Bug 582476 - MAT 2023-09+ CVE-2021-28170
Summary: MAT 2023-09+ CVE-2021-28170
Status: RESOLVED FIXED
Alias: None
Product: MAT
Classification: Tools
Component: Core
Version: 1.14
Hardware: PC Linux
Importance: P3 normal
Target Milestone: 1.15.0
Assignee: Andrew Johnson CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on: 582479
Blocks:
Reported: 2023-09-26 16:43 EDT by Daniel DeVeau CLA
Modified: 2023-11-20 05:22 EST

Description Daniel DeVeau CLA 2023-09-26 16:43:58 EDT
MAT 2023-09 & 2023-12 are throwing
CVE-2021-28170 https://security.snyk.io/vuln/SNYK-JAVA-ORGGLASSFISH-2841368.

This appears to be coming from com.sun.el.javax.el_3.0.0.jar, which is included in Eclipse 4.27+.

1. Can you help me confirm if we are susceptible to this? Is `git grep ELParserTokenManager` sufficient in this case?

2. Should I also submit a bug for Eclipse IDE to confirm if the CVE is valid?

Thank you.
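A verification check added here, not part of this bug report or of MAT's own code: rather than grepping MAT's source for ELParserTokenManager (the EL bundle arrives as a binary from the target platform, so source grep cannot see it), scan a built MAT distribution's plugins/ directory for com.sun.el.javax.el, report its version against the 3.0.0 named above, and look inside the jar for the ELParserTokenManager class. The sample plugins directory is constructed in the script; the marker-class package path and the mat.api qualifier are assumptions made for the sample.

```python
"""Inventory an Eclipse/MAT plugins/ directory for the EL bundle named in this bug."""
import re
import tempfile
import zipfile
from pathlib import Path

# Bundle and version named in the report (com.sun.el.javax.el_3.0.0.jar).
AFFECTED_BUNDLE = "com.sun.el.javax.el"
AFFECTED_VERSION = (3, 0, 0)
# Class name the reporter proposed grepping for; matched on jar entries, not on source.
MARKER_CLASS = "ELParserTokenManager.class"

# <symbolic.name>_<major.minor.micro>[.<qualifier>].jar
BUNDLE_RE = re.compile(r"^(?P<name>.+)_(?P<version>\d+\.\d+\.\d+)(?P<qual>\.[\w-]+)?\.jar$")

def parse_bundle(filename):
    """Return (symbolic_name, (major, minor, micro)) or None for non-bundle files."""
    m = BUNDLE_RE.match(filename)
    if not m:
        return None
    return m.group("name"), tuple(int(p) for p in m.group("version").split("."))

def jar_has_marker(jar_path):
    """True if any entry in the jar is the marker class, whatever its package."""
    with zipfile.ZipFile(jar_path) as zf:
        return any(n == MARKER_CLASS or n.endswith("/" + MARKER_CLASS) for n in zf.namelist())

def scan_plugins(plugins_dir):
    """Return one finding per jar whose symbolic name is the affected bundle."""
    findings = []
    for jar in sorted(Path(plugins_dir).glob("*.jar")):
        parsed = parse_bundle(jar.name)
        if parsed is None or parsed[0] != AFFECTED_BUNDLE:
            continue
        findings.append({"file": jar.name, "version": parsed[1],
                         "at_reported_version": parsed[1] == AFFECTED_VERSION,
                         "has_marker_class": jar_has_marker(jar)})
    return findings

def build_sample_plugins(base):
    """Construct a fake plugins/ dir (sample data, not a real MAT build) for a dry run."""
    plugins = Path(base) / "plugins"
    plugins.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(plugins / "com.sun.el.javax.el_3.0.0.jar", "w") as zf:
        zf.writestr("com/sun/el/parser/ELParserTokenManager.class", b"\xca\xfe\xba\xbe")  # assumed path
    with zipfile.ZipFile(plugins / "org.eclipse.mat.api_1.15.0.v20231117-0000.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Bundle-SymbolicName: org.eclipse.mat.api\n")
    return plugins

def dry_run():
    """Scan the constructed sample directory; point scan_plugins at a real plugins/ dir instead."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_plugins(build_sample_plugins(tmp))

if __name__ == "__main__":
    for finding in dry_run():
        print(finding)
```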
Comment 1 Andrew Johnson CLA 2023-09-27 02:55:20 EDT
Yes, please do raise another bug. As Eclipse IDE ships it that would be a starting point, but perhaps it will get routed to Eclipse help or Jetty.
There is a reference here:
https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/jetty-osgi/jetty-osgi-boot-jsp/pom.xml

MAT doesn't directly use that plugin, and when I took a heap dump the plugin was only resolved not activated.

Perhaps MAT could exclude the bundle. E.g.
https://git.eclipse.org/c/mat/org.eclipse.mat.git/tree/parent/pom.xml?id=21b2345397bc774023be3a8008b5f12c3f6297ab#n343
Comment 2 Daniel DeVeau CLA 2023-09-27 16:02:58 EDT
Thanks Andrew!

I submitted https://github.com/eclipse-platform/.github/issues/155 for this on eclipse-platform.

I tried filtering out this library, but was hit with a dependency error; perhaps I misunderstood you.

[ERROR]   Missing requirement: org.eclipse.help.feature.group 2.3.1600.v20230927-0600 requires 'org.eclipse.equinox.p2.iu; com.sun.el.javax.el [3.0.0,3.0.0]' but it could not be found
[ERROR]   Cannot satisfy dependency: org.eclipse.mat.ui.rcp.MemoryAnalyzer 1.15.0.qualifier depends on: org.eclipse.equinox.p2.iu; org.eclipse.help.feature.group 0.0.0

<filter>
	<type>eclipse-plugin</type>
	<id>com.sun.el.javax.el</id>
	<removeAll />
</filter>
Comment 3 Andrew Johnson CLA 2023-09-28 01:12:08 EDT
It looks like com.sun.el.javax.el is a required plugin from those features, so MAT will have to wait for a fix.
Comment 4 Andrew Johnson CLA 2023-09-29 11:03:46 EDT
It looks like we will need to build stand-alone MAT against Eclipse 4.30 to pick up the fix.

Currently the target platform points to
https://download.eclipse.org/eclipse/updates/4.30-I-builds/
as the final version won't be available until around the time of Eclipse SimRel 2023-12.

The problem then is how to do the builds.
So, normal plan: do builds, decide on a build to deliver to SimRel, use a build job to copy the update site to a particular place, probably somewhere like:

https://download.eclipse.org/mat/2023-12/M3/
Update mat.aggrcon in SimRel to point to this.

When SimRel is released, do a stand-alone package build which takes the previously built update site (rather than do a full build from scratch) and the second half of the build to make the stand-alone zips.

Ideally that build should be against the final Eclipse 4.30, and the I-builds directory does go away. https://download.eclipse.org/eclipse/updates/4.29-I-builds/ has gone.

We don't really want to update the source between the two steps (not sure if it is possible to tag the last SimRel version of MAT and build the stand-alone version at that Git level), so we can't really update mat-2023-12.target.

Perhaps we create two targets:
mat-2023-12i.target - for the latest Eclipse 4.30 I-builds
mat-2023-12.target  - for the final version with Eclipse 4.30

then set up the CI build to use mat-2023-12i.target, then run stand-alone against mat-2023-12.target.

We might instead be able to build against the SimRel update site:

https://download.eclipse.org/releases/2023-12/

which is updated for M1,M2,M3,RC1,RC2? with each component's contribution. (Perhaps not RC2 as that would effectively be an early release of SimRel as RC2 should be the same as the final).

We won't get Eclipse 4.30 updates as quickly that way, but 2023-12 M1 should have the fix by then.
See https://wiki.eclipse.org/Category:SimRel-2023-12 for dates.

That could allow MAT to pick up other components from SimRel - we don't particularly need or want this since BIRT stopped being part of SimRel.


I think the latest Eclipse 4.30 I-build has the fix:
https://download.eclipse.org/eclipse/updates/4.30-I-builds/I20230929-0600/plugins/
Comment 5 Daniel DeVeau CLA 2023-09-29 11:45:11 EDT
https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/pull/1406 is merged.
I built MAT on 4.30-I-builds/I20230929-0600 and confirmed that it passed the CVE scan.
Comment 6 Andrew Johnson CLA 2023-09-30 07:34:12 EDT
I've changed the CI build to build against
target: 2023-12i
product: 2023-12

The CI builds should now be clean.

The default pom target is still 2023-09, as that is a final release.
We might change it nearer to the release of 2023-12.
Comment 8 Andrew Johnson CLA 2023-11-05 09:54:45 EST
MAT Build problems now with Eclipse 4.30

https://github.com/eclipse-platform/eclipse.platform/issues/821
Eclipse MAT fails to run its tests with 4.30-I-builds/I20231104-0830/

https://github.com/eclipse-platform/eclipse.platform/issues/821#issuecomment-1793689437

>> tycho-surefire-plugin:2.7.5
>The current active supported Tycho version is Tycho 4.0.3, you should really upgrade your toolchain if you want to keep up with latest Eclipse development.

Possible solutions:
1. go to a specific previous version of Eclipse 4.30
2. upgrade Tycho
Comment 9 Andrew Johnson CLA 2023-11-17 04:04:42 EST
Set mat-2023-12 as default target - will only work after Eclipse 4.30 is released, so CI build still uses mat-2023-12i for the moment.

https://git.eclipse.org/r/c/mat/org.eclipse.mat/+/205518
https://git.eclipse.org/c/mat/org.eclipse.mat.git/commit/?id=3e1e914c53a0b62498890854ef18809742691be3