[jira] [Updated] (SLING-10790) BundleEntryHandler.extractArtifactId may use wrong GAV

2022-05-16 Thread Carsten Ziegeler (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10790?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Carsten Ziegeler updated SLING-10790:
-
Fix Version/s: (was: Content-Package to Feature Model Converter 1.1.16)

> BundleEntryHandler.extractArtifactId may use wrong GAV
> --
>
> Key: SLING-10790
> URL: https://issues.apache.org/jira/browse/SLING-10790
> Project: Sling
>  Issue Type: Bug
>  Components: Content-Package to Feature Model Converter
>Reporter: Angela Schreiber
>Priority: Minor
>
> [~kpauls], if my reading of {{BundleEntryHandler.extractArtifactId}} is 
> correct, the method might be ending up using the wrong 
> groupId/artifactId/version.
> the code will loop over jar-entries and stop if the extracted GAV matches the 
> bundle name. however, groupId/artifactId/version are not reset to {{null}} in 
> case they were successfully extracted but didn't end up matching the bundle 
> name i.e. {quote}it was the pom.properties we were looking for{quote}.
> i can't tell how big of an issue that is (and how likely). but given the fact 
> that there is some extra effort to verify that the parsed pom is actually the 
> right one, it might actually be relevant. this relies on a compliant content 
> package that does contain a matching pom, which may or may not be the case... 
> logging a warning or throwing a ConverterException in case of violation might 
> help spotting troublesome content packages instead of getting some sort of 
> side effect if another pom was spotted.
> a heavily simplified copy of the method:
> {code}
> String artifactId = null;
> String version = null;
> String groupId = null;
> String classifier = null;
> for (Enumeration e = jarFile.entries(); e.hasMoreElements();) {
>     [...]
>     // extract groupId/artifactId/version
>     [...]
>
>     if (groupId != null && artifactId != null && version != null) {
>         // bundleName is now the bare name without extension
>         String synthesized = artifactId + "-" + version;
>         // it was the pom.properties we were looking for
>         if (bundleName.startsWith(synthesized) || bundleName.equals(artifactId)) {
>             [...]
>
>             // no need to iterate further
>             break;
>         }
>     }
> }
>
> if (groupId == null) {
>     [...]
> }
> return new ArtifactId(groupId, artifactId, version, classifier, JAR_TYPE);
> {code}
> feel free to resolve as not a problem in case my reading of the code is all 
> wrong.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
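
The stale-GAV behaviour described in the report, reproduced as an added example that is not part of the original messages and is not the converter's code. The class `StaleGavDemo`, the `extract` method with its `strict` flag, the use of `IllegalStateException` as a stand-in for `ConverterException`, and the constructed jar with its `org.example:embedded-lib:9.9.9` coordinates are all assumptions made for illustration.

```java
import java.io.*;
import java.util.Properties;
import java.util.jar.*;

public class StaleGavDemo {
    // strict=false mirrors the reported loop; strict=true resets a rejected candidate.
    static String extract(byte[] jar, String bundleName, boolean strict) throws IOException {
        String groupId = null, artifactId = null, version = null;
        try (JarInputStream in = new JarInputStream(new ByteArrayInputStream(jar))) {
            for (JarEntry e; (e = in.getNextJarEntry()) != null; ) {
                if (!e.getName().endsWith("/pom.properties")) continue;
                Properties p = new Properties();
                p.load(in); // reads to the end of the current entry, stream stays open
                groupId = p.getProperty("groupId");
                artifactId = p.getProperty("artifactId");
                version = p.getProperty("version");
                if (groupId != null && artifactId != null && version != null
                        && (bundleName.startsWith(artifactId + "-" + version)
                            || bundleName.equals(artifactId))) {
                    return groupId + ":" + artifactId + ":" + version; // verified against the bundle name
                }
                if (strict) groupId = artifactId = version = null;
            }
        }
        if (groupId == null) // stand-in for the ConverterException suggested in the report
            throw new IllegalStateException("no pom.properties matches " + bundleName);
        return groupId + ":" + artifactId + ":" + version; // leftovers of a rejected candidate
    }

    // Constructed sample: a bundle jar that carries only an embedded dependency's pom.properties.
    static byte[] sampleJar() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (JarOutputStream out = new JarOutputStream(bos)) {
            out.putNextEntry(new JarEntry("META-INF/maven/org.example/embedded-lib/pom.properties"));
            out.write("groupId=org.example\nartifactId=embedded-lib\nversion=9.9.9\n".getBytes("UTF-8"));
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] jar = sampleJar();
        System.out.println("lenient: " + extract(jar, "my-bundle-1.0.0", false));
        try {
            extract(jar, "my-bundle-1.0.0", true);
        } catch (IllegalStateException ex) {
            System.out.println("strict: " + ex.getMessage());
        }
    }
}
```

With `strict=false` the bundle is reported under the embedded dependency's coordinates even though the name check rejected them; with `strict=true` the same input is refused, which makes a non-compliant content package visible instead of silently mislabelled.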


[jira] [Updated] (SLING-10790) BundleEntryHandler.extractArtifactId may use wrong GAV

2022-03-22 Thread Robert Munteanu (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10790?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robert Munteanu updated SLING-10790:

Fix Version/s: Content-Package to Feature Model Converter 1.1.16
   (was: Content-Package to Feature Model Converter 1.1.14)

> BundleEntryHandler.extractArtifactId may use wrong GAV
> --
>
> Key: SLING-10790
> URL: https://issues.apache.org/jira/browse/SLING-10790
> Project: Sling
>  Issue Type: Bug
>  Components: Content-Package to Feature Model Converter
>Reporter: Angela Schreiber
>Priority: Minor
> Fix For: Content-Package to Feature Model Converter 1.1.16
>
>


[jira] [Updated] (SLING-10790) BundleEntryHandler.extractArtifactId may use wrong GAV

2022-03-10 Thread Karl Pauls (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10790?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Pauls updated SLING-10790:
---
Fix Version/s: Content-Package to Feature Model Converter 1.1.14
   Content-Package to Feature Model Converter 1.1.14
   (was: Content-Package to Feature Model Converter 1.1.12)

> BundleEntryHandler.extractArtifactId may use wrong GAV
> --
>
> Key: SLING-10790
> URL: https://issues.apache.org/jira/browse/SLING-10790
> Project: Sling
>  Issue Type: Bug
>  Components: Content-Package to Feature Model Converter
>Reporter: Angela Schreiber
>Priority: Minor
> Fix For: Content-Package to Feature Model Converter 1.1.14
>
>


[jira] [Updated] (SLING-10790) BundleEntryHandler.extractArtifactId may use wrong GAV

2021-09-02 Thread Angela Schreiber (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10790?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Angela Schreiber updated SLING-10790:
-
Summary: BundleEntryHandler.extractArtifactId may use wrong GAV  (was: 
BundleEntryHandler.extractArtifactId may used wrong GAV)

> BundleEntryHandler.extractArtifactId may use wrong GAV
> --
>
> Key: SLING-10790
> URL: https://issues.apache.org/jira/browse/SLING-10790
> Project: Sling
>  Issue Type: Bug
>  Components: Content-Package to Feature Model Converter
>Reporter: Angela Schreiber
>Priority: Minor
>