Hi Axis2 Dev Mailing List, I have switched from RedHat 8 Linux based distribution to Ubuntu 20.04 LTS based distribution and got much further, enough to get the Axis2 war built and then upgrade the pom.xml files to get it to use the latest release of Spring Framework 5.3.x (v5.3.28) and Jettison 1.5.x (v1.5.4). I will test with these now.
Can anyone please provide me with what type of OS and version and environment successfully builds all the components for reference. For good measure, besides the issue with getting axis2 1.8.2 source to build with RedHat 8 and OpenJDK 11, here are the additional issues with building on Ubuntu 20.04 LTS based distribution with OpenJDK 11: - Using OpenJDK Java 11 it later failed in "Apache Axis2 - tool - Eclipse Codegen Plugin" Error: [INFO] Apache Axis2 - tool - Eclipse Codegen Plugin ....... FAILURE [ 0.017 s] Exception: Failed to execute goal on project axis2.eclipse.codegen.plugin Could not resolve dependencies for project org.apache.axis2:axis2.eclipse.codegen.plugin:bundle:1.8.2: Failed to collect dependencies at osgi.bundle:org.eclipse.core.jobs:jar:3.10.800.v20200421-0950: Failed to read artifact descriptor for osgi.bundle:org.eclipse.core.jobs:jar:3.10.800.v20200421-0950: Could not transfer artifact osgi.bundle:org.eclipse.core.jobs:pom:3.10.800.v20200421-0950 from/to eclipse_4_16 ( http://download.eclipse.org/eclipse/updates/4.16/R-4.16-202006040540): Cannot access http://download.eclipse.org/eclipse/updates/4.16/R-4.16-202006040540 with type p2 using the available connector factories: BasicRepositoryConnectorFactory: *Cannot access http://download.eclipse.org/eclipse/updates/4.16/R-4.16-202006040540 <http://download.eclipse.org/eclipse/updates/4.16/R-4.16-202006040540> with type p2 using the available layout factories: Maven2RepositoryLayoutFactory: Unsupported repository layout p2* -> [Help 1] org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal on project axis2.eclipse.codegen.plugin: Could not resolve dependencies for project org.apache.axis2:axis2.eclipse.codegen.plugin:bundle:1.8.2: Failed to collect dependencies at osgi.bundle:org.eclipse.core.jobs: jar:3.10.800.v20200421-0950 - Using OpenJDK Java 8 64-bit it failed before the WAR was built in "Apache Axis2 - Transport - testkit" due to requiring Java 11 or newer Error: [INFO] Apache Axis2 - Transport - testkit ................. FAILURE [ 0.401 s] Exception: class file has wrong version 55.0, should be 52.0 Note: Last mention of minimal requirement for Java version in Axis2 v1.8.x release notes was for Java 8 in 1.8.0 release note: "The minimum required Java version for Axis2 has been changed to Java 8" . I don't see any mention of Java 11 in 1.8.1 or 1.8.2 release notes. Thanks, -Steve On Wed, Jun 21, 2023 at 7:53 PM Steven Saunders <sjs...@gmail.com> wrote: > Hi robertlazarski, > > I really appreciate the quick response and willingness to help! > My build image is OS RedHat 8 Linux x86_64 for the platform if that helps. > I can also build on RedHat 7 or a Ubuntu 20.04 LTS if any of those are > better or might now have these issues. I have many VMs of other Linux > distributions too. Please suggest best OS and version to get a clean build > of latest Axis2 release. > > I tried your suggestion of building modules/tool/axis2-aar-maven-plugin > with -Dmaven.test.skip.exec=true but that didn't work so I tried it with > -Dmaven.test.skip=true from search internet and that didn't stop the tests > either. So found another wroundaround to avoid the executions by > commenting it out of the modules/tool/axis2-aar-maven-plugin/pom.xml > altogether, e.g. > axis2-1.8.2/modules/tool/axis2-aar-maven-plugin/pom.xml: > <plugin> > <artifactId>maven-invoker-plugin</artifactId> > *<!--*executions> > <execution> > <goals> > <goal>integration-test</goal> > <goal>verify</goal> > </goals> > <configuration> > > <cloneProjectsTo>${project.build.directory}/it</cloneProjectsTo> > > <postBuildHookScript>verify</postBuildHookScript> > </configuration> > </execution> > </executions*-->* > </plugin> > > > After that was resolved and the plugin built I went back to the root and > ran mvn install and got this error next. > Seems from the AXIS2-5782 build.log (assume AXIS2-5782 relates to the old > JIRA of same name) the root exception from > axis2-1.8.2/modules/tool/axis2-repo-maven-plugin/target/it/AXIS2-5782/build.log > (attached) is: > Caused by: java.security.AccessControlException: access denied > ("java.io.FilePermission" "/usr/share/publicsuffix/effective_tld_names.dat" > "read") > > I checked and the file is there with read permissions for everyone but is > a link to another file that has read permissions for everyone also: > > bash-4.4$ ls -al /usr/share/publicsuffix/effective_tld_names.dat > lrwxrwxrwx 1 root root 22 Mar 7 2019 > /usr/share/publicsuffix/effective_tld_names.dat -> public_suffix_list.dat > bash-4.4$ ls -al /usr/share/publicsuffix/public_suffix_list.dat > -rw-r--r-- 1 root root 208604 Mar 7 2019 > /usr/share/publicsuffix/public_suffix_list.dat > > > bash-4.4$ cat /usr/share/publicsuffix/public_suffix_list.dat > > and, > bash-4.4$ cat /usr/share/publicsuffix/effective_tld_names.dat > Shows same user as build can read file contents without an issue. > > Also, did a move of the link to another name and copied the > public_suffix_list.dat to an actual file named effective_tld_names.dat > incase the issue was with using a link and build gave same error. > > > > I tried to also comment out the executions > in axis2-1.8.2/modules/tool/axis2-repo-maven-plugin/src/it/AXIS2-5782/pom.xml, > e.g: > *<!--*executions> > <execution> > <goals> > <goal>create-repository</goal> > </goals> > <configuration> > <modules> > addressing, > ping > </modules> > </configuration> > </execution> > </executions*-->* > It didn't stop the same error. > > I am stuck. > > Summary of build error from console: > > [INFO] --- maven-invoker-plugin:3.3.0:integration-test (default) @ > axis2-repo-maven-plugin --- > [INFO] Building: AXIS2-5782/pom.xml > [INFO] The build exited with code 1. See > axis2-1.8.2/modules/tool/axis2-repo-maven-plugin/target/it/AXIS2-5782/build.log > for details. > [INFO] AXIS2-5782/pom.xml ............................... > FAILED (3.1 s) > [INFO] > ... > [INFO] Build Summary: > [INFO] Passed: 0, *Failed: 1,* Errors: 0, Skipped: 0 > [INFO] ------------------------------------------------- > *[ERROR] The following builds failed:* > *[ERROR] * AXIS2-5782/pom.xml* > [INFO] ------------------------------------------------- > [INFO] > ------------------------------------------------------------------------ > [INFO] Reactor Summary: > [INFO] > [INFO] Apache Axis2 - Root 1.8.2 .......................... SUCCESS [ > 15.251 s] > [INFO] Apache Axis2 - Resource bundle ..................... SUCCESS [ > 2.896 s] > [INFO] Apache Axis2 - Kernel .............................. SUCCESS [ > 21.702 s] > [INFO] Apache Axis2 - Data Binding ........................ SUCCESS [ > 6.657 s] > [INFO] Apache Axis2 - Transport - Local ................... SUCCESS [ > 14.591 s] > [INFO] Apache Axis2 - Addressing .......................... SUCCESS [ > 16.085 s] > [INFO] Apache Axis2 - Transport - Base .................... SUCCESS [ > 6.679 s] > [INFO] Apache Axis2 - Ping ................................ SUCCESS [ > 2.082 s] > [INFO] Apache Axis2 - MEX ................................. SUCCESS [ > 2.237 s] > *[INFO] axis2-repo-maven-plugin ............................ FAILURE [ > 17.848 s]* > [INFO] Apache Axis2 - Transport - testkit ................. SKIPPED > [INFO] Apache Axis2 - Transport - HTTP .................... SKIPPED > [INFO] Apache Axis2 - Code Generation ..................... SKIPPED > [INFO] Apache Axis2 - ADB Codegen ......................... SKIPPED > [INFO] Apache Axis2 - Clustering .......................... SKIPPED > [INFO] Apache Axis2 - SAAJ ................................ SKIPPED > ... > > (see build.log mentioned above and full log attached with -X option for > mvn install attached). > > Tried it with Open JDK 11 and 1.8 versions. > Tried it with -Dmaven.test.skip.exec=true and -Dmaven.test.skip=true but > still didn't work here. > > I then commented out the executions in the AXIS2-5792/pom.xml to get past > that error but still fails with "The following builds failed: * > AXIS2-5782" but still the same error. > > Thanks, > -Steve > > On Wed, Jun 21, 2023 at 4:10 PM robertlazarski <robertlazar...@gmail.com> > wrote: > >> I looked at the attached logs and I suspect that the unit tests are not >> multi-platform really. >> >> I suggest seeing if skipping the tests help via -Dmaven.test.skip.exec. >> >> On Wed, Jun 21, 2023 at 10:01 AM Steven Saunders <sjs...@gmail.com> >> wrote: >> >>> Hi robertlazarski, >>> >>> I am fine with handling upgrading and building locally from maven and >>> the axis2 1.8.2 src download or trying to remove the jars that have the >>> vulnerabilities and deploy the WAR and if it starts run my test bed for our >>> web services to see if there is a problem. >>> >>> As far as building I may need help. >>> I downloaded the axis2 source zip and followed the README.txt in it to >>> do mvn install from root and that failed as expected due to the custom >>> maven plugins used by Axis2. So following the instructions further to >>> manually build those two modules in their project directories: >>> modules/tool/axis2-mar-maven-plugin >>> modules/tool/axis2-aar-maven-plugin >>> but the second one failed. >>> >>> Full maven -X install is attached. >>> >>> Is this a known issue? Do I set ignoreFailures = true? >>> Can you tell me what I am missing as the errors look like failure in >>> validation tests of a module? >>> >>> Error summary was: >>> [INFO] --- maven-invoker-plugin:3.3.0:verify (default) @ >>> axis2-aar-maven-plugin --- >>> [DEBUG] Configuring mojo >>> org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify from plugin >>> realm >>> ClassRealm[plugin>org.apache.maven.plugins:maven-invoker-plugin:3.3.0, >>> parent: sun.misc.Launcher$AppClassLoader@7852e922] >>> [DEBUG] Configuring mojo >>> 'org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify' with basic >>> configurator --> >>> [DEBUG] (f) ignoreFailures = false >>> [DEBUG] (f) reportsDirectory = >>> /scratch/sjsaunde/documaker/axis2-source/axis2-1.8.2/modules/tool/axis2-aar-maven-plugin/target/invoker-reports >>> [DEBUG] (f) skipInvocation = false >>> [DEBUG] (f) streamLogsOnFailures = false >>> [DEBUG] (f) suppressSummaries = false >>> [DEBUG] -- end configuration -- >>> [INFO] ------------------------------------------------- >>> [INFO] Build Summary: >>> [INFO] Passed: 0,* Failed: 2*, Errors: 0, Skipped: 0 >>> [INFO] ------------------------------------------------- >>> >>> >>> *[ERROR] The following builds failed:[ERROR] * test1/pom.xml[ERROR] * >>> test2/pom.xml* >>> [INFO] ------------------------------------------------- >>> [INFO] >>> ------------------------------------------------------------------------ >>> [INFO] BUILD FAILURE >>> [INFO] >>> ------------------------------------------------------------------------ >>> [INFO] Total time: 41.738 s >>> [INFO] Finished at: 2023-06-21T19:46:30Z >>> [INFO] >>> ------------------------------------------------------------------------ >>> [ERROR] Failed to execute goal >>> org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify (default) on >>> project axis2-aar-maven-plugin: 2 builds failed. See console output above >>> for details. -> [Help 1] >>> org.apache.maven.lifecycle.LifecycleExecutionException: Failed to >>> execute goal org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify >>> (default) on project axis2-aar-maven-plugin: 2 builds failed. See console >>> output above for details. >>> at org.apache.maven.lifecycle.internal.MojoExecutor.execute >>> (MojoExecutor.java:213) >>> at org.apache.maven.lifecycle.internal.MojoExecutor.execute >>> (MojoExecutor.java:154) >>> at org.apache.maven.lifecycle.internal.MojoExecutor.execute >>> (MojoExecutor.java:146) >>> at >>> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject >>> (LifecycleModuleBuilder.java:117) >>> at >>> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject >>> (LifecycleModuleBuilder.java:81) >>> at >>> org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build >>> (SingleThreadedBuilder.java:56) >>> at org.apache.maven.lifecycle.internal.LifecycleStarter.execute >>> (LifecycleStarter.java:128) >>> at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) >>> at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) >>> at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) >>> at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954) >>> at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) >>> at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) >>> at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) >>> at sun.reflect.NativeMethodAccessorImpl.invoke >>> (NativeMethodAccessorImpl.java:62) >>> at sun.reflect.DelegatingMethodAccessorImpl.invoke >>> (DelegatingMethodAccessorImpl.java:43) >>> at java.lang.reflect.Method.invoke (Method.java:498) >>> at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced >>> (Launcher.java:289) >>> at org.codehaus.plexus.classworlds.launcher.Launcher.launch >>> (Launcher.java:229) >>> at >>> org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode >>> (Launcher.java:415) >>> at org.codehaus.plexus.classworlds.launcher.Launcher.main >>> (Launcher.java:356) >>> Caused by: org.apache.maven.plugin.MojoFailureException: 2 builds >>> failed. See console output above for details. >>> at org.apache.maven.plugins.invoker.InvokerSession.handleFailures >>> (InvokerSession.java:285) >>> at org.apache.maven.plugins.invoker.VerifyMojo.execute >>> (VerifyMojo.java:153) >>> at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo >>> (DefaultBuildPluginManager.java:137) >>> at org.apache.maven.lifecycle.internal.MojoExecutor.execute >>> (MojoExecutor.java:208) >>> at org.apache.maven.lifecycle.internal.MojoExecutor.execute >>> (MojoExecutor.java:154) >>> at org.apache.maven.lifecycle.internal.MojoExecutor.execute >>> (MojoExecutor.java:146) >>> at >>> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject >>> (LifecycleModuleBuilder.java:117) >>> at >>> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject >>> (LifecycleModuleBuilder.java:81) >>> at >>> org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build >>> (SingleThreadedBuilder.java:56) >>> at org.apache.maven.lifecycle.internal.LifecycleStarter.execute >>> (LifecycleStarter.java:128) >>> at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) >>> at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) >>> at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) >>> at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954) >>> at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288) >>> at org.apache.maven.cli.MavenCli.main (MavenCli.java:192) >>> at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method) >>> at sun.reflect.NativeMethodAccessorImpl.invoke >>> (NativeMethodAccessorImpl.java:62) >>> at sun.reflect.DelegatingMethodAccessorImpl.invoke >>> (DelegatingMethodAccessorImpl.java:43) >>> at java.lang.reflect.Method.invoke (Method.java:498) >>> at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced >>> (Launcher.java:289) >>> at org.codehaus.plexus.classworlds.launcher.Launcher.launch >>> (Launcher.java:229) >>> at >>> org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode >>> (Launcher.java:415) >>> at org.codehaus.plexus.classworlds.launcher.Launcher.main >>> (Launcher.java:356) >>> [ERROR] >>> >>> >>> Thanks, >>> -Steve >>> >>> >>> >>> On Wed, Jun 21, 2023 at 2:26 PM robertlazarski <robertlazar...@gmail.com> >>> wrote: >>> >>>> We are right in the middle of trying to get an Apache Rampart release >>>> out and cannot always respond to every Axis2 dep with a CVE. >>>> >>>> First of all you may not actually need those deps. Not all deps are >>>> mandatory. >>>> >>>> Secondly, the only thing Axis2 will do is update the pom.xml and indeed >>>> via GitHub Dependabot that happens automatically. >>>> >>>> Without building from source, the way I manage these deps is by using >>>> Maven exclusions in the pom.xml of my day job. >>>> >>>> Using "mvn -X" will show the dependency tree, and with the right config >>>> you can update the jars that way. >>>> >>>> On Wed, Jun 21, 2023 at 6:30 AM Steven Saunders <sjs...@gmail.com> >>>> wrote: >>>> >>>>> Hi Axis2 Dev Mailing List, >>>>> >>>>> There are some more recent CVEs against Jettison 1.5.0 and Spring >>>>> Framework 5.3.21 that are in Axis2 v1.8.2 (latest release). >>>>> >>>>> Would it be possible to get an Axis2 build with these module >>>>> components updated to last release versions? >>>>> >>>>> Do I need to download Axis2 1.8.2 source and try to maven build it >>>>> locally with these modules updated to the new release versions instead? >>>>> >>>>> Details: >>>>> Jettison v1.5.4 addresses CVE-2023-1436 (CVSS v3.1 score in NVD is 7.5) >>>>> Spring Framework v5.3.27 addresses CVE-2023-20863 (CVSS v3.1 score in >>>>> NVD is 6.5) >>>>> >>>>> Thanks, >>>>> -Steven Saunder >>>>> >>>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org >>> For additional commands, e-mail: java-dev-h...@axis.apache.org >> >>
