I did some investigation. The Axis2 build doesn't work with Maven < 3.6.0.
I've updated the minimum required version at HEAD to 3.6.0. Also, there is
a problem with the Maven version distributed with RHEL/CentOS (even if it's
>= 3.6.0, as in RHEL 9). That's fixed at HEAD now too. Building older Axis2
1.8.2 should be possible by downloading and manually installing Maven.

Andreas

On Thu, Jun 22, 2023 at 8:38 PM robertlazarski <robertlazar...@gmail.com>
wrote:

> I suspect you are having some type of JDK issue or an issue with your very
> old Apache Maven 3.5.4 on CentOS 8.
>
> I was able to compile the 1.8.2 source distro on CentOS 7 with OpenJDK 11
> (not the default) and Maven 3.6.3.
>
> Strangely, using Maven 3.6.3 on Ubuntu 20-04 that is the default version,
> I had to use a more modern Maven version - the latest in my case has some
> other questionable features but 3.8.8 was ok.
>
> So, in the end I was able to use JDK 17 and Maven 3.8.8 on Ubuntu 20-04.
>
> I looked more into jettison and unless you are using JSON features that
> are not enabled by default and will break typical XML SOAP handling, just
> skip it entirely.
>
> The Spring deps are only required if using
> org.apache.axis2.extensions.spring.receivers.SpringServletContextObjectSupplier
> in a custom Spring config.
>
> On Thu, Jun 22, 2023 at 9:35 AM robertlazarski <robertlazar...@gmail.com>
> wrote:
>
>> I suspect you are having some type of JDK issue or an issue with your
>> very old Apache Maven 3.5.4.
>>
>> I was able to compile the 1.8.2 source distro on CentOS 7 with OpenJDK 11
>> and Maven 3.6.3.
>>
>> Strangely, using Maven 3.6.3 on Ubuntu 20-04 that is the default, I had
>> to use a more modern Maven version - the latest in my case has some other
>> questionable features but 3.8.8 was ok.
>>
>> I looked more into jettison and unless you are using JSON features that
>> are not enabled by default and will break typical XML SOAP handling, just
>> skip it entirely.
>>
>> The Spring deps are only required if using
>> org.apache.axis2.extensions.spring.receivers.SpringServletContextObjectSupplier
>> in a Spring config.
>>
>>
>> On Wed, Jun 21, 2023 at 1:54 PM Steven Saunders <sjs...@gmail.com> wrote:
>>
>>> Hi robertlazarski,
>>>
>>> I really appreciate the quick response and willingness to help!
>>> My build image is OS RedHat 8 Linux x86_64 for the platform if that
>>> helps. I can also build on RedHat 7 or a Ubuntu 20.04 LTS if any of those
>>> are better or might now have these issues.  I have many VMs of other Linux
>>> distributions too.  Please suggest best OS and version to get a clean build
>>> of latest Axis2 release.
>>>
>>> I tried your suggestion of building modules/tool/axis2-aar-maven-plugin
>>> with -Dmaven.test.skip.exec=true but that didn't work so I tried it with
>>> -Dmaven.test.skip=true from search internet and that didn't stop the tests
>>> either.  So found another workaround to avoid the executions by
>>> commenting it out of the modules/tool/axis2-aar-maven-plugin/pom.xml
>>> altogether, e.g.
>>>       axis2-1.8.2/modules/tool/axis2-aar-maven-plugin/pom.xml:
>>>            <plugin>
>>>                 <artifactId>maven-invoker-plugin</artifactId>
>>>                 *<!--*executions>
>>>                     <execution>
>>>                         <goals>
>>>                             <goal>integration-test</goal>
>>>                             <goal>verify</goal>
>>>                         </goals>
>>>                         <configuration>
>>>                             <cloneProjectsTo>${project.build.directory}/it</cloneProjectsTo>
>>>                             <postBuildHookScript>verify</postBuildHookScript>
>>>                         </configuration>
>>>                     </execution>
>>>                 </executions*-->*
>>>             </plugin>
>>>
>>>
>>> After that was resolved and the plugin built I went back to the root and
>>> ran mvn install and got this error next.
>>> Seems from the AXIS2-5782 build.log (assume AXIS2-5782 relates to the
>>> old JIRA of same name) the root exception from
>>> axis2-1.8.2/modules/tool/axis2-repo-maven-plugin/target/it/AXIS2-5782/build.log
>>> (attached) is:
>>>     Caused by: java.security.AccessControlException: access denied
>>> ("java.io.FilePermission" "/usr/share/publicsuffix/effective_tld_names.dat"
>>> "read")
>>>
>>> I checked and the file is there with read permissions for everyone but
>>> is a link to another file that has read permissions for everyone also:
>>>
>>> bash-4.4$ ls -al /usr/share/publicsuffix/effective_tld_names.dat
>>> lrwxrwxrwx 1 root root 22 Mar 7  2019
>>> /usr/share/publicsuffix/effective_tld_names.dat -> public_suffix_list.dat
>>> bash-4.4$ ls -al /usr/share/publicsuffix/public_suffix_list.dat
>>> -rw-r--r-- 1 root root 208604 Mar  7  2019
>>> /usr/share/publicsuffix/public_suffix_list.dat
>>>
>>>
>>> bash-4.4$ cat /usr/share/publicsuffix/public_suffix_list.dat
>>>
>>> and,
>>> bash-4.4$ cat /usr/share/publicsuffix/effective_tld_names.dat
>>> Shows same user as build can read file contents without an issue.
>>>
>>> Also, did a move of the link to another name and copied the
>>> public_suffix_list.dat to an actual file named effective_tld_names.dat
>>> in case the issue was with using a link and build gave same error.
>>>
>>>
>>>
>>> I tried to also comment out the executions
>>> in 
>>> axis2-1.8.2/modules/tool/axis2-repo-maven-plugin/src/it/AXIS2-5782/pom.xml,
>>> e.g:
>>>                 *<!--*executions>
>>>                     <execution>
>>>                         <goals>
>>>                             <goal>create-repository</goal>
>>>                         </goals>
>>>                         <configuration>
>>>                             <modules>
>>>                                 addressing,
>>>                                 ping
>>>                             </modules>
>>>                         </configuration>
>>>                     </execution>
>>>                 </executions*-->*
>>> It didn't stop the same error.
>>>
>>> I am stuck.
>>>
>>> Summary of build error from console:
>>>
>>> [INFO] --- maven-invoker-plugin:3.3.0:integration-test (default) @
>>> axis2-repo-maven-plugin ---
>>> [INFO] Building: AXIS2-5782/pom.xml
>>> [INFO]   The build exited with code 1. See
>>> axis2-1.8.2/modules/tool/axis2-repo-maven-plugin/target/it/AXIS2-5782/build.log
>>> for details.
>>> [INFO]           AXIS2-5782/pom.xml ...............................
>>> FAILED (3.1 s)
>>> [INFO]
>>> ...
>>> [INFO] Build Summary:
>>> [INFO]   Passed: 0, *Failed: 1,* Errors: 0, Skipped: 0
>>> [INFO] -------------------------------------------------
>>> *[ERROR] The following builds failed:*
>>> *[ERROR] *  AXIS2-5782/pom.xml*
>>> [INFO] -------------------------------------------------
>>> [INFO]
>>> ------------------------------------------------------------------------
>>> [INFO] Reactor Summary:
>>> [INFO]
>>> [INFO] Apache Axis2 - Root 1.8.2 .......................... SUCCESS [
>>> 15.251 s]
>>> [INFO] Apache Axis2 - Resource bundle ..................... SUCCESS [
>>>  2.896 s]
>>> [INFO] Apache Axis2 - Kernel .............................. SUCCESS [
>>> 21.702 s]
>>> [INFO] Apache Axis2 - Data Binding ........................ SUCCESS [
>>>  6.657 s]
>>> [INFO] Apache Axis2 - Transport - Local ................... SUCCESS [
>>> 14.591 s]
>>> [INFO] Apache Axis2 - Addressing .......................... SUCCESS [
>>> 16.085 s]
>>> [INFO] Apache Axis2 - Transport - Base .................... SUCCESS [
>>>  6.679 s]
>>> [INFO] Apache Axis2 - Ping ................................ SUCCESS [
>>>  2.082 s]
>>> [INFO] Apache Axis2 - MEX ................................. SUCCESS [
>>>  2.237 s]
>>> *[INFO] axis2-repo-maven-plugin ............................ FAILURE [
>>> 17.848 s]*
>>> [INFO] Apache Axis2 - Transport - testkit ................. SKIPPED
>>> [INFO] Apache Axis2 - Transport - HTTP .................... SKIPPED
>>> [INFO] Apache Axis2 - Code Generation ..................... SKIPPED
>>> [INFO] Apache Axis2 - ADB Codegen ......................... SKIPPED
>>> [INFO] Apache Axis2 - Clustering .......................... SKIPPED
>>> [INFO] Apache Axis2 - SAAJ ................................ SKIPPED
>>> ...
>>>
>>> (see build.log mentioned above and full log attached with -X option for
>>> mvn install attached).
>>>
>>> Tried it with Open JDK 11 and 1.8 versions.
>>> Tried it with -Dmaven.test.skip.exec=true and -Dmaven.test.skip=true but
>>> still didn't work here.
>>>
>>> I then commented out the executions in the AXIS2-5792/pom.xml to get
>>> past that error but still fails with "The following builds failed:  *
>>> AXIS2-5782" but still the same error.
>>>
>>> Thanks,
>>> -Steve
>>>
>>> On Wed, Jun 21, 2023 at 4:10 PM robertlazarski <robertlazar...@gmail.com>
>>> wrote:
>>>
>>>> I looked at the attached logs and I suspect that the unit tests are not
>>>> multi-platform really.
>>>>
>>>> I suggest seeing if skipping the tests help via -Dmaven.test.skip.exec.
>>>>
>>>>
>>>> On Wed, Jun 21, 2023 at 10:01 AM Steven Saunders <sjs...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi robertlazarski,
>>>>>
>>>>> I am fine with handling upgrading and building locally from maven and
>>>>> the axis2 1.8.2 src download or trying to remove the jars that have the
>>>>> vulnerabilities and deploy the WAR and if it starts run my test bed for
>>>>> our web services to see if there is a problem.
>>>>>
>>>>> As far as building I may need help.
>>>>> I downloaded the axis2 source zip and followed the README.txt in it to
>>>>> do mvn install from root and that failed as expected due to the custom
>>>>> maven plugins used by Axis2.  So following the instructions further to
>>>>> manually build those two modules in their project directories:
>>>>>    modules/tool/axis2-mar-maven-plugin
>>>>>    modules/tool/axis2-aar-maven-plugin
>>>>> but the second one failed.
>>>>>
>>>>> Full maven -X install is attached.
>>>>>
>>>>> Is this a known issue?  Do I set ignoreFailures = true?
>>>>> Can you tell me what I am missing as the errors look like failure in
>>>>> validation tests of a module?
>>>>>
>>>>> Error summary was:
>>>>> [INFO] --- maven-invoker-plugin:3.3.0:verify (default) @
>>>>> axis2-aar-maven-plugin ---
>>>>> [DEBUG] Configuring mojo
>>>>> org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify from plugin
>>>>> realm
>>>>> ClassRealm[plugin>org.apache.maven.plugins:maven-invoker-plugin:3.3.0,
>>>>> parent: sun.misc.Launcher$AppClassLoader@7852e922]
>>>>> [DEBUG] Configuring mojo
>>>>> 'org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify' with basic
>>>>> configurator -->
>>>>> [DEBUG]   (f) ignoreFailures = false
>>>>> [DEBUG]   (f) reportsDirectory =
>>>>> /scratch/sjsaunde/documaker/axis2-source/axis2-1.8.2/modules/tool/axis2-aar-maven-plugin/target/invoker-reports
>>>>> [DEBUG]   (f) skipInvocation = false
>>>>> [DEBUG]   (f) streamLogsOnFailures = false
>>>>> [DEBUG]   (f) suppressSummaries = false
>>>>> [DEBUG] -- end configuration --
>>>>> [INFO] -------------------------------------------------
>>>>> [INFO] Build Summary:
>>>>> [INFO]   Passed: 0,* Failed: 2*, Errors: 0, Skipped: 0
>>>>> [INFO] -------------------------------------------------
>>>>>
>>>>>
>>>>> [ERROR] The following builds failed:
>>>>> [ERROR] *  test1/pom.xml
>>>>> [ERROR] *  test2/pom.xml
>>>>> [INFO] -------------------------------------------------
>>>>> [INFO]
>>>>> ------------------------------------------------------------------------
>>>>> [INFO] BUILD FAILURE
>>>>> [INFO]
>>>>> ------------------------------------------------------------------------
>>>>> [INFO] Total time: 41.738 s
>>>>> [INFO] Finished at: 2023-06-21T19:46:30Z
>>>>> [INFO]
>>>>> ------------------------------------------------------------------------
>>>>> [ERROR] Failed to execute goal
>>>>> org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify (default) on
>>>>> project axis2-aar-maven-plugin: 2 builds failed. See console output above
>>>>> for details. -> [Help 1]
>>>>> org.apache.maven.lifecycle.LifecycleExecutionException: Failed to
>>>>> execute goal org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify
>>>>> (default) on project axis2-aar-maven-plugin: 2 builds failed. See console
>>>>> output above for details.
>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute
>>>>> (MojoExecutor.java:213)
>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute
>>>>> (MojoExecutor.java:154)
>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute
>>>>> (MojoExecutor.java:146)
>>>>>     at
>>>>> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject
>>>>> (LifecycleModuleBuilder.java:117)
>>>>>     at
>>>>> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject
>>>>> (LifecycleModuleBuilder.java:81)
>>>>>     at
>>>>> org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build
>>>>> (SingleThreadedBuilder.java:56)
>>>>>     at org.apache.maven.lifecycle.internal.LifecycleStarter.execute
>>>>> (LifecycleStarter.java:128)
>>>>>     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
>>>>>     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
>>>>>     at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
>>>>>     at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954)
>>>>>     at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
>>>>>     at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke
>>>>> (NativeMethodAccessorImpl.java:62)
>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke
>>>>> (DelegatingMethodAccessorImpl.java:43)
>>>>>     at java.lang.reflect.Method.invoke (Method.java:498)
>>>>>     at
>>>>> org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced
>>>>> (Launcher.java:289)
>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.launch
>>>>> (Launcher.java:229)
>>>>>     at
>>>>> org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode
>>>>> (Launcher.java:415)
>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.main
>>>>> (Launcher.java:356)
>>>>> Caused by: org.apache.maven.plugin.MojoFailureException: 2 builds
>>>>> failed. See console output above for details.
>>>>>     at org.apache.maven.plugins.invoker.InvokerSession.handleFailures
>>>>> (InvokerSession.java:285)
>>>>>     at org.apache.maven.plugins.invoker.VerifyMojo.execute
>>>>> (VerifyMojo.java:153)
>>>>>     at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo
>>>>> (DefaultBuildPluginManager.java:137)
>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute
>>>>> (MojoExecutor.java:208)
>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute
>>>>> (MojoExecutor.java:154)
>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute
>>>>> (MojoExecutor.java:146)
>>>>>     at
>>>>> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject
>>>>> (LifecycleModuleBuilder.java:117)
>>>>>     at
>>>>> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject
>>>>> (LifecycleModuleBuilder.java:81)
>>>>>     at
>>>>> org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build
>>>>> (SingleThreadedBuilder.java:56)
>>>>>     at org.apache.maven.lifecycle.internal.LifecycleStarter.execute
>>>>> (LifecycleStarter.java:128)
>>>>>     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
>>>>>     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
>>>>>     at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
>>>>>     at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954)
>>>>>     at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
>>>>>     at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke
>>>>> (NativeMethodAccessorImpl.java:62)
>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke
>>>>> (DelegatingMethodAccessorImpl.java:43)
>>>>>     at java.lang.reflect.Method.invoke (Method.java:498)
>>>>>     at
>>>>> org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced
>>>>> (Launcher.java:289)
>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.launch
>>>>> (Launcher.java:229)
>>>>>     at
>>>>> org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode
>>>>> (Launcher.java:415)
>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.main
>>>>> (Launcher.java:356)
>>>>> [ERROR]
>>>>>
>>>>>
>>>>> Thanks,
>>>>> -Steve
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Jun 21, 2023 at 2:26 PM robertlazarski <
>>>>> robertlazar...@gmail.com> wrote:
>>>>>
>>>>>> We are right in the middle of trying to get an Apache Rampart release
>>>>>> out and cannot always respond to every Axis2 dep with a CVE.
>>>>>>
>>>>>> First of all you may not actually need those deps. Not all deps are
>>>>>> mandatory.
>>>>>>
>>>>>> Secondly, the only thing Axis2 will do is update the pom.xml and
>>>>>> indeed via GitHub Dependabot that happens automatically.
>>>>>>
>>>>>> Without building from source, the way I manage these deps is by using
>>>>>> Maven exclusions in the pom.xml of my day job.
>>>>>>
>>>>>> Using "mvn -X" will show the dependency tree, and with the right
>>>>>> config you can update the jars that way.
>>>>>>
>>>>>> On Wed, Jun 21, 2023 at 6:30 AM Steven Saunders <sjs...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Axis2 Dev Mailing List,
>>>>>>>
>>>>>>> There are some more recent CVEs against Jettison 1.5.0 and Spring
>>>>>>> Framework 5.3.21 that are in Axis2 v1.8.2 (latest release).
>>>>>>>
>>>>>>> Would it be possible to get an Axis2 build with these module
>>>>>>> components updated to last release versions?
>>>>>>>
>>>>>>> Do I need to download Axis2 1.8.2 source and try to maven build it
>>>>>>> locally with these modules updated to the new release versions instead?
>>>>>>>
>>>>>>> Details:
>>>>>>> Jettison v1.5.4 addresses CVE-2023-1436 (CVSS v3.1 score in NVD is
>>>>>>> 7.5)
>>>>>>> Spring Framework v5.3.27 addresses CVE-2023-20863 (CVSS v3.1 score
>>>>>>> in NVD is 6.5)
>>>>>>>
>>>>>>> Thanks,
>>>>>>> -Steven Saunder
>>>>>>>
>>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
>>>>> For additional commands, e-mail: java-dev-h...@axis.apache.org
>>>>
>>>>
>>
>>
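
The exclusion and version-pinning approach discussed in this thread, as an added example that is not part of any message above or of the Axis2 project's own build files: a consumer `pom.xml` that builds on Axis2 1.8.2 while pinning Jettison to 1.5.4 and Spring Framework to 5.3.27. The `com.example` coordinates are placeholders, and `axis2-json` being the artifact that brings in Jettison is an assumption to confirm against the real dependency tree.

```xml
<!-- Added example: a consumer pom.xml, not a file from the Axis2 source tree. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>            <!-- placeholder -->
  <artifactId>axis2-services</artifactId>   <!-- placeholder -->
  <version>1.0.0</version>
  <packaging>war</packaging>

  <dependencyManagement>
    <dependencies>
      <!-- Forces every transitive Spring Framework module to 5.3.27. -->
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-framework-bom</artifactId>
        <version>5.3.27</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <!-- Forces any transitive Jettison to 1.5.4 wherever it is still pulled in. -->
      <dependency>
        <groupId>org.codehaus.jettison</groupId>
        <artifactId>jettison</artifactId>
        <version>1.5.4</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.axis2</groupId>
      <artifactId>axis2-kernel</artifactId>
      <version>1.8.2</version>
    </dependency>
    <!-- Assumption: this is the artifact that pulls in Jettison. When the
         Jettison-based JSON support is unused, exclude the jar outright;
         the pin above then only matters for other paths to Jettison. -->
    <dependency>
      <groupId>org.apache.axis2</groupId>
      <artifactId>axis2-json</artifactId>
      <version>1.8.2</version>
      <exclusions>
        <exclusion>
          <groupId>org.codehaus.jettison</groupId>
          <artifactId>jettison</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
  <!-- Check the result with:
       mvn dependency:tree -Dincludes=org.codehaus.jettison,org.springframework -->
</project>
```

Rerun the dependency tree check after every Axis2 upgrade, since a managed version silently overrides whatever the new release declares.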
