Hi Axis2 Dev Mailing List,

I need to remediate the use of the version of Apache BCEL embedded in xalan
v2.7.2 by moving to BCEL 6.6.0 or newer, due to CVE-2022-42920 (CVSS v3.1
score in NVD is 9.8).

I verified that my current build of axis2 1.8.2 builds fine and then updated
the axis2 1.8.2 pom.xml from xalan v2.7.2 to xalan v2.7.3 (as I believe that
addresses the vulnerability), but rebuilding with Maven fails in the Java2WSDL
test with a NoClassFound exception.



On Sun, Jun 25, 2023 at 6:37 PM Andreas Veithen-Knowles <
andreas.veit...@gmail.com> wrote:

> I did some investigation. The Axis2 build doesn't work with Maven < 3.6.0.
> I've updated the minimum required version at HEAD to 3.6.0. Also, there is
> a problem with the Maven version distributed with RHEL/CentOS (even if it's
> >= 3.6.0, as in RHEL 9). That's fixed at HEAD now too. Building older Axis2
> 1.8.2 should be possible by downloading and manually installing Maven.
>
> Andreas
>
> On Thu, Jun 22, 2023 at 8:38 PM robertlazarski <robertlazar...@gmail.com>
> wrote:
>
>> I suspect you are having some type of JDK issue or an issue with your
>> very old Apache Maven 3.5.4 on CentOS 8.
>>
>> I was able to compile the 1.8.2 source distro on CentOS 7 with OpenJDK 11
>> (not the default) and Maven 3.6.3.
>>
>> Strangely, with Maven 3.6.3 on Ubuntu 20.04, which is the default version,
>> I had to use a more modern Maven version; the latest in my case has some
>> other questionable features, but 3.8.8 was OK.
>>
>> So, in the end I was able to use JDK 17 and Maven 3.8.8 on Ubuntu 20-04.
>>
>> I looked more into jettison, and unless you are using JSON features (which
>> are not enabled by default and will break typical XML SOAP handling), just
>> skip it entirely.
>>
>> The Spring deps are only required if using
>> org.apache.axis2.extensions.spring.receivers.SpringServletContextObjectSupplier
>> in a custom Spring config.
>>
>> On Thu, Jun 22, 2023 at 9:35 AM robertlazarski <robertlazar...@gmail.com>
>> wrote:
>>
>>> I suspect you are having some type of JDK issue or an issue with your
>>> very old Apache Maven 3.5.4.
>>>
>>> I was able to compile the 1.8.2 source distro on CentOS 7 with OpenJDK
>>> 11 and Maven 3.6.3.
>>>
>>> Strangely, with Maven 3.6.3 on Ubuntu 20.04, which is the default, I had
>>> to use a more modern Maven version; the latest in my case has some other
>>> questionable features, but 3.8.8 was OK.
>>>
>>> I looked more into jettison, and unless you are using JSON features (which
>>> are not enabled by default and will break typical XML SOAP handling), just
>>> skip it entirely.
>>>
>>> The Spring deps are only required if using
>>> org.apache.axis2.extensions.spring.receivers.SpringServletContextObjectSupplier
>>> in a Spring config.
>>>
>>>
>>> On Wed, Jun 21, 2023 at 1:54 PM Steven Saunders <sjs...@gmail.com>
>>> wrote:
>>>
>>>> Hi robertlazarski,
>>>>
>>>> I really appreciate the quick response and willingness to help!
>>>> My build image is RedHat 8 Linux x86_64, if that helps. I can also build
>>>> on RedHat 7 or an Ubuntu 20.04 LTS if any of those are better or might not
>>>> have these issues.  I have many VMs of other Linux distributions too.
>>>> Please suggest the best OS and version to get a clean build of the latest
>>>> Axis2 release.
>>>>
>>>> I tried your suggestion of building modules/tool/axis2-aar-maven-plugin
>>>> with -Dmaven.test.skip.exec=true, but that didn't work, so I tried it with
>>>> -Dmaven.test.skip=true from an internet search, and that didn't stop the
>>>> tests either.  So I found another workaround to avoid the executions by
>>>> commenting them out of the modules/tool/axis2-aar-maven-plugin/pom.xml
>>>> altogether, e.g.
>>>>       axis2-1.8.2/modules/tool/axis2-aar-maven-plugin/pom.xml:
>>>>            <plugin>
>>>>                 <artifactId>maven-invoker-plugin</artifactId>
>>>>                 <!--executions>
>>>>                     <execution>
>>>>                         <goals>
>>>>                             <goal>integration-test</goal>
>>>>                             <goal>verify</goal>
>>>>                         </goals>
>>>>                         <configuration>
>>>>                             <cloneProjectsTo>${project.build.directory}/it</cloneProjectsTo>
>>>>                             <postBuildHookScript>verify</postBuildHookScript>
>>>>                         </configuration>
>>>>                     </execution>
>>>>                 </executions-->
>>>>             </plugin>
>>>>
>>>>
>>>> After that was resolved and the plugin built, I went back to the root,
>>>> ran mvn install, and got this error next.
>>>> It seems from the AXIS2-5782 build.log (I assume AXIS2-5782 relates to the
>>>> old JIRA issue of the same name) that the root exception from
>>>> axis2-1.8.2/modules/tool/axis2-repo-maven-plugin/target/it/AXIS2-5782/build.log
>>>> (attached) is:
>>>>     Caused by: java.security.AccessControlException: access denied
>>>> ("java.io.FilePermission" "/usr/share/publicsuffix/effective_tld_names.dat"
>>>> "read")
>>>>
>>>> I checked and the file is there with read permissions for everyone but
>>>> is a link to another file that has read permissions for everyone also:
>>>>
>>>> bash-4.4$ ls -al /usr/share/publicsuffix/effective_tld_names.dat
>>>> lrwxrwxrwx 1 root root 22 Mar 7  2019
>>>> /usr/share/publicsuffix/effective_tld_names.dat -> public_suffix_list.dat
>>>> bash-4.4$ ls -al /usr/share/publicsuffix/public_suffix_list.dat
>>>> -rw-r--r-- 1 root root 208604 Mar  7  2019
>>>> /usr/share/publicsuffix/public_suffix_list.dat
>>>>
>>>>
>>>> bash-4.4$ cat /usr/share/publicsuffix/public_suffix_list.dat
>>>>
>>>> and
>>>> bash-4.4$ cat /usr/share/publicsuffix/effective_tld_names.dat
>>>>
>>>> Both show that the same user as the build can read the file contents
>>>> without an issue.
>>>>
>>>> Also, I moved the link to another name and copied public_suffix_list.dat
>>>> to an actual file named effective_tld_names.dat in case the issue was with
>>>> using a link, and the build gave the same error.
>>>>
>>>>
>>>>
>>>> I also tried commenting out the executions in
>>>> axis2-1.8.2/modules/tool/axis2-repo-maven-plugin/src/it/AXIS2-5782/pom.xml,
>>>> e.g.:
>>>>                 <!--executions>
>>>>                     <execution>
>>>>                         <goals>
>>>>                             <goal>create-repository</goal>
>>>>                         </goals>
>>>>                         <configuration>
>>>>                             <modules>
>>>>                                 addressing,
>>>>                                 ping
>>>>                             </modules>
>>>>                         </configuration>
>>>>                     </execution>
>>>>                 </executions-->
>>>> It didn't stop the same error.
>>>>
>>>> I am stuck.
>>>>
>>>> Summary of build error from console:
>>>>
>>>> [INFO] --- maven-invoker-plugin:3.3.0:integration-test (default) @ axis2-repo-maven-plugin ---
>>>> [INFO] Building: AXIS2-5782/pom.xml
>>>> [INFO]   The build exited with code 1. See axis2-1.8.2/modules/tool/axis2-repo-maven-plugin/target/it/AXIS2-5782/build.log for details.
>>>> [INFO]           AXIS2-5782/pom.xml ............................... FAILED (3.1 s)
>>>> [INFO]
>>>> ...
>>>> [INFO] Build Summary:
>>>> [INFO]   Passed: 0, Failed: 1, Errors: 0, Skipped: 0
>>>> [INFO] -------------------------------------------------
>>>> [ERROR] The following builds failed:
>>>> [ERROR] *  AXIS2-5782/pom.xml
>>>> [INFO] -------------------------------------------------
>>>> [INFO] ------------------------------------------------------------------------
>>>> [INFO] Reactor Summary:
>>>> [INFO]
>>>> [INFO] Apache Axis2 - Root 1.8.2 .......................... SUCCESS [ 15.251 s]
>>>> [INFO] Apache Axis2 - Resource bundle ..................... SUCCESS [  2.896 s]
>>>> [INFO] Apache Axis2 - Kernel .............................. SUCCESS [ 21.702 s]
>>>> [INFO] Apache Axis2 - Data Binding ........................ SUCCESS [  6.657 s]
>>>> [INFO] Apache Axis2 - Transport - Local ................... SUCCESS [ 14.591 s]
>>>> [INFO] Apache Axis2 - Addressing .......................... SUCCESS [ 16.085 s]
>>>> [INFO] Apache Axis2 - Transport - Base .................... SUCCESS [  6.679 s]
>>>> [INFO] Apache Axis2 - Ping ................................ SUCCESS [  2.082 s]
>>>> [INFO] Apache Axis2 - MEX ................................. SUCCESS [  2.237 s]
>>>> [INFO] axis2-repo-maven-plugin ............................ FAILURE [ 17.848 s]
>>>> [INFO] Apache Axis2 - Transport - testkit ................. SKIPPED
>>>> [INFO] Apache Axis2 - Transport - HTTP .................... SKIPPED
>>>> [INFO] Apache Axis2 - Code Generation ..................... SKIPPED
>>>> [INFO] Apache Axis2 - ADB Codegen ......................... SKIPPED
>>>> [INFO] Apache Axis2 - Clustering .......................... SKIPPED
>>>> [INFO] Apache Axis2 - SAAJ ................................ SKIPPED
>>>> ...
>>>>
>>>> (see the build.log mentioned above and the full log of mvn install with
>>>> the -X option, attached).
>>>>
>>>> I tried it with OpenJDK 11 and 1.8.
>>>> I tried it with -Dmaven.test.skip.exec=true and -Dmaven.test.skip=true,
>>>> but it still didn't work here.
>>>>
>>>> I then commented out the executions in the AXIS2-5792/pom.xml to get
>>>> past that error, but it still fails with "The following builds failed:  *
>>>> AXIS2-5782", the same error.
>>>>
>>>> Thanks,
>>>> -Steve
>>>>
>>>> On Wed, Jun 21, 2023 at 4:10 PM robertlazarski <
>>>> robertlazar...@gmail.com> wrote:
>>>>
>>>>> I looked at the attached logs and I suspect that the unit tests are
>>>>> not multi-platform really.
>>>>>
>>>>> I suggest seeing if skipping the tests helps via -Dmaven.test.skip.exec.
>>>>>
>>>>>
>>>>> On Wed, Jun 21, 2023 at 10:01 AM Steven Saunders <sjs...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi robertlazarski,
>>>>>>
>>>>>> I am fine with handling the upgrade and building locally with Maven from
>>>>>> the axis2 1.8.2 source download, or with trying to remove the jars that
>>>>>> have the vulnerabilities, deploying the WAR and, if it starts, running my
>>>>>> test bed for our web services to see if there is a problem.
>>>>>>
>>>>>> As far as building, I may need help.
>>>>>> I downloaded the axis2 source zip and followed the README.txt in it
>>>>>> to do mvn install from the root, and that failed as expected due to the
>>>>>> custom Maven plugins used by Axis2.  So, following the instructions
>>>>>> further, I manually built those two modules in their project directories:
>>>>>>    modules/tool/axis2-mar-maven-plugin
>>>>>>    modules/tool/axis2-aar-maven-plugin
>>>>>> but the second one failed.
>>>>>>
>>>>>> Full maven -X install is attached.
>>>>>>
>>>>>> Is this a known issue?  Do I set ignoreFailures = true?
>>>>>> Can you tell me what I am missing, as the errors look like a failure in
>>>>>> the validation tests of a module?
>>>>>>
>>>>>> Error summary was:
>>>>>> [INFO] --- maven-invoker-plugin:3.3.0:verify (default) @ axis2-aar-maven-plugin ---
>>>>>> [DEBUG] Configuring mojo org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify from plugin realm ClassRealm[plugin>org.apache.maven.plugins:maven-invoker-plugin:3.3.0, parent: sun.misc.Launcher$AppClassLoader@7852e922]
>>>>>> [DEBUG] Configuring mojo 'org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify' with basic configurator -->
>>>>>> [DEBUG]   (f) ignoreFailures = false
>>>>>> [DEBUG]   (f) reportsDirectory = /scratch/sjsaunde/documaker/axis2-source/axis2-1.8.2/modules/tool/axis2-aar-maven-plugin/target/invoker-reports
>>>>>> [DEBUG]   (f) skipInvocation = false
>>>>>> [DEBUG]   (f) streamLogsOnFailures = false
>>>>>> [DEBUG]   (f) suppressSummaries = false
>>>>>> [DEBUG] -- end configuration --
>>>>>> [INFO] -------------------------------------------------
>>>>>> [INFO] Build Summary:
>>>>>> [INFO]   Passed: 0, Failed: 2, Errors: 0, Skipped: 0
>>>>>> [INFO] -------------------------------------------------
>>>>>>
>>>>>> [ERROR] The following builds failed:
>>>>>> [ERROR] *  test1/pom.xml
>>>>>> [ERROR] *  test2/pom.xml
>>>>>> [INFO] -------------------------------------------------
>>>>>> [INFO] ------------------------------------------------------------------------
>>>>>> [INFO] BUILD FAILURE
>>>>>> [INFO] ------------------------------------------------------------------------
>>>>>> [INFO] Total time: 41.738 s
>>>>>> [INFO] Finished at: 2023-06-21T19:46:30Z
>>>>>> [INFO] ------------------------------------------------------------------------
>>>>>> [ERROR] Failed to execute goal org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify (default) on project axis2-aar-maven-plugin: 2 builds failed. See console output above for details. -> [Help 1]
>>>>>> org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify (default) on project axis2-aar-maven-plugin: 2 builds failed. See console output above for details.
>>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:213)
>>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:154)
>>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:146)
>>>>>>     at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
>>>>>>     at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
>>>>>>     at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
>>>>>>     at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
>>>>>>     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
>>>>>>     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
>>>>>>     at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
>>>>>>     at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954)
>>>>>>     at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
>>>>>>     at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
>>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
>>>>>>     at java.lang.reflect.Method.invoke (Method.java:498)
>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)
>>>>>> Caused by: org.apache.maven.plugin.MojoFailureException: 2 builds failed. See console output above for details.
>>>>>>     at org.apache.maven.plugins.invoker.InvokerSession.handleFailures (InvokerSession.java:285)
>>>>>>     at org.apache.maven.plugins.invoker.VerifyMojo.execute (VerifyMojo.java:153)
>>>>>>     at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
>>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:208)
>>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:154)
>>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:146)
>>>>>>     at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
>>>>>>     at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
>>>>>>     at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
>>>>>>     at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
>>>>>>     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
>>>>>>     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
>>>>>>     at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
>>>>>>     at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954)
>>>>>>     at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
>>>>>>     at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
>>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
>>>>>>     at java.lang.reflect.Method.invoke (Method.java:498)
>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)
>>>>>> [ERROR]
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> -Steve
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Jun 21, 2023 at 2:26 PM robertlazarski <
>>>>>> robertlazar...@gmail.com> wrote:
>>>>>>
>>>>>>> We are right in the middle of trying to get an Apache Rampart
>>>>>>> release out and cannot always respond to every Axis2 dep with a CVE.
>>>>>>>
>>>>>>> First of all you may not actually need those deps. Not all deps are
>>>>>>> mandatory.
>>>>>>>
>>>>>>> Secondly, the only thing Axis2 will do is update the pom.xml and
>>>>>>> indeed via GitHub Dependabot that happens automatically.
>>>>>>>
>>>>>>> Without building from source, the way I manage these deps is by
>>>>>>> using Maven exclusions in the pom.xml of my day job.
>>>>>>>
>>>>>>> Using "mvn -X" will show the dependency tree, and with the right
>>>>>>> config you can update the jars that way.
>>>>>>>
>>>>>>> On Wed, Jun 21, 2023 at 6:30 AM Steven Saunders <sjs...@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Axis2 Dev Mailing List,
>>>>>>>>
>>>>>>>> There are some more recent CVEs against Jettison 1.5.0 and Spring
>>>>>>>> Framework 5.3.21 that are in Axis2 v1.8.2 (latest release).
>>>>>>>>
>>>>>>>> Would it be possible to get an Axis2 build with these module
>>>>>>>> components updated to the latest release versions?
>>>>>>>>
>>>>>>>> Do I need to download Axis2 1.8.2 source and try to maven build it
>>>>>>>> locally with these modules updated to the new release versions instead?
>>>>>>>>
>>>>>>>> Details:
>>>>>>>> Jettison v1.5.4 addresses CVE-2023-1436 (CVSS v3.1 score in NVD is
>>>>>>>> 7.5)
>>>>>>>> Spring Framework v5.3.27 addresses CVE-2023-20863 (CVSS v3.1 score
>>>>>>>> in NVD is 6.5)
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> -Steven Saunder
>>>>>>>>
>>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
>>>>>> For additional commands, e-mail: java-dev-h...@axis.apache.org
>>>>>
>>>>>
>>>
>>>

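As an added illustration of the approach robertlazarski describes in this thread (managing a vulnerable transitive dependency with Maven exclusions and version pinning in your own pom.xml rather than rebuilding Axis2 from source), and of the xalan/BCEL, Jettison and Spring updates the original poster is after, here is a consumer-side pom.xml fragment. It is example code written for this page, not from the Axis2 project or from anyone in the thread. The versions are the ones named in the thread (xalan 2.7.3, Jettison 1.5.4, Spring Framework 5.3.27, Axis2 1.8.2); whether xalan 2.7.3 actually ships a BCEL fixed for CVE-2022-42920 is the poster's belief above and should be confirmed against the xalan release notes. The choice of axis2-kernel as the Axis2 artifact that introduces the transitive dependencies is an assumption; `mvn dependency:tree` (or the `mvn -X` output mentioned in the thread) shows which artifact really carries them in your build.

```xml
<!-- Added example pom.xml fragment (not from the Axis2 project or this thread):
     consumer-side remediation of the transitive dependencies discussed above.
     Which Axis2 artifact carries each transitive dependency is an ASSUMPTION
     here; confirm with "mvn dependency:tree" before copying the exclusions. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>                <!-- placeholder coordinates -->
  <artifactId>axis2-consumer-example</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Pin every transitive request for xalan (and its serializer, released
           in lockstep) to the version the poster is moving to. Whether 2.7.3
           carries a BCEL fixed for CVE-2022-42920 is the poster's belief in the
           thread: verify against the xalan release notes before relying on it. -->
      <dependency>
        <groupId>xalan</groupId>
        <artifactId>xalan</artifactId>
        <version>2.7.3</version>
      </dependency>
      <dependency>
        <groupId>xalan</groupId>
        <artifactId>serializer</artifactId>
        <version>2.7.3</version>
      </dependency>
      <!-- Jettison 1.5.4 addresses CVE-2023-1436 (version from the thread). -->
      <dependency>
        <groupId>org.codehaus.jettison</groupId>
        <artifactId>jettison</artifactId>
        <version>1.5.4</version>
      </dependency>
      <!-- Spring Framework 5.3.27 addresses CVE-2023-20863 (version from the
           thread); importing the BOM pins every spring-* artifact at once. -->
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-framework-bom</artifactId>
        <version>5.3.27</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.axis2</groupId>
      <!-- ASSUMED entry point; use the Axis2 artifact your application declares. -->
      <artifactId>axis2-kernel</artifactId>
      <version>1.8.2</version>
      <exclusions>
        <!-- Alternative to pinning: cut the transitive path entirely. The thread's
             advice is that jettison is only needed for JSON support that is off
             by default, and the Spring deps only for
             SpringServletContextObjectSupplier. An exclusion only takes effect on
             the artifact that actually introduces the dependency, so it must sit
             on the right <dependency> element. -->
        <exclusion>
          <groupId>org.codehaus.jettison</groupId>
          <artifactId>jettison</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>*</artifactId>   <!-- wildcard exclusions need Maven 3.2.1+ -->
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

After editing, `mvn dependency:tree -Dincludes=xalan,org.codehaus.jettison,org.springframework` lists only those groups and shows the versions that actually resolved, which is the check that the pin or exclusion took effect. Pinning changes the version but keeps the code on the classpath; an exclusion removes it, and removing it can break the features the thread names (JSON handling, the Spring object supplier). The poster's own experience above, where bumping xalan made the Java2WSDL test fail with a NoClassFound exception, is the reason to run the application's own test bed after either change rather than trusting a clean dependency tree alone.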