitBox


karlpauls opened a new pull request, #31:
URL: https://github.com/apache/sling-org-apache-sling-feature/pull/31

   …jvm issue





[GitHub] [sling-org-apache-sling-xss] kwin commented on pull request #30: Add tests for the dynamic and global attribute

2022-10-19 Thread GitBox


kwin commented on PR #30:
URL: 
https://github.com/apache/sling-org-apache-sling-xss/pull/30#issuecomment-1283877213

   > @kwin - is this failure related to your recent changes? 
https://ci-builds.apache.org/blue/organizations/jenkins/Sling%2Fmodules%2Fsling-org-apache-sling-xss/detail/PR-30/1/pipeline
 fails with
   > 
   > ```
   > + mvn -U -B -e clean compile
   > - withMaven Wrapper script -
   > The JAVA_HOME environment variable is not defined correctly,
   > this environment variable is needed to run this program.
   > script returned exit code 1
   > ```
   
   @rombert Thanks for the pointer, I accidentally removed a variable 
specifying the default node label. That made ASF Jenkins run certain stages on 
nodes not having Java installed. I fixed it (hopefully) with 
https://github.com/apache/sling-tooling-jenkins/commit/849fe59626774cb8f8a336ec18ef04d4461738d7.





[jira] [Commented] (SLING-11627) ConcurrentModificationException when merging configurations

2022-10-19 Thread Carsten Ziegeler (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-11627?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17620236#comment-17620236
 ] 

Carsten Ziegeler commented on SLING-11627:
--

Potential fix in 
https://github.com/apache/sling-org-apache-sling-feature/commit/9138a38d88916ab05a7abd6878441fbac0cfa6d7
 which also avoids merging the extra properties containing the origins

> ConcurrentModificationException when merging configurations
> ---
>
> Key: SLING-11627
> URL: https://issues.apache.org/jira/browse/SLING-11627
> Project: Sling
>  Issue Type: Bug
>  Components: Feature Model
>Affects Versions: Feature Model 1.2.30
>Reporter: Carsten Ziegeler
>Assignee: Carsten Ziegeler
>Priority: Major
> Fix For: Feature Model 1.3.0
>
>
> When there is a clash of configurations, merging two features using the 
> BuilderUtil might throw a concurrent modification exception



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Created] (SLING-11627) ConcurrentModificationException when merging configurations

2022-10-19 Thread Carsten Ziegeler (Jira)
Carsten Ziegeler created SLING-11627:


 Summary: ConcurrentModificationException when merging 
configurations
 Key: SLING-11627
 URL: https://issues.apache.org/jira/browse/SLING-11627
 Project: Sling
  Issue Type: Bug
  Components: Feature Model
Affects Versions: Feature Model 1.2.30
Reporter: Carsten Ziegeler
Assignee: Carsten Ziegeler
 Fix For: Feature Model 1.3.0


When there is a clash of configurations, merging two features using the 
BuilderUtil might throw a concurrent modification exception





[jira] [Commented] (SLING-11396) Jenkins: Allow to configure build OS

2022-10-19 Thread Konrad Windszus (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-11396?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17620233#comment-17620233
 ] 

Konrad Windszus commented on SLING-11396:
-

With 
https://github.com/apache/sling-tooling-jenkins/commit/849fe59626774cb8f8a336ec18ef04d4461738d7
 I re-added the {{mainNodeLevel}} variable as this is still used for certain 
stages.

> Jenkins: Allow to configure build OS
> 
>
> Key: SLING-11396
> URL: https://issues.apache.org/jira/browse/SLING-11396
> Project: Sling
>  Issue Type: Improvement
>  Components: Build and Source Control
>Reporter: Konrad Windszus
>Assignee: Konrad Windszus
>Priority: Major
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> As ASF provides Jenkins nodes for different operating systems 
> (https://cwiki.apache.org/confluence/display/INFRA/ci-builds.apache.org) we 
> should allow Sling modules to parameterize the OS as well.
> This requires an extension of 
> https://cwiki.apache.org/confluence/display/SLING/Sling+module+descriptor.





[jira] [Created] (SLING-11625) Make report thread safe

2022-10-19 Thread Oliver Lietz (Jira)
Oliver Lietz created SLING-11625:


 Summary: Make report thread safe
 Key: SLING-11625
 URL: https://issues.apache.org/jira/browse/SLING-11625
 Project: Sling
  Issue Type: Improvement
  Components: Commons
Reporter: Oliver Lietz
Assignee: Oliver Lietz
 Fix For: Commons Content Analyzing 2.0.0








[jira] [Created] (SLING-11626) Make report thread safe

2022-10-19 Thread Oliver Lietz (Jira)
Oliver Lietz created SLING-11626:


 Summary: Make report thread safe
 Key: SLING-11626
 URL: https://issues.apache.org/jira/browse/SLING-11626
 Project: Sling
  Issue Type: Improvement
  Components: Commons
Reporter: Oliver Lietz
Assignee: Oliver Lietz
 Fix For: Commons Content Processing 2.0.0








[jira] [Updated] (SLING-11351) Update to Sling Bundle Parent 49

2022-10-19 Thread Oliver Lietz (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-11351?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Oliver Lietz updated SLING-11351:
-
Summary: Update to Sling Bundle Parent 49  (was: Update to Sling Bundle 
Parent 48)

> Update to Sling Bundle Parent 49
> 
>
> Key: SLING-11351
> URL: https://issues.apache.org/jira/browse/SLING-11351
> Project: Sling
>  Issue Type: Task
>  Components: Commons
>Reporter: Oliver Lietz
>Assignee: Oliver Lietz
>Priority: Major
> Fix For: Commons Content Processing 2.0.0
>
>






[jira] [Updated] (SLING-11350) Update to Sling Bundle Parent 49

2022-10-19 Thread Oliver Lietz (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-11350?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Oliver Lietz updated SLING-11350:
-
Summary: Update to Sling Bundle Parent 49  (was: Update to Sling Bundle 
Parent 48)

> Update to Sling Bundle Parent 49
> 
>
> Key: SLING-11350
> URL: https://issues.apache.org/jira/browse/SLING-11350
> Project: Sling
>  Issue Type: Task
>  Components: Commons
>Reporter: Oliver Lietz
>Assignee: Oliver Lietz
>Priority: Major
> Fix For: Commons Content Analyzing 2.0.0
>
>






[GitHub] [sling-org-apache-sling-xss] rombert commented on pull request #30: Add tests for the dynamic and global attribute

2022-10-19 Thread GitBox


rombert commented on PR #30:
URL: 
https://github.com/apache/sling-org-apache-sling-xss/pull/30#issuecomment-1283704781

   @nonanalou - while we figure out the CI issues, can you please reference a 
Jira issue in:
   - the PR summary
   - commit message
   ?
   
   `SLING- - Fix problem X` is the pattern we prefer.
   
   Thanks!





[GitHub] [sling-org-apache-sling-xss] rombert commented on pull request #30: Add tests for the dynamic and global attribute

2022-10-19 Thread GitBox


rombert commented on PR #30:
URL: 
https://github.com/apache/sling-org-apache-sling-xss/pull/30#issuecomment-1283703470

   @kwin - is this failure related to your recent changes? 
https://ci-builds.apache.org/blue/organizations/jenkins/Sling%2Fmodules%2Fsling-org-apache-sling-xss/detail/PR-30/1/pipeline
 fails with
   
   ```
   + mvn -U -B -e clean compile
   - withMaven Wrapper script -
   The JAVA_HOME environment variable is not defined correctly,
   this environment variable is needed to run this program.
   script returned exit code 1
   ```





[GitHub] [sling-org-apache-sling-xss] nonanalou opened a new pull request, #30: Add tests for the dynamic and global attribute

2022-10-19 Thread GitBox


nonanalou opened a new pull request, #30:
URL: https://github.com/apache/sling-org-apache-sling-xss/pull/30

* Correct the policy adapter so that the conditions are added with an "or" 
instead of an "and".





[jira] [Commented] (SLING-11623) update commons text

2022-10-19 Thread Robert Munteanu (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-11623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17620125#comment-17620125
 ] 

Robert Munteanu commented on SLING-11623:
-

[~kwin] - we touch on the "update OSGi dependencies as needed" topic at 
https://cwiki.apache.org/confluence/display/SLING/Dependabot . I wrote that 
page, but I think it captures the consensus that we have.

We already get "false flag" security reports, either in Sling or in 
downstream distributions which include our bundles. I think we should follow 
the implicit policy we have to keep the imports as relaxed as possible. If we 
want to change that, let's have a discussion on the dev list and start 
implementing it consistently. Doing different things for some 
bundles/dependencies will only make things more confusing.

> update commons text
> ---
>
> Key: SLING-11623
> URL: https://issues.apache.org/jira/browse/SLING-11623
> Project: Sling
>  Issue Type: Improvement
>  Components: Commons, Feature Model, Maven Plugins and Archetypes, 
> XSS Protection API
>Affects Versions: XSS Protection API 2.3.0, slingfeature-maven-plugin 
> 1.6.8, Feature Model Launcher 1.2.0, Rewriter 1.3.4
>Reporter: Joerg Hoh
>Assignee: Joerg Hoh
>Priority: Major
> Fix For: slingfeature-maven-plugin 1.6.10, Feature Model Launcher 
> 1.2.2, Rewriter 1.3.6, XSS Protection API 2.3.2
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>






[jira] [Comment Edited] (SLING-11623) update commons text

2022-10-19 Thread Konrad Windszus (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-11623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17620081#comment-17620081
 ] 

Konrad Windszus edited comment on SLING-11623 at 10/19/22 7:58 AM:
---

I think we discussed this several times and just increasing the dependency 
versions to prevent false positives of security scanners for no reason 
restricts compatibility with older distributions. In OSGi world only the run 
time matters!


was (Author: kwin):
I think we discussed this several times and just increasing the dependencies to 
prevent false positives of security scanners for no reason restricts 
compatibility with older distributions. In OSGi world only the run time matters!

> update commons text
> ---
>
> Key: SLING-11623
> URL: https://issues.apache.org/jira/browse/SLING-11623
> Project: Sling
>  Issue Type: Improvement
>  Components: Commons, Feature Model, Maven Plugins and Archetypes, 
> XSS Protection API
>Affects Versions: XSS Protection API 2.3.0, slingfeature-maven-plugin 
> 1.6.8, Feature Model Launcher 1.2.0, Rewriter 1.3.4
>Reporter: Joerg Hoh
>Assignee: Joerg Hoh
>Priority: Major
> Fix For: slingfeature-maven-plugin 1.6.10, Feature Model Launcher 
> 1.2.2, Rewriter 1.3.6, XSS Protection API 2.3.2
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>






[jira] [Commented] (SLING-11623) update commons text

2022-10-19 Thread Konrad Windszus (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-11623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17620081#comment-17620081
 ] 

Konrad Windszus commented on SLING-11623:
-

I think we discussed this several times and just increasing the dependencies to 
prevent false positives of security scanners for no reason restricts 
compatibility with older distributions. In OSGi world only the run time matters!

> update commons text
> ---
>
> Key: SLING-11623
> URL: https://issues.apache.org/jira/browse/SLING-11623
> Project: Sling
>  Issue Type: Improvement
>  Components: Commons, Feature Model, Maven Plugins and Archetypes, 
> XSS Protection API
>Affects Versions: XSS Protection API 2.3.0, slingfeature-maven-plugin 
> 1.6.8, Feature Model Launcher 1.2.0, Rewriter 1.3.4
>Reporter: Joerg Hoh
>Assignee: Joerg Hoh
>Priority: Major
> Fix For: slingfeature-maven-plugin 1.6.10, Feature Model Launcher 
> 1.2.2, Rewriter 1.3.6, XSS Protection API 2.3.2
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>






[jira] [Commented] (SLING-11623) update commons text

2022-10-19 Thread Joerg Hoh (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-11623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17620073#comment-17620073
 ] 

Joerg Hoh commented on SLING-11623:
---

[~rombert] I know :-)

On the other hand, I want to avoid any misunderstandings of "security 
scanners" which assume that you always use the dependency versions you 
reference. So I updated the dependency even if it does not have any impact on 
these bundles.

> update commons text
> ---
>
> Key: SLING-11623
> URL: https://issues.apache.org/jira/browse/SLING-11623
> Project: Sling
>  Issue Type: Improvement
>  Components: Commons, Feature Model, Maven Plugins and Archetypes, 
> XSS Protection API
>Affects Versions: XSS Protection API 2.3.0, slingfeature-maven-plugin 
> 1.6.8, Feature Model Launcher 1.2.0, Rewriter 1.3.4
>Reporter: Joerg Hoh
>Assignee: Joerg Hoh
>Priority: Major
> Fix For: slingfeature-maven-plugin 1.6.10, Feature Model Launcher 
> 1.2.2, Rewriter 1.3.6, XSS Protection API 2.3.2
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>






[GitHub] [sling-whiteboard] sonarcloud[bot] commented on pull request #91: Bump jackson-databind from 2.13.3 to 2.13.4.1 in /org.apache.sling.jaxrs/bundle

2022-10-19 Thread GitBox


sonarcloud[bot] commented on PR #91:
URL: https://github.com/apache/sling-whiteboard/pull/91#issuecomment-1283514196

   Kudos, SonarCloud Quality Gate passed! ([Quality Gate passed](https://sonarcloud.io/dashboard?id=apache_sling-whiteboard=91))
   
   [0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-whiteboard=91=false=BUG)
   [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-whiteboard=91=false=VULNERABILITY)
   [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-whiteboard=91=false=SECURITY_HOTSPOT)
   [0 Code Smells](https://sonarcloud.io/project/issues?id=apache_sling-whiteboard=91=false=CODE_SMELL)
   [No Coverage information](https://sonarcloud.io/component_measures?id=apache_sling-whiteboard=91=coverage=list)
   [No Duplication information](https://sonarcloud.io/component_measures?id=apache_sling-whiteboard=91=duplicated_lines_density=list)





[GitHub] [sling-whiteboard] dependabot[bot] opened a new pull request, #91: Bump jackson-databind from 2.13.3 to 2.13.4.1 in /org.apache.sling.jaxrs/bundle

2022-10-19 Thread GitBox


dependabot[bot] opened a new pull request, #91:
URL: https://github.com/apache/sling-whiteboard/pull/91

   Bumps [jackson-databind](https://github.com/FasterXML/jackson) from 2.13.3 
to 2.13.4.1.
   
   Commits: see full diff in [compare view](https://github.com/FasterXML/jackson/commits).
   
   [![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.fasterxml.jackson.core:jackson-databind=maven=2.13.3=2.13.4.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   
   ---
   
   
   Dependabot commands and options
   
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot merge` will merge this PR after your CI passes on it
   - `@dependabot squash and merge` will squash and merge this PR after your CI 
passes on it
   - `@dependabot cancel merge` will cancel a previously requested merge and 
block automerging
   - `@dependabot reopen` will reopen this PR if it is closed
   - `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually
   - `@dependabot ignore this major version` will close this PR and stop 
Dependabot creating any more for this major version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop 
Dependabot creating any more for this minor version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop 
Dependabot creating any more for this dependency (unless you reopen the PR or 
upgrade to it yourself)
   - `@dependabot use these labels` will set the current labels as the default 
for future PRs for this repo and language
   - `@dependabot use these reviewers` will set the current reviewers as the 
default for future PRs for this repo and language
   - `@dependabot use these assignees` will set the current assignees as the 
default for future PRs for this repo and language
   - `@dependabot use this milestone` will set the current milestone as the 
default for future PRs for this repo and language
   
   You can disable automated security fix PRs for this repo from the [Security 
Alerts page](https://github.com/apache/sling-whiteboard/network/alerts).
   
   





[GitHub] [sling-whiteboard] dependabot[bot] opened a new pull request, #90: Bump jackson-databind from 2.13.3 to 2.13.4.1 in /org.apache.sling.jaxrs/it

2022-10-19 Thread GitBox


dependabot[bot] opened a new pull request, #90:
URL: https://github.com/apache/sling-whiteboard/pull/90

   Bumps [jackson-databind](https://github.com/FasterXML/jackson) from 2.13.3 
to 2.13.4.1.
   
   Commits: see full diff in [compare view](https://github.com/FasterXML/jackson/commits).
   
   [![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.fasterxml.jackson.core:jackson-databind=maven=2.13.3=2.13.4.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   
   ---
   
   
   Dependabot commands and options
   
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot merge` will merge this PR after your CI passes on it
   - `@dependabot squash and merge` will squash and merge this PR after your CI 
passes on it
   - `@dependabot cancel merge` will cancel a previously requested merge and 
block automerging
   - `@dependabot reopen` will reopen this PR if it is closed
   - `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually
   - `@dependabot ignore this major version` will close this PR and stop 
Dependabot creating any more for this major version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop 
Dependabot creating any more for this minor version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop 
Dependabot creating any more for this dependency (unless you reopen the PR or 
upgrade to it yourself)
   - `@dependabot use these labels` will set the current labels as the default 
for future PRs for this repo and language
   - `@dependabot use these reviewers` will set the current reviewers as the 
default for future PRs for this repo and language
   - `@dependabot use these assignees` will set the current assignees as the 
default for future PRs for this repo and language
   - `@dependabot use this milestone` will set the current milestone as the 
default for future PRs for this repo and language
   
   You can disable automated security fix PRs for this repo from the [Security 
Alerts page](https://github.com/apache/sling-whiteboard/network/alerts).
   
   





[GitHub] [sling-org-apache-sling-testing-clients] sonarcloud[bot] commented on pull request #40: Bump jackson-databind from 2.13.2.1 to 2.13.4.1

2022-10-19 Thread GitBox


sonarcloud[bot] commented on PR #40:
URL: 
https://github.com/apache/sling-org-apache-sling-testing-clients/pull/40#issuecomment-1283491684

   Kudos, SonarCloud Quality Gate passed! ([Quality Gate passed](https://sonarcloud.io/dashboard?id=apache_sling-org-apache-sling-testing-clients=40))
   
   [0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-testing-clients=40=false=BUG)
   [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-testing-clients=40=false=VULNERABILITY)
   [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-testing-clients=40=false=SECURITY_HOTSPOT)
   [0 Code Smells](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-testing-clients=40=false=CODE_SMELL)
   [No Coverage information](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-testing-clients=40=coverage=list)
   [0.0% Duplication](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-testing-clients=40=new_duplicated_lines_density=list)





[GitHub] [sling-org-apache-sling-testing-clients] dependabot[bot] opened a new pull request, #40: Bump jackson-databind from 2.13.2.1 to 2.13.4.1

2022-10-19 Thread GitBox


dependabot[bot] opened a new pull request, #40:
URL: https://github.com/apache/sling-org-apache-sling-testing-clients/pull/40

   Bumps [jackson-databind](https://github.com/FasterXML/jackson) from 2.13.2.1 
to 2.13.4.1.
   
   Commits: see full diff in [compare view](https://github.com/FasterXML/jackson/commits).
   
   [![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.fasterxml.jackson.core:jackson-databind=maven=2.13.2.1=2.13.4.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   
   ---
   
   
   Dependabot commands and options
   
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot merge` will merge this PR after your CI passes on it
   - `@dependabot squash and merge` will squash and merge this PR after your CI 
passes on it
   - `@dependabot cancel merge` will cancel a previously requested merge and 
block automerging
   - `@dependabot reopen` will reopen this PR if it is closed
   - `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually
   - `@dependabot ignore this major version` will close this PR and stop 
Dependabot creating any more for this major version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop 
Dependabot creating any more for this minor version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop 
Dependabot creating any more for this dependency (unless you reopen the PR or 
upgrade to it yourself)
   - `@dependabot use these labels` will set the current labels as the default 
for future PRs for this repo and language
   - `@dependabot use these reviewers` will set the current reviewers as the 
default for future PRs for this repo and language
   - `@dependabot use these assignees` will set the current assignees as the 
default for future PRs for this repo and language
   - `@dependabot use this milestone` will set the current milestone as the 
default for future PRs for this repo and language
   
   You can disable automated security fix PRs for this repo from the [Security 
Alerts 
page](https://github.com/apache/sling-org-apache-sling-testing-clients/network/alerts).
   
   

