The GitHub Dependabot is reporting some discovered vulnerabilities in the Mylyn Docs repository mirror in the Eclipse GitHub organization:

--
eclipse / mylyn.docs
Known security vulnerabilities detected

Dependency org.apache.tika:tika-core
Version >= 0.1 < 1.19.1
Upgrade to ~> 1.19.1
Defined in pom.xml
Vulnerabilities: CVE-2016-6809 (High severity), CVE-2018-11761 (High severity), CVE-2018-11796 (Moderate severity), CVE-2018-1339 (Moderate severity), CVE-2015-3271 (Moderate severity)

Dependency com.google.guava:guava
Version > 11.0 < 24.1.1
Upgrade to ~> 24.1.1
Defined in pom.xml
Vulnerabilities: CVE-2020-8908 (Low severity), CVE-2018-10237 (Moderate severity)

Dependency org.apache.ant:ant
Version >= 1.1 < 1.9.15
Upgrade to ~> 1.9.15
Defined in pom.xml
Vulnerabilities: CVE-2020-11979 (High severity), CVE-2020-1945 (Moderate severity)

Dependency junit:junit
Version >= 4.7 < 4.13.1
Upgrade to ~> 4.13.1
Defined in pom.xml
Vulnerabilities: CVE-2020-15250 (Low severity)
--
Most of these dependencies have been addressed for 3.0.40, with poms updated:
* com.google.guava -> 30.1.0
* org.apache.ant -> 1.10.11
* junit -> 4.13.2

The only thing outstanding is org.apache.tika which doesn't have an updated entry in Orbit. If we update the Maven dependencies to build with 1.19.1, Eclipse installs will still be stuck with 1.3. Torkild, is there any plan to update Epub with an updated Tika dependency? There's no upper bound on the Epub manifests, but I'm not familiar with Tika's API stability - if we update the poms to 1.19.1, will Eclipse users with 1.3 break?
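The report above gives each finding as a vulnerable version range plus the first fixed version, and comment #1 lists the versions the poms were moved to. The following script is an added example (not Mylyn Docs or Eclipse code) that checks a pom.xml against exactly those ranges, resolving `${property}` versions the way Maven poms commonly declare them; the embedded pom.xml is constructed for the example and is not the real Mylyn Docs pom. Version ordering covers numeric components and simple textual qualifiers only, not the full Maven ComparableVersion rules.

```python
"""Check a Maven pom.xml against Dependabot-style vulnerable version ranges."""
import re
import xml.etree.ElementTree as ET

# Vulnerable ranges as Dependabot reported them in this bug:
# coordinate -> (lower bound, lower bound inclusive?, first fixed version).
# The upper bound ("< fixed") is always exclusive.
VULNERABLE_RANGES = {
    "org.apache.tika:tika-core": ("0.1", True, "1.19.1"),
    "com.google.guava:guava": ("11.0", False, "24.1.1"),
    "org.apache.ant:ant": ("1.1", True, "1.9.15"),
    "junit:junit": ("4.7", True, "4.13.1"),
}

# Constructed pom.xml (not the real Mylyn Docs pom): guava, ant and junit are at the
# versions comment #1 reports, while Tika is still pinned to the 1.3 bundle from Orbit.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <guava.version>30.1.0</guava.version>
  </properties>
  <dependencies>
    <dependency><groupId>org.apache.tika</groupId><artifactId>tika-core</artifactId><version>1.3</version></dependency>
    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId><version>${guava.version}</version></dependency>
    <dependency><groupId>org.apache.ant</groupId><artifactId>ant</artifactId><version>1.10.11</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.13.2</version></dependency>
  </dependencies>
</project>
"""


def version_key(version):
    """Turn '1.19.1' into a comparable tuple. Numeric parts compare as integers; a
    textual qualifier (e.g. 'beta') sorts below any number. Trailing zero components
    are dropped so that 1.0 compares equal to 1, as Maven does."""
    parts = []
    for token in re.split(r"[.\-]", version):
        parts.append((1, int(token)) if token.isdigit() else (0, token.lower()))
    while parts and parts[-1] == (1, 0):
        parts.pop()
    return tuple(parts)


def in_vulnerable_range(version, lower, lower_inclusive, fixed):
    """True if version lies inside [lower, fixed) or (lower, fixed)."""
    v, lo, hi = version_key(version), version_key(lower), version_key(fixed)
    above_lower = v >= lo if lower_inclusive else v > lo
    return above_lower and v < hi


def _local(tag):
    # Strip the POM XML namespace so tags can be matched by local name.
    return tag.rsplit("}", 1)[-1]


def pom_dependencies(pom_text):
    """Yield (groupId:artifactId, resolved version) for every <dependency>.
    A dependency whose version is managed elsewhere yields an empty version."""
    root = ET.fromstring(pom_text)
    props = {}
    for node in root.iter():
        if _local(node.tag) == "properties":
            props = {_local(p.tag): (p.text or "").strip() for p in node}
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        version = fields.get("version", "")
        # Resolve ${property} references from the <properties> block.
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), version)
        yield f"{fields['groupId']}:{fields['artifactId']}", version


def still_vulnerable(pom_text, ranges=VULNERABLE_RANGES):
    """Return {coordinate: (declared version, first fixed version)} for each
    dependency whose declared version still falls inside a reported range."""
    findings = {}
    for coord, version in pom_dependencies(pom_text):
        if coord in ranges and version:
            lower, inclusive, fixed = ranges[coord]
            if in_vulnerable_range(version, lower, inclusive, fixed):
                findings[coord] = (version, fixed)
    return findings


if __name__ == "__main__":
    for coord, (current, fixed) in still_vulnerable(SAMPLE_POM).items():
        print(f"{coord}: {current} is in the vulnerable range, upgrade to {fixed}")
```

Run against the sample pom, only org.apache.tika:tika-core is reported, which matches the state of the repository after comment #1: the Maven build can declare any version, but what matters for Eclipse installs is the version of the Orbit bundle actually shipped, so a check like this should be run against the pom that the released build really uses.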
(In reply to Leo Dos Santos from comment #1)
> Most of these dependencies have been addressed for 3.0.40, with poms updated:
> * com.google.guava -> 30.1.0
> * org.apache.ant -> 1.10.11
> * junit -> 4.13.2
>
> The only thing outstanding is org.apache.tika which doesn't have an updated
> entry in Orbit. If we update the Maven dependencies to build with 1.19.1,
> Eclipse installs will still be stuck with 1.3. Torkild, is there any plan to
> update Epub with an updated Tika dependency? There's no upper bound on the
> Epub manifests, but I'm not familiar with Tika's API stability - if we
> update the poms to 1.19.1, will Eclipse users with 1.3 break?

I have no immediate plans to update the Tika dependency, but my guess is that the API is fairly stable. Since we only use Tika to determine the MIME type of content, my guess is that an update will work just fine. I'll have a look.
I've tested with Apache Tika 1.27, which is the last release in the 1.x series, and can confirm that there is no API breakage and that the EPUB tests that use Apache Tika are passing.

I'm looking into putting this version of Tika in Orbit using Orbit Bundle Recipes.
(In reply to Torkild Resheim from comment #3)
> I've tested with Apache Tika 1.27, which is the last release in the 1.x
> series, and can confirm that there is no API breakage and that the EPUB tests
> that use Apache Tika are passing.
>
> I'm looking into putting this version of Tika in Orbit using Orbit Bundle
> Recipes.

Decided to go for Apache Tika 1.19.1 which already has an approved CQ.
The three month confidentiality window has passed, so I've removed the Committer-only flag. Are we done here?
We should be able to get a release out with the updated Tika in the next few days.
(In reply to Leo Dos Santos from comment #6)
> We should be able to get a release out with the updated Tika in the next few
> days.

I'm waiting for someone to review my merge request for Eclipse Orbit[1], and some changes have to be done in Mylyn Docs also. So we're not quite done.

[1] https://git.eclipse.org/r/c/orbit/orbit-recipes/+/186549
(In reply to Torkild Resheim from comment #7)
> (In reply to Leo Dos Santos from comment #6)
> > We should be able to get a release out with the updated Tika in the next few
> > days.
>
> I'm waiting for someone to review my merge request for Eclipse Orbit[1], and
> some changes have to be done in Mylyn Docs also. So we're not quite done.
>
> [1] https://git.eclipse.org/r/c/orbit/orbit-recipes/+/186549

I'm not too confident with Orbit recipes. Alexander, would this be something you could +2?
New Gerrit change created: https://git.eclipse.org/r/c/mylyn/org.eclipse.mylyn.docs/+/187430
Gerrit change https://git.eclipse.org/r/c/mylyn/org.eclipse.mylyn.docs/+/187430 was merged to [master]. Commit: http://git.eclipse.org/c/mylyn/org.eclipse.mylyn.docs.git/commit/?id=a365ee489f65bbe50c5ae492a8a598f902273678
Leo, everything should be ready for a release now. Hopefully you can do it for M3.
Great! I'll push out a release this week.
Thank you Torkild and Alexander for the work on finishing this.