The exception is below. Do I need other apache classes to go with xalan 2.7.3?
Build environment:
Maven: v3.6.3
Maven home: /usr/share/maven
Java version: 11.0.20.1, vendor: Ubuntu, runtime: /usr/lib/jvm/java-11-openjdk-amd64
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "5.15.0-83-generic", arch: "amd64", family: "unix"

[INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Running org.apache.axis2.description.Java2WSDLTest
[ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.475 s <<< FAILURE! - in org.apache.axis2.description.Java2WSDLTest
[ERROR] test1(org.apache.axis2.description.Java2WSDLTest)  Time elapsed: 0.46 s  <<< ERROR!
java.lang.NoClassDefFoundError: org/apache/xml/serializer/OutputPropertiesFactory
    at org.apache.xalan.templates.OutputProperties.<init>(OutputProperties.java:84)
    at org.apache.xalan.transformer.TransformerIdentityImpl.<init>(TransformerIdentityImpl.java:93)
    at org.apache.xalan.processor.TransformerFactoryImpl.newTransformer(TransformerFactoryImpl.java:818)
    at org.apache.ws.commons.schema.XmlSchema.serializeInternal(XmlSchema.java:897)
    at org.apache.ws.commons.schema.XmlSchema.write(XmlSchema.java:593)
    at org.apache.axis2.description.AxisService2WSDL11.generateTypes(AxisService2WSDL11.java:1467)
    at org.apache.axis2.description.AxisService2WSDL11.generateOM(AxisService2WSDL11.java:187)
    at org.apache.ws.java2wsdl.Java2WSDLBuilder.generateWSDL(Java2WSDLBuilder.java:349)
    at org.apache.axis2.description.Java2WSDLTest.test1(Java2WSDLTest.java:39)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at junit.framework.TestCase.runTest(TestCase.java:177)
    at junit.framework.TestCase.runBare(TestCase.java:142)
    at junit.framework.TestResult$1.protect(TestResult.java:122)
    at junit.framework.TestResult.runProtected(TestResult.java:142)
    at junit.framework.TestResult.run(TestResult.java:125)
    at junit.framework.TestCase.run(TestCase.java:130)
    at junit.framework.TestSuite.runTest(TestSuite.java:241)
    at junit.framework.TestSuite.run(TestSuite.java:236)
    at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:90)
    at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:365)
    at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:273)
    at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:238)
    at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:159)
    at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:384)
    at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:345)
    at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:126)
    at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:418)
Caused by: java.lang.ClassNotFoundException: org.apache.xml.serializer.OutputPropertiesFactory
    at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
    at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:527)
    ... 30 more
[INFO] Running org.apache.ws.java2wsdl.jaxws.JAXWS2WSDLCodegenEngineTest
[INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 1.259 s - in org.apache.ws.java2wsdl.jaxws.JAXWS2WSDLCodegenEngineTest
[INFO]
[INFO] Results:
[INFO]
[ERROR] Errors:
[ERROR]   Java2WSDLTest.test1:39 » NoClassDefFound org/apache/xml/serializer/OutputPrope...
[INFO]
[ERROR] Tests run: 4, Failures: 0, Errors: 1, Skipped: 0

On Fri, Sep 29, 2023 at 4:59 PM Steven Saunders <sjs...@gmail.com> wrote:

> Hi Axis2 Dev Mailing List,
>
> I'm needing to remediate the use of xalan v2.7.2 embedded version of
> Apache BCEL to a newer version 6.6.0 or newer due to CVE-2022-42920 (CVSS
> v3.1 score in NVD is *9.8*).
>
> I verified my current build of axis2 1.8.2 builds fine and then updated
> the axis2 1.8.2 pom.xml from xalan v2.7.2 to xalan v2.7.3 (as I believe
> that addresses the vulnerability) but rebuilt with maven fails in the
> Java2WSDL test with NoClassFound exception.
>
> On Sun, Jun 25, 2023 at 6:37 PM Andreas Veithen-Knowles <
> andreas.veit...@gmail.com> wrote:
>
>> I did some investigation. The Axis2 build doesn't work with Maven <
>> 3.6.0. I've updated the minimum required version at HEAD to 3.6.0. Also,
>> there is a problem with the Maven version distributed with RHEL/CentOS
>> (even if it's >= 3.6.0, as in RHEL 9). That's fixed at HEAD now too.
>> Building older Axis2 1.8.2 should be possible by downloading and manually
>> installing Maven.
>>
>> Andreas
>>
>> On Thu, Jun 22, 2023 at 8:38 PM robertlazarski <robertlazar...@gmail.com>
>> wrote:
>>
>>> I suspect you are having some type of JDK issue or an issue with your
>>> very old Apache Maven 3.5.4 on CentOS 8.
>>>
>>> I was able to compile the 1.8.2 source distro on CentOS 7 with OpenJDK
>>> 11 (not the default) and Maven 3.6.3.
>>>
>>> Strangely, using Maven 3.6.3 on Ubuntu 20-04 that is the default
>>> version, I had to use a more modern Maven version - the latest in my case
>>> has some other questionable features but 3.8.8 was ok.
>>>
>>> So, in the end I was able to use JDK 17 and Maven 3.8.8 on Ubuntu
>>> 20-04.
>>>
>>> I looked more into jettison and unless you are using JSON features that
>>> are not enabled by default and will break typical XML SOAP handling, just
>>> skip it entirely.
>>>
>>> The Spring deps are only required if using
>>> org.apache.axis2.extensions.spring.receivers.SpringServletContextObjectSupplier
>>> in a custom Spring config.
>>>
>>> On Thu, Jun 22, 2023 at 9:35 AM robertlazarski <robertlazar...@gmail.com>
>>> wrote:
>>>
>>>> I suspect you are having some type of JDK issue or an issue with your
>>>> very old Apache Maven 3.5.4.
>>>>
>>>> I was able to compile the 1.8.2 source distro on CentOS 7 with OpenJDK
>>>> 11 and Maven 3.6.3.
>>>>
>>>> Strangely, using Maven 3.6.3 on Ubuntu 20-04 that is the default, I had
>>>> to use a more modern Maven version - the latest in my case has some other
>>>> questionable features but 3.8.8 was ok.
>>>>
>>>> I looked more into jettison and unless you are using JSON features that
>>>> are not enabled by default and will break typical XML SOAP handling, just
>>>> skip it entirely.
>>>>
>>>> The Spring deps are only required if using
>>>> org.apache.axis2.extensions.spring.receivers.SpringServletContextObjectSupplier
>>>> in a Spring config.
>>>>
>>>> On Wed, Jun 21, 2023 at 1:54 PM Steven Saunders <sjs...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi robertlazarski,
>>>>>
>>>>> I really appreciate the quick response and willingness to help!
>>>>> My build image is OS RedHat 8 Linux x86_64 for the platform if that
>>>>> helps. I can also build on RedHat 7 or a Ubuntu 20.04 LTS if any of those
>>>>> are better or might now have these issues. I have many VMs of other Linux
>>>>> distributions too. Please suggest best OS and version to get a clean
>>>>> build of latest Axis2 release.
>>>>>
>>>>> I tried your suggestion of building
>>>>> modules/tool/axis2-aar-maven-plugin with -Dmaven.test.skip.exec=true but
>>>>> that didn't work so I tried it with -Dmaven.test.skip=true from search
>>>>> internet and that didn't stop the tests either. So found another
>>>>> workaround to avoid the executions by commenting it out of the
>>>>> modules/tool/axis2-aar-maven-plugin/pom.xml altogether, e.g.
>>>>> axis2-1.8.2/modules/tool/axis2-aar-maven-plugin/pom.xml:
>>>>>     <plugin>
>>>>>         <artifactId>maven-invoker-plugin</artifactId>
>>>>>         *<!--*executions>
>>>>>             <execution>
>>>>>                 <goals>
>>>>>                     <goal>integration-test</goal>
>>>>>                     <goal>verify</goal>
>>>>>                 </goals>
>>>>>                 <configuration>
>>>>>                     <cloneProjectsTo>${project.build.directory}/it</cloneProjectsTo>
>>>>>                     <postBuildHookScript>verify</postBuildHookScript>
>>>>>                 </configuration>
>>>>>             </execution>
>>>>>         </executions*-->*
>>>>>     </plugin>
>>>>>
>>>>> After that was resolved and the plugin built I went back to the root
>>>>> and ran mvn install and got this error next.
>>>>> Seems from the AXIS2-5782 build.log (assume AXIS2-5782 relates to the
>>>>> old JIRA of same name) the root exception from
>>>>> axis2-1.8.2/modules/tool/axis2-repo-maven-plugin/target/it/AXIS2-5782/build.log
>>>>> (attached) is:
>>>>> Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/share/publicsuffix/effective_tld_names.dat" "read")
>>>>>
>>>>> I checked and the file is there with read permissions for everyone but
>>>>> is a link to another file that has read permissions for everyone also:
>>>>>
>>>>> bash-4.4$ ls -al /usr/share/publicsuffix/effective_tld_names.dat
>>>>> lrwxrwxrwx 1 root root 22 Mar 7 2019 /usr/share/publicsuffix/effective_tld_names.dat -> public_suffix_list.dat
>>>>> bash-4.4$ ls -al /usr/share/publicsuffix/public_suffix_list.dat
>>>>> -rw-r--r-- 1 root root 208604 Mar 7 2019 /usr/share/publicsuffix/public_suffix_list.dat
>>>>>
>>>>> bash-4.4$ cat /usr/share/publicsuffix/public_suffix_list.dat
>>>>>
>>>>> and,
>>>>> bash-4.4$ cat /usr/share/publicsuffix/effective_tld_names.dat
>>>>> Shows same user as build can read file contents without an issue.
>>>>>
>>>>> Also, did a move of the link to another name and copied the
>>>>> public_suffix_list.dat to an actual file named effective_tld_names.dat
>>>>> in case the issue was with using a link and build gave same error.
>>>>>
>>>>> I tried to also comment out the executions in
>>>>> axis2-1.8.2/modules/tool/axis2-repo-maven-plugin/src/it/AXIS2-5782/pom.xml,
>>>>> e.g:
>>>>>     *<!--*executions>
>>>>>         <execution>
>>>>>             <goals>
>>>>>                 <goal>create-repository</goal>
>>>>>             </goals>
>>>>>             <configuration>
>>>>>                 <modules>
>>>>>                     addressing,
>>>>>                     ping
>>>>>                 </modules>
>>>>>             </configuration>
>>>>>         </execution>
>>>>>     </executions*-->*
>>>>> It didn't stop the same error.
>>>>>
>>>>> I am stuck.
>>>>>
>>>>> Summary of build error from console:
>>>>>
>>>>> [INFO] --- maven-invoker-plugin:3.3.0:integration-test (default) @ axis2-repo-maven-plugin ---
>>>>> [INFO] Building: AXIS2-5782/pom.xml
>>>>> [INFO] The build exited with code 1. See axis2-1.8.2/modules/tool/axis2-repo-maven-plugin/target/it/AXIS2-5782/build.log for details.
>>>>> [INFO] AXIS2-5782/pom.xml ............................... FAILED (3.1 s)
>>>>> [INFO]
>>>>> ...
>>>>> [INFO] Build Summary:
>>>>> [INFO] Passed: 0, *Failed: 1,* Errors: 0, Skipped: 0
>>>>> [INFO] -------------------------------------------------
>>>>> *[ERROR] The following builds failed:*
>>>>> *[ERROR] * AXIS2-5782/pom.xml*
>>>>> [INFO] -------------------------------------------------
>>>>> [INFO] ------------------------------------------------------------------------
>>>>> [INFO] Reactor Summary:
>>>>> [INFO]
>>>>> [INFO] Apache Axis2 - Root 1.8.2 .......................... SUCCESS [ 15.251 s]
>>>>> [INFO] Apache Axis2 - Resource bundle ..................... SUCCESS [ 2.896 s]
>>>>> [INFO] Apache Axis2 - Kernel .............................. SUCCESS [ 21.702 s]
>>>>> [INFO] Apache Axis2 - Data Binding ........................ SUCCESS [ 6.657 s]
>>>>> [INFO] Apache Axis2 - Transport - Local ................... SUCCESS [ 14.591 s]
>>>>> [INFO] Apache Axis2 - Addressing .......................... SUCCESS [ 16.085 s]
>>>>> [INFO] Apache Axis2 - Transport - Base .................... SUCCESS [ 6.679 s]
>>>>> [INFO] Apache Axis2 - Ping ................................ SUCCESS [ 2.082 s]
>>>>> [INFO] Apache Axis2 - MEX ................................. SUCCESS [ 2.237 s]
>>>>> *[INFO] axis2-repo-maven-plugin ............................ FAILURE [ 17.848 s]*
>>>>> [INFO] Apache Axis2 - Transport - testkit ................. SKIPPED
>>>>> [INFO] Apache Axis2 - Transport - HTTP .................... SKIPPED
>>>>> [INFO] Apache Axis2 - Code Generation ..................... SKIPPED
>>>>> [INFO] Apache Axis2 - ADB Codegen ......................... SKIPPED
>>>>> [INFO] Apache Axis2 - Clustering .......................... SKIPPED
>>>>> [INFO] Apache Axis2 - SAAJ ................................ SKIPPED
>>>>> ...
>>>>>
>>>>> (see build.log mentioned above and full log attached with -X option
>>>>> for mvn install attached).
>>>>>
>>>>> Tried it with Open JDK 11 and 1.8 versions.
>>>>> Tried it with -Dmaven.test.skip.exec=true and -Dmaven.test.skip=true
>>>>> but still didn't work here.
>>>>>
>>>>> I then commented out the executions in the AXIS2-5792/pom.xml to get
>>>>> past that error but still fails with "The following builds failed: *
>>>>> AXIS2-5782" but still the same error.
>>>>>
>>>>> Thanks,
>>>>> -Steve
>>>>>
>>>>> On Wed, Jun 21, 2023 at 4:10 PM robertlazarski <
>>>>> robertlazar...@gmail.com> wrote:
>>>>>
>>>>>> I looked at the attached logs and I suspect that the unit tests are
>>>>>> not multi-platform really.
>>>>>>
>>>>>> I suggest seeing if skipping the tests help via -Dmaven.test.skip.exec.
>>>>>>
>>>>>> On Wed, Jun 21, 2023 at 10:01 AM Steven Saunders <sjs...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi robertlazarski,
>>>>>>>
>>>>>>> I am fine with handling upgrading and building locally from maven
>>>>>>> and the axis2 1.8.2 src download or trying to remove the jars that have
>>>>>>> the vulnerabilities and deploy the WAR and if it starts run my test bed
>>>>>>> for our web services to see if there is a problem.
>>>>>>>
>>>>>>> As far as building I may need help.
>>>>>>> I downloaded the axis2 source zip and followed the README.txt in it
>>>>>>> to do mvn install from root and that failed as expected due to the
>>>>>>> custom maven plugins used by Axis2. So following the instructions
>>>>>>> further to manually build those two modules in their project directories:
>>>>>>> modules/tool/axis2-mar-maven-plugin
>>>>>>> modules/tool/axis2-aar-maven-plugin
>>>>>>> but the second one failed.
>>>>>>>
>>>>>>> Full maven -X install is attached.
>>>>>>>
>>>>>>> Is this a known issue? Do I set ignoreFailures = true?
>>>>>>> Can you tell me what I am missing as the errors look like failure in
>>>>>>> validation tests of a module?
>>>>>>>
>>>>>>> Error summary was:
>>>>>>> [INFO] --- maven-invoker-plugin:3.3.0:verify (default) @ axis2-aar-maven-plugin ---
>>>>>>> [DEBUG] Configuring mojo org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify from plugin realm ClassRealm[plugin>org.apache.maven.plugins:maven-invoker-plugin:3.3.0, parent: sun.misc.Launcher$AppClassLoader@7852e922]
>>>>>>> [DEBUG] Configuring mojo 'org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify' with basic configurator -->
>>>>>>> [DEBUG]   (f) ignoreFailures = false
>>>>>>> [DEBUG]   (f) reportsDirectory = /scratch/sjsaunde/documaker/axis2-source/axis2-1.8.2/modules/tool/axis2-aar-maven-plugin/target/invoker-reports
>>>>>>> [DEBUG]   (f) skipInvocation = false
>>>>>>> [DEBUG]   (f) streamLogsOnFailures = false
>>>>>>> [DEBUG]   (f) suppressSummaries = false
>>>>>>> [DEBUG] -- end configuration --
>>>>>>> [INFO] -------------------------------------------------
>>>>>>> [INFO] Build Summary:
>>>>>>> [INFO] Passed: 0,* Failed: 2*, Errors: 0, Skipped: 0
>>>>>>> [INFO] -------------------------------------------------
>>>>>>> *[ERROR] The following builds failed:*
>>>>>>> *[ERROR] * test1/pom.xml*
>>>>>>> *[ERROR] * test2/pom.xml*
>>>>>>> [INFO] -------------------------------------------------
>>>>>>> [INFO] ------------------------------------------------------------------------
>>>>>>> [INFO] BUILD FAILURE
>>>>>>> [INFO] ------------------------------------------------------------------------
>>>>>>> [INFO] Total time: 41.738 s
>>>>>>> [INFO] Finished at: 2023-06-21T19:46:30Z
>>>>>>> [INFO] ------------------------------------------------------------------------
>>>>>>> [ERROR] Failed to execute goal org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify (default) on project axis2-aar-maven-plugin: 2 builds failed. See console output above for details. -> [Help 1]
>>>>>>> org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify (default) on project axis2-aar-maven-plugin: 2 builds failed. See console output above for details.
>>>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:213)
>>>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:154)
>>>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:146)
>>>>>>>     at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
>>>>>>>     at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
>>>>>>>     at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
>>>>>>>     at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
>>>>>>>     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
>>>>>>>     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
>>>>>>>     at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
>>>>>>>     at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954)
>>>>>>>     at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
>>>>>>>     at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
>>>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
>>>>>>>     at java.lang.reflect.Method.invoke (Method.java:498)
>>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
>>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
>>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
>>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)
>>>>>>> Caused by: org.apache.maven.plugin.MojoFailureException: 2 builds failed. See console output above for details.
>>>>>>>     at org.apache.maven.plugins.invoker.InvokerSession.handleFailures (InvokerSession.java:285)
>>>>>>>     at org.apache.maven.plugins.invoker.VerifyMojo.execute (VerifyMojo.java:153)
>>>>>>>     at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
>>>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:208)
>>>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:154)
>>>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:146)
>>>>>>>     at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
>>>>>>>     at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
>>>>>>>     at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
>>>>>>>     at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
>>>>>>>     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
>>>>>>>     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
>>>>>>>     at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
>>>>>>>     at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954)
>>>>>>>     at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
>>>>>>>     at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
>>>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
>>>>>>>     at java.lang.reflect.Method.invoke (Method.java:498)
>>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
>>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
>>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
>>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)
>>>>>>> [ERROR]
>>>>>>>
>>>>>>> Thanks,
>>>>>>> -Steve
>>>>>>>
>>>>>>> On Wed, Jun 21, 2023 at 2:26 PM robertlazarski <
>>>>>>> robertlazar...@gmail.com> wrote:
>>>>>>>
>>>>>>>> We are right in the middle of trying to get an Apache Rampart
>>>>>>>> release out and cannot always respond to every Axis2 dep with a CVE.
>>>>>>>>
>>>>>>>> First of all you may not actually need those deps. Not all deps are
>>>>>>>> mandatory.
>>>>>>>>
>>>>>>>> Secondly, the only thing Axis2 will do is update the pom.xml and
>>>>>>>> indeed via GitHub Dependabot that happens automatically.
>>>>>>>>
>>>>>>>> Without building from source, the way I manage these deps is by
>>>>>>>> using Maven exclusions in the pom.xml of my day job.
>>>>>>>>
>>>>>>>> Using "mvn -X" will show the dependency tree, and with the right
>>>>>>>> config you can update the jars that way.
>>>>>>>>
>>>>>>>> On Wed, Jun 21, 2023 at 6:30 AM Steven Saunders <sjs...@gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi Axis2 Dev Mailing List,
>>>>>>>>>
>>>>>>>>> There are some more recent CVEs against Jettison 1.5.0 and Spring
>>>>>>>>> Framework 5.3.21 that are in Axis2 v1.8.2 (latest release).
>>>>>>>>>
>>>>>>>>> Would it be possible to get an Axis2 build with these module
>>>>>>>>> components updated to last release versions?
>>>>>>>>>
>>>>>>>>> Do I need to download Axis2 1.8.2 source and try to maven build it
>>>>>>>>> locally with these modules updated to the new release versions
>>>>>>>>> instead?
>>>>>>>>>
>>>>>>>>> Details:
>>>>>>>>> Jettison v1.5.4 addresses CVE-2023-1436 (CVSS v3.1 score in NVD is 7.5)
>>>>>>>>> Spring Framework v5.3.27 addresses CVE-2023-20863 (CVSS v3.1 score in NVD is 6.5)
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> -Steven Saunder
>>>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
>>>>>>> For additional commands, e-mail: java-dev-h...@axis.apache.org
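
An added example, not part of the thread and not code from the Axis2 or Xalan projects: a Python check for the two things the messages above are concerned with, namely whether any jar in a built WAR or lib directory still carries embedded Apache BCEL classes (the CVE-2022-42920 concern) and which jar, if any, provides the class named in the NoClassDefFoundError. The jar names and the sample WAR are constructed for illustration.

```python
import io
import sys
import zipfile
from pathlib import Path

BCEL_PREFIX = "org/apache/bcel/"  # package path of Apache BCEL classes
# Class the JVM could not load in the stack trace at the top of the thread.
NEEDED_CLASS = "org.apache.xml.serializer.OutputPropertiesFactory"
ARCHIVE_SUFFIXES = (".jar", ".war", ".aar", ".mar")


def scan_archive(label, data, needed=NEEDED_CLASS, findings=None):
    """Scan one archive (bytes) and any archives nested inside it."""
    if findings is None:
        findings = {"bcel": {}, "provides": [], "unreadable": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["unreadable"].append(label)  # report it, do not silently skip
        return findings
    wanted = needed.replace(".", "/") + ".class"
    bcel_classes = 0
    with archive:
        for name in archive.namelist():
            if name.startswith(BCEL_PREFIX) and name.endswith(".class"):
                bcel_classes += 1
            elif name == wanted:
                findings["provides"].append(label)
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                # Nested archive, e.g. WEB-INF/lib/*.jar inside a WAR.
                scan_archive(f"{label}!/{name}", archive.read(name), needed, findings)
    if bcel_classes:
        findings["bcel"][label] = bcel_classes
    return findings


def scan_tree(root, needed=NEEDED_CLASS):
    """Scan every archive under a directory, or a single archive file."""
    root = Path(root)
    paths = [root] if root.is_file() else sorted(root.rglob("*"))
    findings = None
    for path in paths:
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings = scan_archive(str(path), path.read_bytes(), needed, findings)
    return findings or {"bcel": {}, "provides": [], "unreadable": []}


def _make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, payload in entries.items():
            jar.writestr(name, payload)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample: a WAR with three made-up jars in WEB-INF/lib."""
    with_bcel = _make_jar({"org/apache/xalan/Version.class": b"",
                           "org/apache/bcel/Constants.class": b"",
                           "org/apache/bcel/classfile/JavaClass.class": b""})
    provider = _make_jar({"org/apache/xml/serializer/OutputPropertiesFactory.class": b""})
    return _make_jar({"WEB-INF/lib/sample-with-bcel.jar": with_bcel,
                      "WEB-INF/lib/sample-provider.jar": provider,
                      "WEB-INF/lib/truncated.jar": b"not a zip"})


if __name__ == "__main__":
    result = (scan_tree(sys.argv[1]) if len(sys.argv) > 1
              else scan_archive("sample.war", build_sample_war()))
    for label, count in result["bcel"].items():
        print(f"embedded BCEL: {label} ({count} classes)")
    print("provides", NEEDED_CLASS, "->", result["provides"] or "no archive")
    print("unreadable:", result["unreadable"])
```

Run with a path (a WAR, a jar, or a directory such as a local build's lib folder) to scan real artifacts; with no argument it scans the constructed sample.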