Arturo Zambrano added a comment - 22/Apr/20 2:56 PM r53179: ICE-11468 Removed old libraries with vulnerabilities, as specified by JIRA description (except JSTL); added updated libraries; added new libraries that are dependencies of updated libraries; updated build scripts and licenses documentation

Arturo Zambrano added a comment - 22/Apr/20 3:07 PM - edited These are the libraries that were updated and the jars that were removed: -------------------------------------------------------------------------------- NAME VERSION FILENAME -------------------------------------------------------------------------------- Mojarra 2.3.5 javax.faces-2.3.5.jar Myfaces 2.3.1 myfaces-bundle-2.3.1.jar Commons BeanUtils 1.9.3 commons-beanutils-1.9.3.jar dom4j 1.6.1 dom4j-1.6.1.jar Apache POI 3.9 poi-3.9.jar poi-ooxml-3.9.jar poi-ooxml-schemas-3.9.jar XML Beans 2.6.0 xmlbeans-2.6.0 -------------------------------------------------------------------------------- These are the updated jars: -------------------------------------------------------------------------------- NAME VERSION FILENAME -------------------------------------------------------------------------------- Mojarra 2.3.8 javax.faces-2.3.8.jar Myfaces 2.3.6 myfaces-bundle-2.3.6.jar Commons BeanUtils 1.9.4 commons-beanutils-1.9.4.jar dom4j 2.1.3 dom4j-2.1.3.jar Apache POI 4.1.2 poi-4.1.2.jar poi-ooxml-4.1.2.jar poi-ooxml-schemas-4.1.2.jar XML Beans 3.1.0 xmlbeans-3.1.0.jar -------------------------------------------------------------------------------- These new jars were added as dependencies of the new version of POI: -------------------------------------------------------------------------------- NAME VERSION FILENAME -------------------------------------------------------------------------------- Apache Commons Math 3.6.1 commons-math3-3.6.1.jar Apache Commons Collections4 4.4 commons-collections4-4.4.jar Apache Commons Compress 1.2 commons-compress-1.20.jar -------------------------------------------------------------------------------- Other observations: JSTL (1.2) wasn't updated, because the report refers to the Apache Standard Taglib version (1.2.3 and under). In any case, this library is only used with sample apps and tutorials, and it doesn't affect the framework itself. The new Mojarra 2.3 (2.3.8) version that we use now was released by the Eclipse Foundation. The commons collections jar used by Myfaces and the new collections4 jar are independent of each other and do not cause conflicts. The collections4 jar contains packages with collections4 in their names. The XML Beans library update wasn't part of the security update, but it was necessary to update it, because the new POI library version required it. The Apache Commons Math library was added for XLS and XLSX exporting, while the Apache Commons Collections4 and Apache Commons Compress were added for XLSX exporting only.

Ken Fyten added a comment - 23/Apr/20 11:27 AM Re-opened. The relevant .pom files need to be updated to indicate the correct versions of these updated libraries.

Arturo Zambrano added a comment - 27/Apr/20 9:51 AM r53185: ICE-11468 updated maven pom.xml files to build using new library versions and dependencies; removed dom4j, which is no longer necessary by new POI version; also updated to Mojarra 2.3.14, which is actually the newest version; also updated commons logging to 1.2 and commons bean utils to 1.9.4 in the Myfaces 2.2 library folder

Arturo Zambrano added a comment - 29/Apr/20 3:56 PM r57788: updated maven pom.xml files to use https in dependency repository URLs r57789: updated ant maven build script to use https in dependency repository URLs

Arturo Zambrano added a comment - 30/Apr/20 9:54 AM r57784: updated maven pom.xml files to use https in URLs, including URLs in namespaces

Arturo Zambrano added a comment - 19/May/20 6:34 PM r53218, r53219: removed the krysalis jCharts library from the showcase pom file, since this library is no longer used by the components or by the showcase application (committed to the trunk and the P02 tag)

Arturo Zambrano added a comment - 20/May/20 2:54 PM - edited r53222, r53223: Added JAXB API jar to avoid build-time errors with JDK 11 (committed to trunk and P02 tag) Starting from Java 9, the JAXB API were moved out of Java SE, because they are considered part of Java EE. So, we're adding this jar, specifically for the mobi codebase, to be able to compile correctly on Java 9 and above. This doesn't affect anything when compiling with Java 8. https://stackoverflow.com/questions/43574426/how-to-resolve-java-lang-noclassdeffounderror-javax-xml-bind-jaxbexception-in-j