Opened 3 years ago
Closed 3 years ago
#21667 closed defect (fixed)
[PATCH] Add `ivy-checkdepsupdate` for plugins
| Reported by: | taylor.smock | Owned by: | team |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | Plugin | Version: | |
| Keywords: | Cc: |
Description (last modified by )
It appears that most vulnerability scanners depend upon pom.xml files for the version numbers of dependencies.
The attached patch does the following:
KeepMETA-INF/maven/*- Add
ivy-checkdepsupdateso we can get the newest dependency versions faster
Attachments (2)
Change History (8)
by , 3 years ago
| Attachment: | 21667.patch added |
|---|
follow-up: 2 comment:1 by , 3 years ago
follow-up: 3 comment:2 by , 3 years ago
Replying to stoecker:
I don't think keeping useless files in the released executable file is a good idea.
I would argue that they aren't entirely useless. It should allow us (and users) to look for vulnerable packages, and fix them faster.
The files are literally text files containing dependency information. The important bit is dependency version information. Since most security analyzers look for those (why? I would have assumed checksums would be used for the specific vulnerable files if the pom.xml wasn't available).
I don't mind going through everything that I maintain or is in JOSM svn and checking for updates, but not everything is in JOSM svn (or JOSM git). Example: 3rd party plugins. Which may use ant or gradle. And we haven't moved everything to in JOSM svn to ivy yet (for example, geotools). Which means I'll be trying to move non-ivy dependencies into ivy, if only to make finding updates slightly easier (for i in *; do if [ -f "${i}/ivy.xml" ]; then cd ${i}; updates_available=$(ant ivy-checkdepsupdate|grep "All dependencies are up to date"|wc -l); if [ ${updates_available} -ne 1 ]; then echo "Needs update"; break; fi; fi; done). Assuming the patch is partially rejected (specifically, the bit about keeping pom files around) and partially accepted (specifically ivy-checkdepsupdate).
With that being said, if we do want to remove useless files in released executables, we might want to look at implementing some kind of task to remove unused code (i.e., proguard) in non-library plugins.
follow-up: 4 comment:3 by , 3 years ago
Replying to taylor.smock:
I would argue that they aren't entirely useless. It should allow us (and users) to look for vulnerable packages, and fix them faster.
No, not entirely useless, but:
- They depend on the build process.
- They are ugly.
We had already discussion why we keep the README inside which contain a lot of stuff no longer relevant in the running program, so keeping completely useless files is worse :-)
With that being said, if we do want to remove useless files in released executables, we might want to look at implementing some kind of task to remove unused code (i.e., proguard) in non-library plugins.
+1
comment:4 by , 3 years ago
| Summary: | [PATCH] Keep maven dependency information for vulnerability scanners → [PATCH] Add `ivy-checkdepsupdate` for plugins |
|---|
Replying to stoecker:
No, not entirely useless, but:
- They depend on the build process.
- They are ugly.
They do depend upon the build process :( .
I cannot argue with ugly (beauty, or the lack thereof, is in the eye of the beholder).
We had already discussion why we keep the README inside which contain a lot of stuff no longer relevant in the running program, so keeping completely useless files is worse :-)
Anyway, I'll modify the patch so it only has the ivy-checkdepsupdate.
comment:5 by , 3 years ago
| Description: | modified (diff) |
|---|
I don't think keeping useless files in the released executable file is a good idea.