I suspect you are having some type of JDK issue or an issue with your very
old Apache Maven 3.5.4 on CentOS 8.
I was able to compile the 1.8.2 source distro on CentOS 7 with OpenJDK 11
(not the default) and Maven 3.6.3.
Strangely, using Maven 3.6.3 on Ubuntu 20-04 that is the default version, I
had to use a more modern Maven version - the latest in my case has some
other questionable features but 3.8.8 was ok.
So, in the end I was able to use JDK 17 and Maven 3.8.8 on Ubuntu 20-04.
I looked more into jettison and unless you are using JSON features that are
not enabled by default and will break typical XML SOAP handling, just skip
it entirely.
The Spring deps are only required if using
org.apache.axis2.extensions.spring.receivers.SpringServletContextObjectSupplier
in a custom Spring config.
On Thu, Jun 22, 2023 at 9:35 AM robertlazarski <robertlazar...@gmail.com>
wrote:
> I suspect you are having some type of JDK issue or an issue with your very
> old Apache Maven 3.5.4.
>
> I was able to compile the 1.8.2 source distro on CentOS 7 with OpenJDK 11
> and Maven 3.6.3.
>
> Strangely, using Maven 3.6.3 on Ubuntu 20-04 that is the default, I had to
> use a more modern Maven version - the latest in my case has some other
> questionable features but 3.8.8 was ok.
>
> I looked more into jettison and unless you are using JSON features that
> are not enabled by default and will break typical XML SOAP handling, just
> skip it entirely.
>
> The Spring deps are only required if using
> org.apache.axis2.extensions.spring.receivers.SpringServletContextObjectSupplier
> in a Spring config.
>
>
> On Wed, Jun 21, 2023 at 1:54 PM Steven Saunders <sjs...@gmail.com> wrote:
>
>> Hi robertlazarski,
>>
>> I really appreciate the quick response and willingness to help!
>> My build image is OS RedHat 8 Linux x86_64 for the platform if that
>> helps. I can also build on RedHat 7 or a Ubuntu 20.04 LTS if any of those
>> are better or might now have these issues. I have many VMs of other Linux
>> distributions too. Please suggest best OS and version to get a clean build
>> of latest Axis2 release.
>>
>> I tried your suggestion of building modules/tool/axis2-aar-maven-plugin
>> with -Dmaven.test.skip.exec=true but that didn't work so I tried it with
>> -Dmaven.test.skip=true from search internet and that didn't stop the tests
>> either. So found another wroundaround to avoid the executions by
>> commenting it out of the modules/tool/axis2-aar-maven-plugin/pom.xml
>> altogether, e.g.
>> axis2-1.8.2/modules/tool/axis2-aar-maven-plugin/pom.xml:
>> <plugin>
>> <artifactId>maven-invoker-plugin</artifactId>
>> *<!--*executions>
>> <execution>
>> <goals>
>> <goal>integration-test</goal>
>> <goal>verify</goal>
>> </goals>
>> <configuration>
>>
>> <cloneProjectsTo>${project.build.directory}/it</cloneProjectsTo>
>>
>> <postBuildHookScript>verify</postBuildHookScript>
>> </configuration>
>> </execution>
>> </executions*-->*
>> </plugin>
>>
>>
>> After that was resolved and the plugin built I went back to the root and
>> ran mvn install and got this error next.
>> Seems from the AXIS2-5782 build.log (assume AXIS2-5782 relates to the old
>> JIRA of same name) the root exception from
>> axis2-1.8.2/modules/tool/axis2-repo-maven-plugin/target/it/AXIS2-5782/build.log
>> (attached) is:
>> Caused by: java.security.AccessControlException: access denied
>> ("java.io.FilePermission" "/usr/share/publicsuffix/effective_tld_names.dat"
>> "read")
>>
>> I checked and the file is there with read permissions for everyone but is
>> a link to another file that has read permissions for everyone also:
>>
>> bash-4.4$ ls -al /usr/share/publicsuffix/effective_tld_names.dat
>> lrwxrwxrwx 1 root root 22 Mar 7 2019
>> /usr/share/publicsuffix/effective_tld_names.dat -> public_suffix_list.dat
>> bash-4.4$ ls -al /usr/share/publicsuffix/public_suffix_list.dat
>> -rw-r--r-- 1 root root 208604 Mar 7 2019
>> /usr/share/publicsuffix/public_suffix_list.dat
>>
>>
>> bash-4.4$ cat /usr/share/publicsuffix/public_suffix_list.dat
>>
>> and,
>> bash-4.4$ cat /usr/share/publicsuffix/effective_tld_names.dat
>> Shows same user as build can read file contents without an issue.
>>
>> Also, did a move of the link to another name and copied the
>> public_suffix_list.dat to an actual file named effective_tld_names.dat
>> incase the issue was with using a link and build gave same error.
>>
>>
>>
>> I tried to also comment out the executions
>> in
>> axis2-1.8.2/modules/tool/axis2-repo-maven-plugin/src/it/AXIS2-5782/pom.xml,
>> e.g:
>> *<!--*executions>
>> <execution>
>> <goals>
>> <goal>create-repository</goal>
>> </goals>
>> <configuration>
>> <modules>
>> addressing,
>> ping
>> </modules>
>> </configuration>
>> </execution>
>> </executions*-->*
>> It didn't stop the same error.
>>
>> I am stuck.
>>
>> Summary of build error from console:
>>
>> [INFO] --- maven-invoker-plugin:3.3.0:integration-test (default) @
>> axis2-repo-maven-plugin ---
>> [INFO] Building: AXIS2-5782/pom.xml
>> [INFO] The build exited with code 1. See
>> axis2-1.8.2/modules/tool/axis2-repo-maven-plugin/target/it/AXIS2-5782/build.log
>> for details.
>> [INFO] AXIS2-5782/pom.xml ...............................
>> FAILED (3.1 s)
>> [INFO]
>> ...
>> [INFO] Build Summary:
>> [INFO] Passed: 0, *Failed: 1,* Errors: 0, Skipped: 0
>> [INFO] -------------------------------------------------
>> *[ERROR] The following builds failed:*
>> *[ERROR] * AXIS2-5782/pom.xml*
>> [INFO] -------------------------------------------------
>> [INFO]
>> ------------------------------------------------------------------------
>> [INFO] Reactor Summary:
>> [INFO]
>> [INFO] Apache Axis2 - Root 1.8.2 .......................... SUCCESS [
>> 15.251 s]
>> [INFO] Apache Axis2 - Resource bundle ..................... SUCCESS [
>> 2.896 s]
>> [INFO] Apache Axis2 - Kernel .............................. SUCCESS [
>> 21.702 s]
>> [INFO] Apache Axis2 - Data Binding ........................ SUCCESS [
>> 6.657 s]
>> [INFO] Apache Axis2 - Transport - Local ................... SUCCESS [
>> 14.591 s]
>> [INFO] Apache Axis2 - Addressing .......................... SUCCESS [
>> 16.085 s]
>> [INFO] Apache Axis2 - Transport - Base .................... SUCCESS [
>> 6.679 s]
>> [INFO] Apache Axis2 - Ping ................................ SUCCESS [
>> 2.082 s]
>> [INFO] Apache Axis2 - MEX ................................. SUCCESS [
>> 2.237 s]
>> *[INFO] axis2-repo-maven-plugin ............................ FAILURE [
>> 17.848 s]*
>> [INFO] Apache Axis2 - Transport - testkit ................. SKIPPED
>> [INFO] Apache Axis2 - Transport - HTTP .................... SKIPPED
>> [INFO] Apache Axis2 - Code Generation ..................... SKIPPED
>> [INFO] Apache Axis2 - ADB Codegen ......................... SKIPPED
>> [INFO] Apache Axis2 - Clustering .......................... SKIPPED
>> [INFO] Apache Axis2 - SAAJ ................................ SKIPPED
>> ...
>>
>> (see build.log mentioned above and full log attached with -X option for
>> mvn install attached).
>>
>> Tried it with Open JDK 11 and 1.8 versions.
>> Tried it with -Dmaven.test.skip.exec=true and -Dmaven.test.skip=true but
>> still didn't work here.
>>
>> I then commented out the executions in the AXIS2-5792/pom.xml to get past
>> that error but still fails with "The following builds failed: *
>> AXIS2-5782" but still the same error.
>>
>> Thanks,
>> -Steve
>>
>> On Wed, Jun 21, 2023 at 4:10 PM robertlazarski <robertlazar...@gmail.com>
>> wrote:
>>
>>> I looked at the attached logs and I suspect that the unit tests are not
>>> multi-platform really.
>>>
>>> I suggest seeing if skipping the tests help via -Dmaven.test.skip.exec.
>>>
>>> On Wed, Jun 21, 2023 at 10:01 AM Steven Saunders <sjs...@gmail.com>
>>> wrote:
>>>
>>>> Hi robertlazarski,
>>>>
>>>> I am fine with handling upgrading and building locally from maven and
>>>> the axis2 1.8.2 src download or trying to remove the jars that have the
>>>> vulnerabilities and deploy the WAR and if it starts run my test bed for our
>>>> web services to see if there is a problem.
>>>>
>>>> As far as building I may need help.
>>>> I downloaded the axis2 source zip and followed the README.txt in it to
>>>> do mvn install from root and that failed as expected due to the custom
>>>> maven plugins used by Axis2. So following the instructions further to
>>>> manually build those two modules in their project directories:
>>>> modules/tool/axis2-mar-maven-plugin
>>>> modules/tool/axis2-aar-maven-plugin
>>>> but the second one failed.
>>>>
>>>> Full maven -X install is attached.
>>>>
>>>> Is this a known issue? Do I set ignoreFailures = true?
>>>> Can you tell me what I am missing as the errors look like failure in
>>>> validation tests of a module?
>>>>
>>>> Error summary was:
>>>> [INFO] --- maven-invoker-plugin:3.3.0:verify (default) @
>>>> axis2-aar-maven-plugin ---
>>>> [DEBUG] Configuring mojo
>>>> org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify from plugin
>>>> realm
>>>> ClassRealm[plugin>org.apache.maven.plugins:maven-invoker-plugin:3.3.0,
>>>> parent: sun.misc.Launcher$AppClassLoader@7852e922]
>>>> [DEBUG] Configuring mojo
>>>> 'org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify' with basic
>>>> configurator -->
>>>> [DEBUG] (f) ignoreFailures = false
>>>> [DEBUG] (f) reportsDirectory =
>>>> /scratch/sjsaunde/documaker/axis2-source/axis2-1.8.2/modules/tool/axis2-aar-maven-plugin/target/invoker-reports
>>>> [DEBUG] (f) skipInvocation = false
>>>> [DEBUG] (f) streamLogsOnFailures = false
>>>> [DEBUG] (f) suppressSummaries = false
>>>> [DEBUG] -- end configuration --
>>>> [INFO] -------------------------------------------------
>>>> [INFO] Build Summary:
>>>> [INFO] Passed: 0,* Failed: 2*, Errors: 0, Skipped: 0
>>>> [INFO] -------------------------------------------------
>>>>
>>>>
>>>> *[ERROR] The following builds failed:[ERROR] * test1/pom.xml[ERROR] *
>>>> test2/pom.xml*
>>>> [INFO] -------------------------------------------------
>>>> [INFO]
>>>> ------------------------------------------------------------------------
>>>> [INFO] BUILD FAILURE
>>>> [INFO]
>>>> ------------------------------------------------------------------------
>>>> [INFO] Total time: 41.738 s
>>>> [INFO] Finished at: 2023-06-21T19:46:30Z
>>>> [INFO]
>>>> ------------------------------------------------------------------------
>>>> [ERROR] Failed to execute goal
>>>> org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify (default) on
>>>> project axis2-aar-maven-plugin: 2 builds failed. See console output above
>>>> for details. -> [Help 1]
>>>> org.apache.maven.lifecycle.LifecycleExecutionException: Failed to
>>>> execute goal org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify
>>>> (default) on project axis2-aar-maven-plugin: 2 builds failed. See console
>>>> output above for details.
>>>> at org.apache.maven.lifecycle.internal.MojoExecutor.execute
>>>> (MojoExecutor.java:213)
>>>> at org.apache.maven.lifecycle.internal.MojoExecutor.execute
>>>> (MojoExecutor.java:154)
>>>> at org.apache.maven.lifecycle.internal.MojoExecutor.execute
>>>> (MojoExecutor.java:146)
>>>> at
>>>> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject
>>>> (LifecycleModuleBuilder.java:117)
>>>> at
>>>> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject
>>>> (LifecycleModuleBuilder.java:81)
>>>> at
>>>> org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build
>>>> (SingleThreadedBuilder.java:56)
>>>> at org.apache.maven.lifecycle.internal.LifecycleStarter.execute
>>>> (LifecycleStarter.java:128)
>>>> at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
>>>> at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
>>>> at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
>>>> at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954)
>>>> at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
>>>> at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
>>>> at sun.reflect.NativeMethodAccessorImpl.invoke
>>>> (NativeMethodAccessorImpl.java:62)
>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke
>>>> (DelegatingMethodAccessorImpl.java:43)
>>>> at java.lang.reflect.Method.invoke (Method.java:498)
>>>> at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced
>>>> (Launcher.java:289)
>>>> at org.codehaus.plexus.classworlds.launcher.Launcher.launch
>>>> (Launcher.java:229)
>>>> at
>>>> org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode
>>>> (Launcher.java:415)
>>>> at org.codehaus.plexus.classworlds.launcher.Launcher.main
>>>> (Launcher.java:356)
>>>> Caused by: org.apache.maven.plugin.MojoFailureException: 2 builds
>>>> failed. See console output above for details.
>>>> at org.apache.maven.plugins.invoker.InvokerSession.handleFailures
>>>> (InvokerSession.java:285)
>>>> at org.apache.maven.plugins.invoker.VerifyMojo.execute
>>>> (VerifyMojo.java:153)
>>>> at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo
>>>> (DefaultBuildPluginManager.java:137)
>>>> at org.apache.maven.lifecycle.internal.MojoExecutor.execute
>>>> (MojoExecutor.java:208)
>>>> at org.apache.maven.lifecycle.internal.MojoExecutor.execute
>>>> (MojoExecutor.java:154)
>>>> at org.apache.maven.lifecycle.internal.MojoExecutor.execute
>>>> (MojoExecutor.java:146)
>>>> at
>>>> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject
>>>> (LifecycleModuleBuilder.java:117)
>>>> at
>>>> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject
>>>> (LifecycleModuleBuilder.java:81)
>>>> at
>>>> org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build
>>>> (SingleThreadedBuilder.java:56)
>>>> at org.apache.maven.lifecycle.internal.LifecycleStarter.execute
>>>> (LifecycleStarter.java:128)
>>>> at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
>>>> at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
>>>> at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
>>>> at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954)
>>>> at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
>>>> at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
>>>> at sun.reflect.NativeMethodAccessorImpl.invoke
>>>> (NativeMethodAccessorImpl.java:62)
>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke
>>>> (DelegatingMethodAccessorImpl.java:43)
>>>> at java.lang.reflect.Method.invoke (Method.java:498)
>>>> at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced
>>>> (Launcher.java:289)
>>>> at org.codehaus.plexus.classworlds.launcher.Launcher.launch
>>>> (Launcher.java:229)
>>>> at
>>>> org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode
>>>> (Launcher.java:415)
>>>> at org.codehaus.plexus.classworlds.launcher.Launcher.main
>>>> (Launcher.java:356)
>>>> [ERROR]
>>>>
>>>>
>>>> Thanks,
>>>> -Steve
>>>>
>>>>
>>>>
>>>> On Wed, Jun 21, 2023 at 2:26 PM robertlazarski <
>>>> robertlazar...@gmail.com> wrote:
>>>>
>>>>> We are right in the middle of trying to get an Apache Rampart release
>>>>> out and cannot always respond to every Axis2 dep with a CVE.
>>>>>
>>>>> First of all you may not actually need those deps. Not all deps are
>>>>> mandatory.
>>>>>
>>>>> Secondly, the only thing Axis2 will do is update the pom.xml and
>>>>> indeed via GitHub Dependabot that happens automatically.
>>>>>
>>>>> Without building from source, the way I manage these deps is by using
>>>>> Maven exclusions in the pom.xml of my day job.
>>>>>
>>>>> Using "mvn -X" will show the dependency tree, and with the right
>>>>> config you can update the jars that way.
>>>>>
>>>>> On Wed, Jun 21, 2023 at 6:30 AM Steven Saunders <sjs...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Axis2 Dev Mailing List,
>>>>>>
>>>>>> There are some more recent CVEs against Jettison 1.5.0 and Spring
>>>>>> Framework 5.3.21 that are in Axis2 v1.8.2 (latest release).
>>>>>>
>>>>>> Would it be possible to get an Axis2 build with these module
>>>>>> components updated to last release versions?
>>>>>>
>>>>>> Do I need to download Axis2 1.8.2 source and try to maven build it
>>>>>> locally with these modules updated to the new release versions instead?
>>>>>>
>>>>>> Details:
>>>>>> Jettison v1.5.4 addresses CVE-2023-1436 (CVSS v3.1 score in NVD is
>>>>>> 7.5)
>>>>>> Spring Framework v5.3.27 addresses CVE-2023-20863 (CVSS v3.1 score in
>>>>>> NVD is 6.5)
>>>>>>
>>>>>> Thanks,
>>>>>> -Steven Saunder
>>>>>>
>>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
>>>> For additional commands, e-mail: java-dev-h...@axis.apache.org
>>>
>>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
>> For additional commands, e-mail: java-dev-h...@axis.apache.org
>
>
