I looked at the attached logs and I suspect that the unit tests are not multi-platform really.
I suggest seeing if skipping the tests help via -Dmaven.test.skip.exec. On Wed, Jun 21, 2023 at 10:01 AM Steven Saunders <sjs...@gmail.com> wrote: > Hi robertlazarski, > > I am fine with handling upgrading and building locally from maven and the > axis2 1.8.2 src download or trying to remove the jars that have the > vulnerabilities and deploy the WAR and if it starts run my test bed for our > web services to see if there is a problem. > > As far as building I may need help. > I downloaded the axis2 source zip and followed the README.txt in it to do > mvn install from root and that failed as expected due to the custom maven > plugins used by Axis2. So following the instructions further to manually > build those two modules in their project directories: > modules/tool/axis2-mar-maven-plugin > modules/tool/axis2-aar-maven-plugin > but the second one failed. > > Full maven -X install is attached. > > Is this a known issue? Do I set ignoreFailures = true? > Can you tell me what I am missing as the errors look like failure in > validation tests of a module? > > Error summary was: > [INFO] --- maven-invoker-plugin:3.3.0:verify (default) @ > axis2-aar-maven-plugin --- > [DEBUG] Configuring mojo > org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify from plugin > realm > ClassRealm[plugin>org.apache.maven.plugins:maven-invoker-plugin:3.3.0, > parent: sun.misc.Launcher$AppClassLoader@7852e922] > [DEBUG] Configuring mojo > 'org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify' with basic > configurator --> > [DEBUG] (f) ignoreFailures = false > [DEBUG] (f) reportsDirectory = > /scratch/sjsaunde/documaker/axis2-source/axis2-1.8.2/modules/tool/axis2-aar-maven-plugin/target/invoker-reports > [DEBUG] (f) skipInvocation = false > [DEBUG] (f) streamLogsOnFailures = false > [DEBUG] (f) suppressSummaries = false > [DEBUG] -- end configuration -- > [INFO] ------------------------------------------------- > [INFO] Build Summary: > [INFO] Passed: 0,* Failed: 2*, Errors: 0, Skipped: 0 > [INFO] ------------------------------------------------- > > > *[ERROR] The following builds failed:[ERROR] * test1/pom.xml[ERROR] * > test2/pom.xml* > [INFO] ------------------------------------------------- > [INFO] > ------------------------------------------------------------------------ > [INFO] BUILD FAILURE > [INFO] > ------------------------------------------------------------------------ > [INFO] Total time: 41.738 s > [INFO] Finished at: 2023-06-21T19:46:30Z > [INFO] > ------------------------------------------------------------------------ > [ERROR] Failed to execute goal > org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify (default) on > project axis2-aar-maven-plugin: 2 builds failed. See console output above > for details. -> [Help 1] > org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute > goal org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify (default) > on project axis2-aar-maven-plugin: 2 builds failed. See console output > above for details. > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > (MojoExecutor.java:213) > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > (MojoExecutor.java:154) > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > (MojoExecutor.java:146) > at > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > (LifecycleModuleBuilder.java:117) > at > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > (LifecycleModuleBuilder.java:81) > at > org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build > (SingleThreadedBuilder.java:56) > at org.apache.maven.lifecycle.internal.LifecycleStarter.execute > (LifecycleStarter.java:128) > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) > at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) > at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954) > at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) > at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) > at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke > (NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke > (DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke (Method.java:498) > at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced > (Launcher.java:289) > at org.codehaus.plexus.classworlds.launcher.Launcher.launch > (Launcher.java:229) > at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode > (Launcher.java:415) > at org.codehaus.plexus.classworlds.launcher.Launcher.main > (Launcher.java:356) > Caused by: org.apache.maven.plugin.MojoFailureException: 2 builds failed. > See console output above for details. > at org.apache.maven.plugins.invoker.InvokerSession.handleFailures > (InvokerSession.java:285) > at org.apache.maven.plugins.invoker.VerifyMojo.execute > (VerifyMojo.java:153) > at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo > (DefaultBuildPluginManager.java:137) > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > (MojoExecutor.java:208) > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > (MojoExecutor.java:154) > at org.apache.maven.lifecycle.internal.MojoExecutor.execute > (MojoExecutor.java:146) > at > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > (LifecycleModuleBuilder.java:117) > at > org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject > (LifecycleModuleBuilder.java:81) > at > org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build > (SingleThreadedBuilder.java:56) > at org.apache.maven.lifecycle.internal.LifecycleStarter.execute > (LifecycleStarter.java:128) > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) > at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) > at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) > at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954) > at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) > at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) > at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke > (NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke > (DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke (Method.java:498) > at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced > (Launcher.java:289) > at org.codehaus.plexus.classworlds.launcher.Launcher.launch > (Launcher.java:229) > at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode > (Launcher.java:415) > at org.codehaus.plexus.classworlds.launcher.Launcher.main > (Launcher.java:356) > [ERROR] > > > Thanks, > -Steve > > > > On Wed, Jun 21, 2023 at 2:26 PM robertlazarski <robertlazar...@gmail.com> > wrote: > >> We are right in the middle of trying to get an Apache Rampart release out >> and cannot always respond to every Axis2 dep with a CVE. >> >> First of all you may not actually need those deps. Not all deps are >> mandatory. >> >> Secondly, the only thing Axis2 will do is update the pom.xml and indeed >> via GitHub Dependabot that happens automatically. >> >> Without building from source, the way I manage these deps is by using >> Maven exclusions in the pom.xml of my day job. >> >> Using "mvn -X" will show the dependency tree, and with the right config >> you can update the jars that way. >> >> On Wed, Jun 21, 2023 at 6:30 AM Steven Saunders <sjs...@gmail.com> wrote: >> >>> Hi Axis2 Dev Mailing List, >>> >>> There are some more recent CVEs against Jettison 1.5.0 and Spring >>> Framework 5.3.21 that are in Axis2 v1.8.2 (latest release). >>> >>> Would it be possible to get an Axis2 build with these module components >>> updated to last release versions? >>> >>> Do I need to download Axis2 1.8.2 source and try to maven build it >>> locally with these modules updated to the new release versions instead? >>> >>> Details: >>> Jettison v1.5.4 addresses CVE-2023-1436 (CVSS v3.1 score in NVD is 7.5) >>> Spring Framework v5.3.27 addresses CVE-2023-20863 (CVSS v3.1 score in >>> NVD is 6.5) >>> >>> Thanks, >>> -Steven Saunder >>> >> > --------------------------------------------------------------------- > To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org > For additional commands, e-mail: java-dev-h...@axis.apache.org
