That class seems part of Xalan, are you sure you have the right jar
installed?

https://xalan.apache.org/xalan-j/apidocs/org/apache/xml/serializer/OutputPropertiesFactory.html

On Fri, Sep 29, 2023 at 11:04 AM Steven Saunders <sjs...@gmail.com> wrote:

> The exception is below.  Do I need other apache classes to go with xalan
> 2.7.3?
>
> Build environment:
>
> Maven: v3.6.3
> Maven home: /usr/share/maven
> Java version: 11.0.20.1, vendor: Ubuntu, runtime:
> /usr/lib/jvm/java-11-openjdk-amd64
> Default locale: en_US, platform encoding: UTF-8
> OS name: "linux", version: "5.15.0-83-generic", arch: "amd64", family:
> "unix"
>
>
> [INFO] -------------------------------------------------------
> [INFO]  T E S T S
> [INFO] -------------------------------------------------------
> [INFO] Running org.apache.axis2.description.Java2WSDLTest
> [ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed:
> 0.475 s <<< FAILURE! - in org.apache.axis2.description.Java2WSDLTest
> [ERROR] test1(org.apache.axis2.description.Java2WSDLTest)  Time elapsed:
> 0.46 s  <<< ERROR!
> java.lang.NoClassDefFoundError:
> org/apache/xml/serializer/OutputPropertiesFactory
> at
> org.apache.xalan.templates.OutputProperties.<init>(OutputProperties.java:84)
> at
> org.apache.xalan.transformer.TransformerIdentityImpl.<init>(TransformerIdentityImpl.java:93)
> at
> org.apache.xalan.processor.TransformerFactoryImpl.newTransformer(TransformerFactoryImpl.java:818)
> at
> org.apache.ws.commons.schema.XmlSchema.serializeInternal(XmlSchema.java:897)
> at org.apache.ws.commons.schema.XmlSchema.write(XmlSchema.java:593)
> at
> org.apache.axis2.description.AxisService2WSDL11.generateTypes(AxisService2WSDL11.java:1467)
> at
> org.apache.axis2.description.AxisService2WSDL11.generateOM(AxisService2WSDL11.java:187)
> at
> org.apache.ws.java2wsdl.Java2WSDLBuilder.generateWSDL(Java2WSDLBuilder.java:349)
> at org.apache.axis2.description.Java2WSDLTest.test1(Java2WSDLTest.java:39)
> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
> at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at junit.framework.TestCase.runTest(TestCase.java:177)
> at junit.framework.TestCase.runBare(TestCase.java:142)
> at junit.framework.TestResult$1.protect(TestResult.java:122)
> at junit.framework.TestResult.runProtected(TestResult.java:142)
> at junit.framework.TestResult.run(TestResult.java:125)
> at junit.framework.TestCase.run(TestCase.java:130)
> at junit.framework.TestSuite.runTest(TestSuite.java:241)
> at junit.framework.TestSuite.run(TestSuite.java:236)
> at
> org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:90)
> at
> org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:365)
> at
> org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:273)
> at
> org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:238)
> at
> org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:159)
> at
> org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:384)
> at
> org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:345)
> at
> org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:126)
> at
> org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:418)
> Caused by: java.lang.ClassNotFoundException:
> org.apache.xml.serializer.OutputPropertiesFactory
> at
> java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
> at
> java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
> at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:527)
> ... 30 more
>
> [INFO] Running org.apache.ws.java2wsdl.jaxws.JAXWS2WSDLCodegenEngineTest
> [INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed:
> 1.259 s - in org.apache.ws.java2wsdl.jaxws.JAXWS2WSDLCodegenEngineTest
> [INFO]
> [INFO] Results:
> [INFO]
> [ERROR] Errors:
> [ERROR]   Java2WSDLTest.test1:39 » NoClassDefFound
> org/apache/xml/serializer/OutputPrope...
> [INFO]
> [ERROR] Tests run: 4, Failures: 0, Errors: 1, Skipped: 0
>
> On Fri, Sep 29, 2023 at 4:59 PM Steven Saunders <sjs...@gmail.com> wrote:
>
>> Hi Axis2 Dev Mailing List,
>>
>> I'm needing to remediate the use of xalan v2.7.2 embedded version of
>> Apache BCEL to a newer version 6.6.0 or newer due to CVE-2022-42920 (CVSS
>> v3.1 score in NVD is *9.8*).
>>
>> I verified my current build of axis2 1.8.2 builds fine and then updated
>> the axis2 1.8.2 pom.xml from xalan v2.7.2 to xalan v2.7.3 (as I believe
>> that addresses the vulnerability) but rebuilt with maven fails in the
>> Java2WSDL test with NoClassFound exception.
>>
>>
>>
>> On Sun, Jun 25, 2023 at 6:37 PM Andreas Veithen-Knowles <
>> andreas.veit...@gmail.com> wrote:
>>
>>> I did some investigation. The Axis2 build doesn't work with Maven <
>>> 3.6.0. I've updated the minimum required version at HEAD to 3.6.0. Also,
>>> there is a problem with the Maven version distributed with RHEL/CentOS
>>> (even if it's >= 3.6.0, as in RHEL 9). That's fixed at HEAD now too.
>>> Building older Axis2 1.8.2 should be possible by downloading and manually
>>> installing Maven.
>>>
>>> Andreas
>>>
>>> On Thu, Jun 22, 2023 at 8:38 PM robertlazarski <robertlazar...@gmail.com>
>>> wrote:
>>>
>>>> I suspect you are having some type of JDK issue or an issue with your
>>>> very old Apache Maven 3.5.4 on CentOS 8.
>>>>
>>>> I was able to compile the 1.8.2 source distro on CentOS 7 with OpenJDK
>>>> 11 (not the default) and Maven 3.6.3.
>>>>
>>>> Strangely, using Maven 3.6.3 on Ubuntu 20-04 that is the default
>>>> version, I had to use a more modern Maven version - the latest in my case
>>>> has some other questionable features but 3.8.8 was ok.
>>>>
>>>> So, in the end I was able to use JDK 17 and Maven 3.8.8 on Ubuntu
>>>> 20-04.
>>>>
>>>> I looked more into jettison and unless you are using JSON features that
>>>> are not enabled by default and will break typical XML SOAP handling, just
>>>> skip it entirely.
>>>>
>>>> The Spring deps are only required if using
>>>> org.apache.axis2.extensions.spring.receivers.SpringServletContextObjectSupplier
>>>> in a custom Spring config.
>>>>
>>>> On Thu, Jun 22, 2023 at 9:35 AM robertlazarski <
>>>> robertlazar...@gmail.com> wrote:
>>>>
>>>>> I suspect you are having some type of JDK issue or an issue with your
>>>>> very old Apache Maven 3.5.4.
>>>>>
>>>>> I was able to compile the 1.8.2 source distro on CentOS 7 with OpenJDK
>>>>> 11 and Maven 3.6.3.
>>>>>
>>>>> Strangely, using Maven 3.6.3 on Ubuntu 20-04 that is the default, I
>>>>> had to use a more modern Maven version - the latest in my case has some
>>>>> other questionable features but 3.8.8 was ok.
>>>>>
>>>>> I looked more into jettison and unless you are using JSON features
>>>>> that are not enabled by default and will break typical XML SOAP handling,
>>>>> just skip it entirely.
>>>>>
>>>>> The Spring deps are only required if using
>>>>> org.apache.axis2.extensions.spring.receivers.SpringServletContextObjectSupplier
>>>>> in a Spring config.
>>>>>
>>>>>
>>>>> On Wed, Jun 21, 2023 at 1:54 PM Steven Saunders <sjs...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi robertlazarski,
>>>>>>
>>>>>> I really appreciate the quick response and willingness to help!
>>>>>> My build image is OS RedHat 8 Linux x86_64 for the platform if that
>>>>>> helps. I can also build on RedHat 7 or a Ubuntu 20.04 LTS if any of those
>>>>>> are better or might now have these issues.  I have many VMs of other
>>>>>> Linux distributions too.  Please suggest best OS and version to get a
>>>>>> clean build of latest Axis2 release.
>>>>>>
>>>>>> I tried your suggestion of building
>>>>>> modules/tool/axis2-aar-maven-plugin with -Dmaven.test.skip.exec=true but
>>>>>> that didn't work so I tried it with -Dmaven.test.skip=true from search
>>>>>> internet and that didn't stop the tests either.  So found another
>>>>>> workaround to avoid the executions by commenting it out of the
>>>>>> modules/tool/axis2-aar-maven-plugin/pom.xml altogether, e.g.
>>>>>>       axis2-1.8.2/modules/tool/axis2-aar-maven-plugin/pom.xml:
>>>>>>             <plugin>
>>>>>>                 <artifactId>maven-invoker-plugin</artifactId>
>>>>>>                 <!--executions>
>>>>>>                     <execution>
>>>>>>                         <goals>
>>>>>>                             <goal>integration-test</goal>
>>>>>>                             <goal>verify</goal>
>>>>>>                         </goals>
>>>>>>                         <configuration>
>>>>>>                             <cloneProjectsTo>${project.build.directory}/it</cloneProjectsTo>
>>>>>>                             <postBuildHookScript>verify</postBuildHookScript>
>>>>>>                         </configuration>
>>>>>>                     </execution>
>>>>>>                 </executions-->
>>>>>>             </plugin>
>>>>>>
>>>>>>
>>>>>> After that was resolved and the plugin built I went back to the root
>>>>>> and ran mvn install and got this error next.
>>>>>> Seems from the AXIS2-5782 build.log (assume AXIS2-5782 relates to the
>>>>>> old JIRA of same name) the root exception from
>>>>>> axis2-1.8.2/modules/tool/axis2-repo-maven-plugin/target/it/AXIS2-5782/build.log
>>>>>> (attached) is:
>>>>>>     Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/share/publicsuffix/effective_tld_names.dat" "read")
>>>>>>
>>>>>> I checked and the file is there with read permissions for everyone
>>>>>> but is a link to another file that has read permissions for everyone
>>>>>> also:
>>>>>>
>>>>>> bash-4.4$ ls -al /usr/share/publicsuffix/effective_tld_names.dat
>>>>>> lrwxrwxrwx 1 root root 22 Mar 7  2019
>>>>>> /usr/share/publicsuffix/effective_tld_names.dat -> public_suffix_list.dat
>>>>>> bash-4.4$ ls -al /usr/share/publicsuffix/public_suffix_list.dat
>>>>>> -rw-r--r-- 1 root root 208604 Mar  7  2019
>>>>>> /usr/share/publicsuffix/public_suffix_list.dat
>>>>>>
>>>>>>
>>>>>> bash-4.4$ cat /usr/share/publicsuffix/public_suffix_list.dat
>>>>>>
>>>>>> and,
>>>>>> bash-4.4$ cat /usr/share/publicsuffix/effective_tld_names.dat
>>>>>> Shows same user as build can read file contents without an issue.
>>>>>>
>>>>>> Also, did a move of the link to another name and copied the
>>>>>> public_suffix_list.dat to an actual file named effective_tld_names.dat
>>>>>> in case the issue was with using a link and build gave same error.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I tried to also comment out the executions in
>>>>>> axis2-1.8.2/modules/tool/axis2-repo-maven-plugin/src/it/AXIS2-5782/pom.xml,
>>>>>> e.g:
>>>>>>                 <!--executions>
>>>>>>                     <execution>
>>>>>>                         <goals>
>>>>>>                             <goal>create-repository</goal>
>>>>>>                         </goals>
>>>>>>                         <configuration>
>>>>>>                             <modules>
>>>>>>                                 addressing,
>>>>>>                                 ping
>>>>>>                             </modules>
>>>>>>                         </configuration>
>>>>>>                     </execution>
>>>>>>                 </executions-->
>>>>>> It didn't stop the same error.
>>>>>>
>>>>>> I am stuck.
>>>>>>
>>>>>> Summary of build error from console:
>>>>>>
>>>>>> [INFO] --- maven-invoker-plugin:3.3.0:integration-test (default) @
>>>>>> axis2-repo-maven-plugin ---
>>>>>> [INFO] Building: AXIS2-5782/pom.xml
>>>>>> [INFO]   The build exited with code 1. See
>>>>>> axis2-1.8.2/modules/tool/axis2-repo-maven-plugin/target/it/AXIS2-5782/build.log
>>>>>> for details.
>>>>>> [INFO]           AXIS2-5782/pom.xml ...............................
>>>>>> FAILED (3.1 s)
>>>>>> [INFO]
>>>>>> ...
>>>>>> [INFO] Build Summary:
>>>>>> [INFO]   Passed: 0, *Failed: 1,* Errors: 0, Skipped: 0
>>>>>> [INFO] -------------------------------------------------
>>>>>> *[ERROR] The following builds failed:*
>>>>>> *[ERROR] *  AXIS2-5782/pom.xml*
>>>>>> [INFO] -------------------------------------------------
>>>>>> [INFO]
>>>>>> ------------------------------------------------------------------------
>>>>>> [INFO] Reactor Summary:
>>>>>> [INFO]
>>>>>> [INFO] Apache Axis2 - Root 1.8.2 .......................... SUCCESS [
>>>>>> 15.251 s]
>>>>>> [INFO] Apache Axis2 - Resource bundle ..................... SUCCESS [
>>>>>>  2.896 s]
>>>>>> [INFO] Apache Axis2 - Kernel .............................. SUCCESS [
>>>>>> 21.702 s]
>>>>>> [INFO] Apache Axis2 - Data Binding ........................ SUCCESS [
>>>>>>  6.657 s]
>>>>>> [INFO] Apache Axis2 - Transport - Local ................... SUCCESS [
>>>>>> 14.591 s]
>>>>>> [INFO] Apache Axis2 - Addressing .......................... SUCCESS [
>>>>>> 16.085 s]
>>>>>> [INFO] Apache Axis2 - Transport - Base .................... SUCCESS [
>>>>>>  6.679 s]
>>>>>> [INFO] Apache Axis2 - Ping ................................ SUCCESS [
>>>>>>  2.082 s]
>>>>>> [INFO] Apache Axis2 - MEX ................................. SUCCESS [
>>>>>>  2.237 s]
>>>>>> *[INFO] axis2-repo-maven-plugin ............................ FAILURE
>>>>>> [ 17.848 s]*
>>>>>> [INFO] Apache Axis2 - Transport - testkit ................. SKIPPED
>>>>>> [INFO] Apache Axis2 - Transport - HTTP .................... SKIPPED
>>>>>> [INFO] Apache Axis2 - Code Generation ..................... SKIPPED
>>>>>> [INFO] Apache Axis2 - ADB Codegen ......................... SKIPPED
>>>>>> [INFO] Apache Axis2 - Clustering .......................... SKIPPED
>>>>>> [INFO] Apache Axis2 - SAAJ ................................ SKIPPED
>>>>>> ...
>>>>>>
>>>>>> (see build.log mentioned above and full log attached with -X option
>>>>>> for mvn install attached).
>>>>>>
>>>>>> Tried it with Open JDK 11 and 1.8 versions.
>>>>>> Tried it with -Dmaven.test.skip.exec=true and -Dmaven.test.skip=true
>>>>>> but still didn't work here.
>>>>>>
>>>>>> I then commented out the executions in the AXIS2-5792/pom.xml to get
>>>>>> past that error but still fails with "The following builds failed:  *
>>>>>> AXIS2-5782" but still the same error.
>>>>>>
>>>>>> Thanks,
>>>>>> -Steve
>>>>>>
>>>>>> On Wed, Jun 21, 2023 at 4:10 PM robertlazarski <
>>>>>> robertlazar...@gmail.com> wrote:
>>>>>>
>>>>>>> I looked at the attached logs and I suspect that the unit tests are
>>>>>>> not multi-platform really.
>>>>>>>
>>>>>>> I suggest seeing if skipping the tests help via -Dmaven.test.skip.exec.
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Jun 21, 2023 at 10:01 AM Steven Saunders <sjs...@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi robertlazarski,
>>>>>>>>
>>>>>>>> I am fine with handling upgrading and building locally from maven
>>>>>>>> and the axis2 1.8.2 src download or trying to remove the jars that
>>>>>>>> have the vulnerabilities and deploy the WAR and if it starts run my
>>>>>>>> test bed for our web services to see if there is a problem.
>>>>>>>>
>>>>>>>> As far as building I may need help.
>>>>>>>> I downloaded the axis2 source zip and followed the README.txt in it
>>>>>>>> to do mvn install from root and that failed as expected due to the
>>>>>>>> custom maven plugins used by Axis2.  So following the instructions
>>>>>>>> further to manually build those two modules in their project
>>>>>>>> directories:
>>>>>>>>    modules/tool/axis2-mar-maven-plugin
>>>>>>>>    modules/tool/axis2-aar-maven-plugin
>>>>>>>> but the second one failed.
>>>>>>>>
>>>>>>>> Full maven -X install is attached.
>>>>>>>>
>>>>>>>> Is this a known issue?  Do I set ignoreFailures = true?
>>>>>>>> Can you tell me what I am missing as the errors look like failure
>>>>>>>> in validation tests of a module?
>>>>>>>>
>>>>>>>> Error summary was:
>>>>>>>> [INFO] --- maven-invoker-plugin:3.3.0:verify (default) @
>>>>>>>> axis2-aar-maven-plugin ---
>>>>>>>> [DEBUG] Configuring mojo
>>>>>>>> org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify from plugin
>>>>>>>> realm
>>>>>>>> ClassRealm[plugin>org.apache.maven.plugins:maven-invoker-plugin:3.3.0,
>>>>>>>> parent: sun.misc.Launcher$AppClassLoader@7852e922]
>>>>>>>> [DEBUG] Configuring mojo
>>>>>>>> 'org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify' with basic
>>>>>>>> configurator -->
>>>>>>>> [DEBUG]   (f) ignoreFailures = false
>>>>>>>> [DEBUG]   (f) reportsDirectory =
>>>>>>>> /scratch/sjsaunde/documaker/axis2-source/axis2-1.8.2/modules/tool/axis2-aar-maven-plugin/target/invoker-reports
>>>>>>>> [DEBUG]   (f) skipInvocation = false
>>>>>>>> [DEBUG]   (f) streamLogsOnFailures = false
>>>>>>>> [DEBUG]   (f) suppressSummaries = false
>>>>>>>> [DEBUG] -- end configuration --
>>>>>>>> [INFO] -------------------------------------------------
>>>>>>>> [INFO] Build Summary:
>>>>>>>> [INFO]   Passed: 0,* Failed: 2*, Errors: 0, Skipped: 0
>>>>>>>> [INFO] -------------------------------------------------
>>>>>>>>
>>>>>>>>
>>>>>>>> *[ERROR] The following builds failed:*
>>>>>>>> *[ERROR] *  test1/pom.xml*
>>>>>>>> *[ERROR] *  test2/pom.xml*
>>>>>>>> [INFO] -------------------------------------------------
>>>>>>>> [INFO]
>>>>>>>> ------------------------------------------------------------------------
>>>>>>>> [INFO] BUILD FAILURE
>>>>>>>> [INFO]
>>>>>>>> ------------------------------------------------------------------------
>>>>>>>> [INFO] Total time: 41.738 s
>>>>>>>> [INFO] Finished at: 2023-06-21T19:46:30Z
>>>>>>>> [INFO]
>>>>>>>> ------------------------------------------------------------------------
>>>>>>>> [ERROR] Failed to execute goal
>>>>>>>> org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify (default) on
>>>>>>>> project axis2-aar-maven-plugin: 2 builds failed. See console output
>>>>>>>> above for details. -> [Help 1]
>>>>>>>> org.apache.maven.lifecycle.LifecycleExecutionException: Failed to
>>>>>>>> execute goal org.apache.maven.plugins:maven-invoker-plugin:3.3.0:verify
>>>>>>>> (default) on project axis2-aar-maven-plugin: 2 builds failed. See
>>>>>>>> console output above for details.
>>>>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute
>>>>>>>> (MojoExecutor.java:213)
>>>>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute
>>>>>>>> (MojoExecutor.java:154)
>>>>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute
>>>>>>>> (MojoExecutor.java:146)
>>>>>>>>     at
>>>>>>>> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject
>>>>>>>> (LifecycleModuleBuilder.java:117)
>>>>>>>>     at
>>>>>>>> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject
>>>>>>>> (LifecycleModuleBuilder.java:81)
>>>>>>>>     at
>>>>>>>> org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build
>>>>>>>> (SingleThreadedBuilder.java:56)
>>>>>>>>     at org.apache.maven.lifecycle.internal.LifecycleStarter.execute
>>>>>>>> (LifecycleStarter.java:128)
>>>>>>>>     at org.apache.maven.DefaultMaven.doExecute
>>>>>>>> (DefaultMaven.java:305)
>>>>>>>>     at org.apache.maven.DefaultMaven.doExecute
>>>>>>>> (DefaultMaven.java:192)
>>>>>>>>     at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
>>>>>>>>     at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954)
>>>>>>>>     at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
>>>>>>>>     at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
>>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
>>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke
>>>>>>>> (NativeMethodAccessorImpl.java:62)
>>>>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke
>>>>>>>> (DelegatingMethodAccessorImpl.java:43)
>>>>>>>>     at java.lang.reflect.Method.invoke (Method.java:498)
>>>>>>>>     at
>>>>>>>> org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced
>>>>>>>> (Launcher.java:289)
>>>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.launch
>>>>>>>> (Launcher.java:229)
>>>>>>>>     at
>>>>>>>> org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode
>>>>>>>> (Launcher.java:415)
>>>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.main
>>>>>>>> (Launcher.java:356)
>>>>>>>> Caused by: org.apache.maven.plugin.MojoFailureException: 2 builds
>>>>>>>> failed. See console output above for details.
>>>>>>>>     at
>>>>>>>> org.apache.maven.plugins.invoker.InvokerSession.handleFailures
>>>>>>>> (InvokerSession.java:285)
>>>>>>>>     at org.apache.maven.plugins.invoker.VerifyMojo.execute
>>>>>>>> (VerifyMojo.java:153)
>>>>>>>>     at
>>>>>>>> org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo
>>>>>>>> (DefaultBuildPluginManager.java:137)
>>>>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute
>>>>>>>> (MojoExecutor.java:208)
>>>>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute
>>>>>>>> (MojoExecutor.java:154)
>>>>>>>>     at org.apache.maven.lifecycle.internal.MojoExecutor.execute
>>>>>>>> (MojoExecutor.java:146)
>>>>>>>>     at
>>>>>>>> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject
>>>>>>>> (LifecycleModuleBuilder.java:117)
>>>>>>>>     at
>>>>>>>> org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject
>>>>>>>> (LifecycleModuleBuilder.java:81)
>>>>>>>>     at
>>>>>>>> org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build
>>>>>>>> (SingleThreadedBuilder.java:56)
>>>>>>>>     at org.apache.maven.lifecycle.internal.LifecycleStarter.execute
>>>>>>>> (LifecycleStarter.java:128)
>>>>>>>>     at org.apache.maven.DefaultMaven.doExecute
>>>>>>>> (DefaultMaven.java:305)
>>>>>>>>     at org.apache.maven.DefaultMaven.doExecute
>>>>>>>> (DefaultMaven.java:192)
>>>>>>>>     at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
>>>>>>>>     at org.apache.maven.cli.MavenCli.execute (MavenCli.java:954)
>>>>>>>>     at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
>>>>>>>>     at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
>>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
>>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke
>>>>>>>> (NativeMethodAccessorImpl.java:62)
>>>>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke
>>>>>>>> (DelegatingMethodAccessorImpl.java:43)
>>>>>>>>     at java.lang.reflect.Method.invoke (Method.java:498)
>>>>>>>>     at
>>>>>>>> org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced
>>>>>>>> (Launcher.java:289)
>>>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.launch
>>>>>>>> (Launcher.java:229)
>>>>>>>>     at
>>>>>>>> org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode
>>>>>>>> (Launcher.java:415)
>>>>>>>>     at org.codehaus.plexus.classworlds.launcher.Launcher.main
>>>>>>>> (Launcher.java:356)
>>>>>>>> [ERROR]
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> -Steve
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Jun 21, 2023 at 2:26 PM robertlazarski <
>>>>>>>> robertlazar...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> We are right in the middle of trying to get an Apache Rampart
>>>>>>>>> release out and cannot always respond to every Axis2 dep with a CVE.
>>>>>>>>>
>>>>>>>>> First of all you may not actually need those deps. Not all deps
>>>>>>>>> are mandatory.
>>>>>>>>>
>>>>>>>>> Secondly, the only thing Axis2 will do is update the pom.xml and
>>>>>>>>> indeed via GitHub Dependabot that happens automatically.
>>>>>>>>>
>>>>>>>>> Without building from source, the way I manage these deps is by
>>>>>>>>> using Maven exclusions in the pom.xml of my day job.
>>>>>>>>>
>>>>>>>>> Using "mvn -X" will show the dependency tree, and with the right
>>>>>>>>> config you can update the jars that way.
>>>>>>>>>
>>>>>>>>> On Wed, Jun 21, 2023 at 6:30 AM Steven Saunders <sjs...@gmail.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Axis2 Dev Mailing List,
>>>>>>>>>>
>>>>>>>>>> There are some more recent CVEs against Jettison 1.5.0 and Spring
>>>>>>>>>> Framework 5.3.21 that are in Axis2 v1.8.2 (latest release).
>>>>>>>>>>
>>>>>>>>>> Would it be possible to get an Axis2 build with these module
>>>>>>>>>> components updated to last release versions?
>>>>>>>>>>
>>>>>>>>>> Do I need to download Axis2 1.8.2 source and try to maven build
>>>>>>>>>> it locally with these modules updated to the new release versions
>>>>>>>>>> instead?
>>>>>>>>>>
>>>>>>>>>> Details:
>>>>>>>>>> Jettison v1.5.4 addresses CVE-2023-1436 (CVSS v3.1 score in NVD
>>>>>>>>>> is 7.5)
>>>>>>>>>> Spring Framework v5.3.27 addresses CVE-2023-20863 (CVSS v3.1
>>>>>>>>>> score in NVD is 6.5)
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> -Steven Saunder
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> ---------------------------------------------------------------------
>>>>>>>> To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
>>>>>>>> For additional commands, e-mail: java-dev-h...@axis.apache.org
>>>>>>>
>>>>>>>
>>>>>
>>>>>
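
A check for the question raised at the top of this thread (is the jar that provides the missing class actually on the classpath?), combined with the BCEL concern from the 29 September message: the script below lists which jars in a directory contain `org.apache.xml.serializer.OutputPropertiesFactory` and which jars bundle classes under `org/apache/bcel/`. It is an added example, not code from the thread or from the Axis2 or Xalan projects; the jar names and their contents are constructed sample data.

```python
import tempfile
import zipfile
from pathlib import Path

# Class named in the NoClassDefFoundError quoted in the thread.
MISSING_CLASS = "org.apache.xml.serializer.OutputPropertiesFactory"
# Package path under which a jar would carry bundled BCEL classes.
BCEL_PREFIX = "org/apache/bcel/"


def class_entry(class_name):
    """Convert a dotted class name to its entry path inside a jar."""
    return class_name.replace(".", "/") + ".class"


def scan_jars(lib_dir, class_name=MISSING_CLASS, embedded_prefix=BCEL_PREFIX):
    """Return (providers, embedders, unreadable) as lists of jar file names.

    providers:  jars that contain class_name
    embedders:  jars that bundle at least one .class under embedded_prefix
    unreadable: *.jar files that are not valid zip archives
    """
    wanted = class_entry(class_name)
    providers, embedders, unreadable = [], [], []
    for jar in sorted(Path(lib_dir).rglob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                names = zf.namelist()
        except (zipfile.BadZipFile, OSError):
            # A truncated download looks like a present jar but loads nothing.
            unreadable.append(jar.name)
            continue
        if wanted in names:
            providers.append(jar.name)
        if any(n.startswith(embedded_prefix) and n.endswith(".class") for n in names):
            embedders.append(jar.name)
    return providers, embedders, unreadable


def build_sample_lib(lib_dir):
    """Write constructed jars (hypothetical names, empty class files)."""
    layout = {
        "transformer-sample.jar": [
            "org/apache/xalan/templates/OutputProperties.class",
            "org/apache/bcel/classfile/ClassParser.class",
        ],
        "serializer-sample.jar": [
            "org/apache/xml/serializer/OutputPropertiesFactory.class",
        ],
        "unrelated-sample.jar": ["com/example/Util.class"],
    }
    for name, entries in layout.items():
        with zipfile.ZipFile(Path(lib_dir) / name, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")
    # Constructed corrupt file to exercise the unreadable-jar path.
    (Path(lib_dir) / "truncated-sample.jar").write_bytes(b"not a zip")


def demo():
    """Scan a temporary directory filled with the constructed jars."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_lib(tmp)
        return scan_jars(tmp)


if __name__ == "__main__":
    providers, embedders, unreadable = demo()
    print("jars providing", MISSING_CLASS, "->", providers or "none")
    print("jars bundling", BCEL_PREFIX, "->", embedders or "none")
    print("unreadable jars ->", unreadable or "none")
```

Pointing `scan_jars` at the directory the build actually resolves its jars from (for example a copied dependency directory) shows whether any jar supplies the class and whether a jar still carries its own BCEL copy after the version bump.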
