fineract-commits mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] [fineract] ptuomola commented on pull request #1259: Excluding commented to prevent data leak FINERACT-1057
Date Thu, 20 Aug 2020 06:33:02 GMT

ptuomola commented on pull request #1259:
URL: https://github.com/apache/fineract/pull/1259#issuecomment-677292194
   So I looked at the dependency tree with and without the excludes - and that clearly shows
the problem caused by removing the exclude:
   
   With excludes, both the API and the runtime are pointing to the same version (2.3.3) -
which sounds good. We are using the Glassfish JAR for the implementation and the Jakarta JAR
for the API - I don't think that's an issue, but of course we could try to switch both to
use the Jakarta JAR and see if that makes any difference. 
   
   However, if we remove the excludes, we seem to have two different versions of the API in the
classpath (2.3.1 and 2.3.3) as well as two different versions of the runtime (2.2.3-1 and
2.3.3), which really does not sound good.
   
   So I don't think this PR - i.e. removing the excludes - is the right solution. Instead, it
would be good to understand what this data leak is and why it is caused by the JAXB version.
Is there a JAXB bug that you've been able to trace this to? Or any other insights? I still
don't know how to reproduce this, so I'm not sure I can help much here...
   
   For reference, here are the dependencies
   
   With exclude: 
   
   compile:
   +--- jakarta.xml.bind:jakarta.xml.bind-api -> 2.3.3
   
   runtime:
   
   +--- org.ehcache:ehcache -> 3.8.1
   |    \--- org.glassfish.jaxb:jaxb-runtime:2.3.1 -> 2.3.3
   |         +--- jakarta.xml.bind:jakarta.xml.bind-api:2.3.3 (*)
   
   +--- jakarta.xml.bind:jakarta.xml.bind-api -> 2.3.3
   
   Without exclude:
   
   compile
   +--- com.sun.jersey:jersey-json -> 1.19.4
   |    +--- com.sun.xml.bind:jaxb-impl:2.2.3-1
   |    |    \--- javax.xml.bind:jaxb-api:2.2.2 -> 2.3.1
   
   +--- jakarta.xml.bind:jakarta.xml.bind-api -> 2.3.3
   
   runtime
   
   +--- com.sun.jersey:jersey-json -> 1.19.4
   |    +--- com.sun.xml.bind:jaxb-impl:2.2.3-1
   |    |    \--- javax.xml.bind:jaxb-api:2.2.2 -> 2.3.1
   
   +--- org.dom4j:dom4j -> 2.1.3
   |    \--- javax.xml.bind:jaxb-api:2.2.12 -> 2.3.1 (*)
   
   +--- org.ehcache:ehcache -> 3.8.1
   |    \--- org.glassfish.jaxb:jaxb-runtime:2.3.1 -> 2.3.3
   |         +--- jakarta.xml.bind:jakarta.xml.bind-api:2.3.3 (*)
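
A small check for the situation described in this comment, added here as an example and not part of the PR or of the Fineract build: it parses `gradle dependencies` tree output and reports JAXB artifacts that resolve to more than one version even though Gradle treats the javax/jakarta and Sun/Glassfish coordinates as unrelated. The alias table is my own assumption about which coordinates ship the same classes; the sample trees are copied from the runtime sections quoted above.

```python
import re
from collections import defaultdict
# Coordinates assumed to ship the same JAXB classes (javax vs jakarta API, Sun vs
# Glassfish runtime); Gradle resolves per coordinate, so both can coexist.
JAXB_ALIASES = {
    ("javax.xml.bind", "jaxb-api"): "jaxb-api",
    ("jakarta.xml.bind", "jakarta.xml.bind-api"): "jaxb-api",
    ("com.sun.xml.bind", "jaxb-impl"): "jaxb-runtime",
    ("org.glassfish.jaxb", "jaxb-runtime"): "jaxb-runtime",
}
# One `gradle dependencies` node: tree glyphs, group:name[:requested] [-> resolved]
NODE = re.compile(
    r"^[\s|+\\-]*(?P<group>[^:\s]+):(?P<name>[^:\s]+)"
    r"(?::(?P<requested>\S+))?(?:\s*->\s*(?P<resolved>\S+))?"
)
def resolved_versions(tree: str) -> dict:
    """Map each artifact family to the set of versions Gradle resolved."""
    found = defaultdict(set)
    for line in tree.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # section headers such as "runtime:" and blank lines
        key = (m.group("group"), m.group("name"))
        family = JAXB_ALIASES.get(key, f"{key[0]}:{key[1]}")
        version = m.group("resolved") or m.group("requested")
        if version:
            found[family].add(version)
    return dict(found)
def conflicts(tree: str) -> dict:
    """Families that resolved to more than one version on this classpath."""
    return {f: sorted(v) for f, v in resolved_versions(tree).items() if len(v) > 1}
# Constructed sample input, copied from the runtime trees quoted in the comment.
WITH_EXCLUDE = r"""
+--- org.ehcache:ehcache -> 3.8.1
|    \--- org.glassfish.jaxb:jaxb-runtime:2.3.1 -> 2.3.3
|         +--- jakarta.xml.bind:jakarta.xml.bind-api:2.3.3 (*)
+--- jakarta.xml.bind:jakarta.xml.bind-api -> 2.3.3
"""
WITHOUT_EXCLUDE = r"""
+--- com.sun.jersey:jersey-json -> 1.19.4
|    +--- com.sun.xml.bind:jaxb-impl:2.2.3-1
|    |    \--- javax.xml.bind:jaxb-api:2.2.2 -> 2.3.1
+--- org.dom4j:dom4j -> 2.1.3
|    \--- javax.xml.bind:jaxb-api:2.2.12 -> 2.3.1 (*)
+--- org.ehcache:ehcache -> 3.8.1
|    \--- org.glassfish.jaxb:jaxb-runtime:2.3.1 -> 2.3.3
|         +--- jakarta.xml.bind:jakarta.xml.bind-api:2.3.3 (*)
"""
```

Running `conflicts(WITHOUT_EXCLUDE)` reproduces the two duplicated families named in the comment, while the tree with the exclude reports none.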


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


