Hi, I'm not sure how important the "mailreader" example is, but I opt to throw it away; it depends on "struts-mailreader-dao" ver. 1.3.5, which is part of Struts 1 as far as I understand. If no objections are posted within 72h I will accept this by lazy consensus.
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

https://www.apache.org/foundation/glossary.html#LazyConsensus

On Sun, 1 Dec 2019 at 17:52, Apache Jenkins Server <jenk...@builds.apache.org> wrote:
>
> See <https://builds.apache.org/job/Struts-examples-JDK8-dependency-check/6/display/redirect?page=changes>
>
> Changes:
>
> [lukaszlenart] Upgrades to Struts 2.5.22
>
>
> ------------------------------------------
> [...truncated 105.71 KB...]
> [INFO]
>
> Dependency-Check is an open source tool performing a best effort analysis of
> 3rd party dependencies; false positives and false negatives may exist in the
> analysis performed by the tool. Use of the tool and the reporting provided
> constitutes acceptance for use in an AS IS condition, and there are NO
> warranties, implied or otherwise, with regard to the analysis or its use. Any
> use of the tool and the reporting provided is at the user's risk. In no event
> shall the copyright holder or OWASP be held liable for any damages whatsoever
> arising out of or in connection with the use of this tool, the analysis
> performed, or the resulting report.
>
>
> [INFO] Analysis Started
> [INFO] Finished Archive Analyzer (0 seconds)
> [INFO] Finished File Name Analyzer (0 seconds)
> [INFO] Finished Jar Analyzer (0 seconds)
> [INFO] Finished Dependency Merging Analyzer (0 seconds)
> [INFO] Finished Version Filter Analyzer (0 seconds)
> [INFO] Finished Hint Analyzer (0 seconds)
> [INFO] Created CPE Index (1 seconds)
> [INFO] Finished CPE Analyzer (1 seconds)
> [INFO] Finished False Positive Analyzer (0 seconds)
> [INFO] Finished NVD CVE Analyzer (0 seconds)
> [INFO] Finished RetireJS Analyzer (0 seconds)
> [INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
> [INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
> [INFO] Finished Dependency Bundling Analyzer (0 seconds)
> [INFO] Analysis Complete (1 seconds)
> [INFO]
> [INFO] ----------------------< org.demo:json-customize >-----------------------
> [INFO] Building Customized JSON produce 1.0-SNAPSHOT                    [22/42]
> [INFO] --------------------------------[ war ]---------------------------------
> Downloading from apache-public: https://repository.apache.org/content/groups/public/net/sf/flexjson/flexjson/3.3/flexjson-3.3.pom
> Downloading from apache-staging: https://repository.apache.org/content/groups/staging/net/sf/flexjson/flexjson/3.3/flexjson-3.3.pom
> Downloading from apache-snapshots: https://repository.apache.org/content/groups/snapshots/net/sf/flexjson/flexjson/3.3/flexjson-3.3.pom
> Downloading from oss-snapshots: https://oss.sonatype.org/content/repositories/snapshots/net/sf/flexjson/flexjson/3.3/flexjson-3.3.pom
> Downloading from central: https://repo.maven.apache.org/maven2/net/sf/flexjson/flexjson/3.3/flexjson-3.3.pom
> Downloaded from central: https://repo.maven.apache.org/maven2/net/sf/flexjson/flexjson/3.3/flexjson-3.3.pom (6.0 kB at 317 kB/s)
> Downloading from apache-public: https://repository.apache.org/content/groups/public/net/sf/flexjson/flexjson/3.3/flexjson-3.3.jar
> Downloading from apache-staging: https://repository.apache.org/content/groups/staging/net/sf/flexjson/flexjson/3.3/flexjson-3.3.jar
> Downloading from apache-snapshots: https://repository.apache.org/content/groups/snapshots/net/sf/flexjson/flexjson/3.3/flexjson-3.3.jar
> Downloading from oss-snapshots: https://oss.sonatype.org/content/repositories/snapshots/net/sf/flexjson/flexjson/3.3/flexjson-3.3.jar
> Downloading from central: https://repo.maven.apache.org/maven2/net/sf/flexjson/flexjson/3.3/flexjson-3.3.jar
> Downloaded from central: https://repo.maven.apache.org/maven2/net/sf/flexjson/flexjson/3.3/flexjson-3.3.jar (92 kB at 3.4 MB/s)
> [INFO]
> [INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ json-customize ---
> [INFO] Using 'UTF-8' encoding to copy filtered resources.
> [INFO] Copying 2 resources
> [INFO]
> [INFO] --- maven-compiler-plugin:3.3:compile (default-compile) @ json-customize ---
> [INFO] Changes detected - recompiling the module!
> [INFO] Compiling 9 source files to <https://builds.apache.org/job/Struts-examples-JDK8-dependency-check/ws/json-customize/target/classes>
> [INFO]
> [INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ json-customize ---
> [INFO] Using 'UTF-8' encoding to copy filtered resources.
> [INFO] skip non existing resourceDirectory <https://builds.apache.org/job/Struts-examples-JDK8-dependency-check/ws/json-customize/src/test/resources>
> [INFO]
> [INFO] --- maven-compiler-plugin:3.3:testCompile (default-testCompile) @ json-customize ---
> [INFO] No sources to compile
> [INFO]
> [INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ json-customize ---
> [INFO] No tests to run.
> [INFO]
> [INFO] --- maven-war-plugin:2.2:war (default-war) @ json-customize ---
> [INFO] Packaging webapp
> [INFO] Assembling webapp [json-customize] in [<https://builds.apache.org/job/Struts-examples-JDK8-dependency-check/ws/json-customize/target/json-customize-1.0-SNAPSHOT]>
> [INFO] Processing war project
> [INFO] Copying webapp resources [<https://builds.apache.org/job/Struts-examples-JDK8-dependency-check/ws/json-customize/src/main/webapp]>
> [INFO] Webapp assembled in [22 msecs]
> [INFO] Building war: <https://builds.apache.org/job/Struts-examples-JDK8-dependency-check/ws/json-customize/target/json-customize-1.0-SNAPSHOT.war>
> [INFO] WEB-INF/web.xml already added, skipping
> [INFO]
> [INFO] --- dependency-check-maven:5.2.2:check (default) @ json-customize ---
> [INFO] Checking for updates
> [INFO] Skipping NVD check since last check was within 4 hours.
> [INFO] Skipping RetireJS update since last update was within 24 hours.
> [INFO] Check for updates complete (1 ms)
> [INFO]
>
> Dependency-Check is an open source tool performing a best effort analysis of
> 3rd party dependencies; false positives and false negatives may exist in the
> analysis performed by the tool.
> Use of the tool and the reporting provided
> constitutes acceptance for use in an AS IS condition, and there are NO
> warranties, implied or otherwise, with regard to the analysis or its use. Any
> use of the tool and the reporting provided is at the user's risk. In no event
> shall the copyright holder or OWASP be held liable for any damages whatsoever
> arising out of or in connection with the use of this tool, the analysis
> performed, or the resulting report.
>
>
> [INFO] Analysis Started
> [INFO] Finished Archive Analyzer (0 seconds)
> [INFO] Finished File Name Analyzer (0 seconds)
> [INFO] Finished Jar Analyzer (0 seconds)
> [INFO] Finished Dependency Merging Analyzer (0 seconds)
> [INFO] Finished Version Filter Analyzer (0 seconds)
> [INFO] Finished Hint Analyzer (0 seconds)
> [INFO] Created CPE Index (1 seconds)
> [INFO] Finished CPE Analyzer (1 seconds)
> [INFO] Finished False Positive Analyzer (0 seconds)
> [INFO] Finished NVD CVE Analyzer (0 seconds)
> [INFO] Finished RetireJS Analyzer (0 seconds)
> [INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
> [INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
> [INFO] Finished Dependency Bundling Analyzer (0 seconds)
> [INFO] Analysis Complete (1 seconds)
> [INFO]
> [INFO] --------------------< org.apache.struts:mailreader >--------------------
> [INFO] Building Struts 2 Mail Reader Webapp 1.0.0                       [23/42]
> [INFO] --------------------------------[ war ]---------------------------------
> Downloading from apache-public: https://repository.apache.org/content/groups/public/org/apache/struts/struts-mailreader-dao/1.3.5/struts-mailreader-dao-1.3.5.pom
> Downloaded from apache-public: https://repository.apache.org/content/groups/public/org/apache/struts/struts-mailreader-dao/1.3.5/struts-mailreader-dao-1.3.5.pom (1.9 kB at 2.5 kB/s)
> Downloading from apache-public: https://repository.apache.org/content/groups/public/org/apache/struts/struts-parent/1.3.5/struts-parent-1.3.5.pom
> Downloaded from apache-public: https://repository.apache.org/content/groups/public/org/apache/struts/struts-parent/1.3.5/struts-parent-1.3.5.pom (6.8 kB at 8.8 kB/s)
> Downloading from apache-public: https://repository.apache.org/content/groups/public/org/apache/struts/struts-master/3/struts-master-3.pom
> Downloaded from apache-public: https://repository.apache.org/content/groups/public/org/apache/struts/struts-master/3/struts-master-3.pom (11 kB at 15 kB/s)
> Downloading from apache-public: https://repository.apache.org/content/groups/public/org/apache/struts/struts-mailreader-dao/1.3.5/struts-mailreader-dao-1.3.5.jar
> Downloading from apache-public: https://repository.apache.org/content/groups/public/commons-beanutils/commons-beanutils/1.6/commons-beanutils-1.6.jar
> Downloaded from apache-public: https://repository.apache.org/content/groups/public/org/apache/struts/struts-mailreader-dao/1.3.5/struts-mailreader-dao-1.3.5.jar (21 kB at 25 kB/s)
> Downloaded from apache-public: https://repository.apache.org/content/groups/public/commons-beanutils/commons-beanutils/1.6/commons-beanutils-1.6.jar (118 kB at 114 kB/s)
> [INFO]
> [INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ mailreader ---
> [INFO] Using 'UTF-8' encoding to copy filtered resources.
> [INFO] Copying 8 resources
> [INFO]
> [INFO] --- maven-compiler-plugin:3.3:compile (default-compile) @ mailreader ---
> [INFO] Changes detected - recompiling the module!
> [INFO] Compiling 9 source files to <https://builds.apache.org/job/Struts-examples-JDK8-dependency-check/ws/mailreader/target/classes>
> [INFO] <https://builds.apache.org/job/Struts-examples-JDK8-dependency-check/ws/mailreader/src/main/java/mailreader2/MailreaderSupport.java>: Some input files use unchecked or unsafe operations.
> [INFO] <https://builds.apache.org/job/Struts-examples-JDK8-dependency-check/ws/mailreader/src/main/java/mailreader2/MailreaderSupport.java>: Recompile with -Xlint:unchecked for details.
> [INFO]
> [INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ mailreader ---
> [INFO] Using 'UTF-8' encoding to copy filtered resources.
> [INFO] skip non existing resourceDirectory <https://builds.apache.org/job/Struts-examples-JDK8-dependency-check/ws/mailreader/src/test/resources>
> [INFO]
> [INFO] --- maven-compiler-plugin:3.3:testCompile (default-testCompile) @ mailreader ---
> [INFO] No sources to compile
> [INFO]
> [INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ mailreader ---
> [INFO] No tests to run.
> [INFO]
> [INFO] --- maven-war-plugin:2.2:war (default-war) @ mailreader ---
> [INFO] Packaging webapp
> [INFO] Assembling webapp [mailreader] in [<https://builds.apache.org/job/Struts-examples-JDK8-dependency-check/ws/mailreader/target/mailreader-1.0.0]>
> [INFO] Processing war project
> [INFO] Copying webapp resources [<https://builds.apache.org/job/Struts-examples-JDK8-dependency-check/ws/mailreader/src/main/webapp]>
> [INFO] Webapp assembled in [62 msecs]
> [INFO] Building war: <https://builds.apache.org/job/Struts-examples-JDK8-dependency-check/ws/mailreader/target/mailreader-1.0.0.war>
> [INFO] WEB-INF/web.xml already added, skipping
> [INFO]
> [INFO] --- dependency-check-maven:5.2.2:check (default) @ mailreader ---
> [INFO] Checking for updates
> [INFO] Skipping NVD check since last check was within 4 hours.
> [INFO] Skipping RetireJS update since last update was within 24 hours.
> [INFO] Check for updates complete (2 ms)
> [INFO]
>
> Dependency-Check is an open source tool performing a best effort analysis of
> 3rd party dependencies; false positives and false negatives may exist in the
> analysis performed by the tool. Use of the tool and the reporting provided
> constitutes acceptance for use in an AS IS condition, and there are NO
> warranties, implied or otherwise, with regard to the analysis or its use. Any
> use of the tool and the reporting provided is at the user's risk.
> In no event
> shall the copyright holder or OWASP be held liable for any damages whatsoever
> arising out of or in connection with the use of this tool, the analysis
> performed, or the resulting report.
>
>
> [INFO] Analysis Started
> [INFO] Finished Archive Analyzer (0 seconds)
> [INFO] Finished File Name Analyzer (0 seconds)
> [INFO] Finished Jar Analyzer (0 seconds)
> [INFO] Finished Dependency Merging Analyzer (0 seconds)
> [INFO] Finished Version Filter Analyzer (0 seconds)
> [INFO] Finished Hint Analyzer (0 seconds)
> [INFO] Created CPE Index (1 seconds)
> [INFO] Finished CPE Analyzer (1 seconds)
> [INFO] Finished False Positive Analyzer (0 seconds)
> [INFO] Finished NVD CVE Analyzer (0 seconds)
> [INFO] Finished RetireJS Analyzer (0 seconds)
> [INFO] Finished Sonatype OSS Index Analyzer (0 seconds)
> [INFO] Finished Vulnerability Suppression Analyzer (0 seconds)
> [INFO] Finished Dependency Bundling Analyzer (0 seconds)
> [INFO] Analysis Complete (2 seconds)
> [WARNING]
>
> One or more dependencies were identified with known vulnerabilities in Struts 2 Mail Reader Webapp:
>
> struts-mailreader-dao-1.3.5.jar (pkg:maven/org.apache.struts/struts-mailreader-dao@1.3.5, cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*) : CVE-2011-3923, CVE-2012-0394, CVE-2013-2115, CVE-2014-0114, CVE-2015-0899, CVE-2016-1181, CVE-2016-1182
> commons-beanutils-1.6.jar (pkg:maven/commons-beanutils/commons-beanutils@1.6, cpe:2.3:a:apache:commons_beanutils:1.6:*:*:*:*:*:*:*) : CVE-2014-0114, CVE-2019-10086
> commons-collections-2.1.jar (pkg:maven/commons-collections/commons-collections@2.1, cpe:2.3:a:apache:commons_collections:2.1:*:*:*:*:*:*:*) : CVE-2015-6420, CVE-2017-15708, Remote code execution
>
>
> See the dependency-check report for more details.
>
>
> [INFO] ------------------------------------------------------------------------
> [INFO] Reactor Summary:
> [INFO]
> [INFO] Struts 2 Examples 1.0.0 ............................ SUCCESS [ 20.223 s]
> [INFO] Action chaining 1.0-SNAPSHOT ....................... SUCCESS [ 4.197 s]
> [INFO] Annotations with Convention Plugin ................. SUCCESS [ 6.484 s]
> [INFO] Basic Struts2 Example .............................. SUCCESS [ 2.934 s]
> [INFO] Bean Validation .................................... SUCCESS [ 5.644 s]
> [INFO] Struts 2 Blank Webapp .............................. SUCCESS [ 8.153 s]
> [INFO] Coding Struts 2 Action ............................. SUCCESS [ 2.832 s]
> [INFO] Control Tags ....................................... SUCCESS [ 2.928 s]
> [INFO] CRUD Example 1.0-SNAPSHOT .......................... SUCCESS [ 2.954 s]
> [INFO] Debugging Struts ................................... SUCCESS [ 4.757 s]
> [INFO] Exception handling ................................. SUCCESS [ 3.112 s]
> [INFO] Exclude Parameters ................................. SUCCESS [ 2.813 s]
> [INFO] File upload ........................................ SUCCESS [ 2.716 s]
> [INFO] Form Processing .................................... SUCCESS [ 2.711 s]
> [INFO] Form Tags .......................................... SUCCESS [ 2.657 s]
> [INFO] Form validation .................................... SUCCESS [ 2.723 s]
> [INFO] XML based form validation .......................... SUCCESS [ 2.604 s]
> [INFO] Hello World Struts 2 Example Application ........... SUCCESS [ 2.583 s]
> [INFO] Http Session ....................................... SUCCESS [ 2.644 s]
> [INFO] Struts 2 Interceptors .............................. SUCCESS [ 2.400 s]
> [INFO] JSON produce/consume 1.0-SNAPSHOT .................. SUCCESS [ 6.842 s]
> [INFO] Customized JSON produce 1.0-SNAPSHOT ............... SUCCESS [ 5.530 s]
> [INFO] Struts 2 Mail Reader Webapp ........................ FAILURE [ 7.160 s]
> [INFO] Message resource ................................... SKIPPED
> [INFO] Message Store 1.0-SNAPSHOT ......................... SKIPPED
> [INFO] Portlet Webapp ..................................... SKIPPED
> [INFO] Preparable Interface ............................... SKIPPED
> [INFO] REST to Action Mapper Example Application .......... SKIPPED
> [INFO] REST Plugin based application with AngularJS ....... SKIPPED
> [INFO] Struts2 with Basic Shiro Security Integration ...... SKIPPED
> [INFO] Struts2 with Spring Integration .................... SKIPPED
> [INFO] Custom TextProvider ................................ SKIPPED
> [INFO] Struts Tiles Example ............................... SKIPPED
> [INFO] Struts 2 Themes .................................... SKIPPED
> [INFO] Struts 2 Themes Override ........................... SKIPPED
> [INFO] Type Conversion .................................... SKIPPED
> [INFO] Unit Testing ....................................... SKIPPED
> [INFO] Using Struts 2 Tags ................................ SKIPPED
> [INFO] validation-messages ................................ SKIPPED
> [INFO] Wildcard Method Selection .......................... SKIPPED
> [INFO] Wildcard RegEx pattern matching 1 .................. SKIPPED
> [INFO] Unknown handler 1.0.0 .............................. SKIPPED
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD FAILURE
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 01:48 min
> [INFO] Finished at: 2019-12-01T16:52:00Z
> [INFO] ------------------------------------------------------------------------
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.2.2:check (default) on project mailreader:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
> [ERROR]
> [ERROR] struts-mailreader-dao-1.3.5.jar: CVE-2016-1181, CVE-2013-2115, CVE-2016-1182, CVE-2014-0114, CVE-2011-3923, CVE-2015-0899
> [ERROR] commons-beanutils-1.6.jar: CVE-2014-0114, CVE-2019-10086
> [ERROR] commons-collections-2.1.jar: CVE-2015-6420, CVE-2017-15708
> [ERROR]
> [ERROR] See the dependency-check report for more details.
> [ERROR]
> [ERROR]
> [ERROR] -> [Help 1]
> [ERROR]
> [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
> [ERROR] Re-run Maven using the -X switch to enable full debug logging.
> [ERROR]
> [ERROR] For more information about the errors and possible solutions, please read the following articles:
> [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
> [ERROR]
> [ERROR] After correcting the problems, you can resume the build with the command
> [ERROR]   mvn <goals> -rf :mailreader
> Build step 'Execute shell' marked build as failure
> [locks-and-latches] Releasing all the locks
> [locks-and-latches] All the locks released
> Setting MAVEN_3_LATEST__HOME=/home/jenkins/tools/maven/latest3/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@struts.apache.org
> For additional commands, e-mail: dev-h...@struts.apache.org