[ https://issues.apache.org/jira/browse/UNOMI-889?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Serge Huber updated UNOMI-889:
------------------------------

Description:

h2. Remove OGNL Usage from Unomi

h3. Description

Apache Unomi currently uses OGNL (Object Graph Navigation Language), which has been deprecated since version 1.5.2. This dependency poses significant security risks and has been deactivated by default since its deprecation. Additionally, it is causing compatibility issues with Java 17.

We need to completely remove OGNL usage from the codebase, including all references in configuration, documentation, and automated tests.

h3. Current Situation

* OGNL version 3.4.3 is currently used in the project (as seen in pom.xml)
* OGNL is deprecated since version 1.5.2
* Security vulnerabilities associated with OGNL usage
* Compatibility issues with Java 17
* OGNL is deactivated by default since deprecation
* Project already has a comprehensive hardcoded property resolver implementation

h3. Impact

* Security vulnerabilities in the application
* Potential compatibility issues with newer Java versions
* Maintenance overhead for deprecated technology
* Risk of security breaches due to OGNL's known vulnerabilities

h3. Proposed Solution

1. Remove OGNL dependency from pom.xml
2. Replace OGNL expressions with the existing hardcoded property resolver:
* Use the current comprehensive property resolver implementation
* Expand the property resolver implementation if additional functionality is needed
* Avoid introducing new scripting languages or expression evaluators to prevent new security vulnerabilities
3. Update all configuration files that reference OGNL
4. Update documentation to remove OGNL references
5. Update and modify automated tests that use OGNL
6. Add migration guide for users who might be using OGNL expressions

h3. Technical Tasks

# Remove OGNL dependency from pom.xml
# Search and replace OGNL usage in:
** Configuration files
** Source code
** Test files
** Documentation
# Expand existing property resolver implementation if needed
# Update test cases to use property resolver
# Create migration guide for users

h3. Dependencies

* No new dependencies required
* Will remove OGNL dependency

h3. Testing Requirements

* Unit tests for property resolver functionality
* Integration tests to ensure functionality
* Security tests to verify removal of vulnerabilities
* Performance tests to ensure no degradation

h3. Documentation Updates

* Update configuration documentation
* Update API documentation
* Create migration guide
* Update examples and tutorials

h3. Security Considerations

* Ensure no security vulnerabilities are introduced during migration
* Verify all property resolution is properly sanitized
* Document security best practices for property resolver usage

h3. Migration Guide Requirements

* List of deprecated OGNL features
* Property resolver alternatives for each OGNL feature
* Code examples for migration
* Common pitfalls and how to avoid them

h3. Acceptance Criteria

* All OGNL dependencies removed from pom.xml
* No OGNL references in configuration files
* No OGNL usage in source code
* All tests passing with property resolver
* Documentation updated and migration guide created
* Security review completed
* Performance benchmarks show no degradation

h3. Additional Notes

* This change may require updates to dependent projects
* Consider creating a separate branch for this work
* May need to coordinate with other Apache projects using Unomi
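As an added illustration of step 2 of the proposed solution (example code, not Unomi's own accessor registry or Profile class, which differ): a resolver that accepts only a fixed grammar of dotted identifier paths and maps each one to a plain getter or map lookup, so no expression engine exists to be abused. The `Profile` stand-in and the set of accepted paths are assumptions made for this example.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Fixed-grammar property resolver: no scripting, no reflection, no expression evaluation. */
public final class HardcodedPropertyResolver {
    // Only dotted paths of plain identifiers pass; "(", "@", "#", "[" etc. are rejected up front,
    // so nothing resembling an expression ever reaches a parser or an evaluator.
    private static final Pattern PATH =
            Pattern.compile("[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*");

    /** Hypothetical stand-in for a profile; assumed for this example, not Unomi's real class. */
    public static final class Profile {
        public final String itemId;
        public final Map<String, Object> properties = new HashMap<>();
        public final Set<String> segments = new HashSet<>();
        public Profile(String itemId) { this.itemId = itemId; }
    }

    /** Resolve paths such as "profile.properties.firstName"; unknown paths yield null. */
    public static Object resolve(Profile profile, String path) {
        if (path == null || !PATH.matcher(path).matches()) {
            throw new IllegalArgumentException("Not a plain property path: " + path);
        }
        String[] parts = path.split("\\.");
        if (!"profile".equals(parts[0])) {
            return null; // only the "profile" root is wired up in this example
        }
        if (parts.length == 2) {
            switch (parts[1]) {          // every supported field is listed explicitly
                case "itemId":   return profile.itemId;
                case "segments": return profile.segments;
                default:         return null;
            }
        }
        if (parts.length == 3 && "properties".equals(parts[1])) {
            return profile.properties.get(parts[2]); // plain map lookup; the key is data, not code
        }
        return null; // any other shape is deliberately unsupported rather than "interpreted"
    }

    public static void main(String[] args) {
        Profile p = new Profile("profile-1");       // constructed sample data
        p.properties.put("firstName", "Ada");
        System.out.println(resolve(p, "profile.properties.firstName")); // Ada
        System.out.println(resolve(p, "profile.itemId"));               // profile-1
        System.out.println(resolve(p, "profile.properties.missing"));   // null
    }
}
```

Adding a new resolvable path means adding a new explicit case, which keeps the reachable surface reviewable in a diff instead of being whatever an evaluator can be coaxed into.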
was:
(previous description text identical to the one above, ending with the following panels)

{panel:title=Labels}
* security
* technical-debt
* major-change
* breaking-change
{panel}

{panel:title=Priority}
* High
{panel}

{panel:title=Components}
* Core
* Security
* Documentation
* Testing
{panel}

> Remove OGNL scripting support
> -----------------------------
>
>                 Key: UNOMI-889
>                 URL: https://issues.apache.org/jira/browse/UNOMI-889
>             Project: Apache Unomi
>          Issue Type: Sub-task
>          Components: unomi(-core)
>    Affects Versions: unomi-3.0.0
>            Reporter: Serge Huber
>            Priority: Major
>             Fix For: unomi-3.0.0
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)