The tool isn't smart enough to detect these. Sorry, I wish it was.
That original list that I sent you is my biggest concern.
commons-fileupload.jar (No CQ found)
derby.jar
jsflibrary-api-1.1.3.*.jar (No CQ found)
org.antlr.runtime_v31_3.1.0.*.jar (No CQ found)
I'm pretty sure that we don't have any CQ (Piggyback or otherwise)
for jsflibrary-api-1.1.3.*.jar and it represents a real exposure.
I'm also not entirely sure about the ANTLR version (we have a CQ for
3.1B1; is this the same content?) I have no idea what derby.jar even
is or what version.
There are a lot of legitimate JARs in the list. Many are for testing.
Some are just hard for the tool to sort out. It seems as though Web
Tools used to build a lot of plug-ins as directories with the code
packed up into JARs inside the directory. The tool doesn't account
for this pattern.
I've gone through the list and have been able to resolve some to
CQs. But there's a bunch that I just can't. Fortunately, I think
most of them are from the same presentation directory. Here's my
full worry list:
antlr.jar (No CQ found)
commons-beanutils.jar (No CQ found)
commons-digester.jar (No CQ found)
commons-fileupload.jar (No CQ found)
commons-logging.jar (No CQ found)
commons-validator.jar (No CQ found)
derby.jar (No CQ found)
jakarta-oro.jar (No CQ found)
jstl.jar (No CQ found)
org.antlr.runtime_v31_3.1.0.*.jar (No CQ found)
standard.jar (No CQ found)
struts.jar (No CQ found)
uddi4j.jar (No CQ found) - It looks like this is version 2.0.3 and
we don't have any CQ for that version.
jsflibrary-api-1.1.3.*.jar (No CQ found)
Side note: what project owns the org.eclipse.jsr220orm namespace?
Wayne
On 05/31/2012 10:54 AM, Chuck Bridgham wrote:
Hi Wayne,
I'm investigating some of these, and I'm not sure why it isn't finding CQ's in some instances...
jaxrpc.jar - CQ 1378
saaj.jar - CQ 1379
axis-ant.jar - CQ 1375
These are just a few examples...
we still have some pruning to do with our samples and demos, but maybe we do have many of these covered?
Thanks - Chuck
Senior Architect, RAD Java EE Tools, WTP PMC Lead
IBM Software Lab - Research Triangle Park, NC
From: Wayne Beaton <wayne@xxxxxxxxxxx>
To: wtp-pmc@xxxxxxxxxxx
Date: 05/30/2012 12:28 PM
Subject: Re: [wtp-pmc] Issues with missing CQ entries...
Sent by: wtp-pmc-bounces@xxxxxxxxxxx
I made a small change that now groups JARs that might
be for testing separately. I think it prunes down the list quite
nicely.
There's still more work to do.
Wayne
On 05/30/2012 12:12 AM, David M Williams wrote:
Thanks Neil ... Trying the URL with Opera worked fine, so ... not sure what's up with Firefox "sessions". But, I opened bug 380981 and hope that bug report is helpful.
So, looking at the list, there are a few that do have CQ's ... somewhere ... so not sure if the scanning tool doesn't "recognize" them, or if the tool is saying a certain sub-project doesn't have one ... if the latter, for the generic "webtools" URL, it would not be able to distinguish between subprojects, such as there are some "incubator" things in there (which is where, for example, the antlr jar "comes from" and fairly sure they have a cq for it).
An example of one that seems not mapped correctly to their corresponding CQs (by the scanning tool), I assume is.
saaj.jar (No CQ found) --> 2089
Other than that, don't think I have anything to add that's not obvious or been said. Just the first time the whole site has been "audited". Previously, just "releasing code" was.
Well, that, plus the tool seems to pick up a lot of noise from test plugins.
A great great many in the list, are very plain and simply obvious jars inside of normal (directory-form) bundles, such as
snippetstests.jar (No CQ found)
/home/data/httpd/download.eclipse.org/webtools/downloads/drops/R3.3.1/R-3.3.1-20110915193224/wtp-tests-R-3.3.1-20110915193224.zip/eclipse/plugins/org.eclipse.wst.common.snippets.tests_1.0.300.v201004110600
It appears the tool lists any jar file? Regardless of about.html files or if in a bundle with an about.html file? (And, I am not being critical, I am sympathetic ... I know it is hard to make these types of scanning tools work perfectly, but that they are very important ... I hope feature enhancements or bugs are tracked somewhere since some of these false-positive cases could be fixed).
Others, such as "derby.jar" in the "presentations" directory would have to be examined in detail to see if it's really something to do with derby third party code, or if it's code that's just part of a presentation on "how to use Eclipse with Derby DB". Whew.
Good luck!
From: Neil Hauge <neil.hauge@xxxxxxxxxx>
To: wtp-pmc@xxxxxxxxxxx
Date: 05/29/2012 08:46 PM
Subject: Re: [wtp-pmc] Issues with missing CQ entries...
Sent by: wtp-pmc-bounces@xxxxxxxxxxx
This appears to be a bug of some sort. The same thing started happening to me recently with various Eclipse reporting tools. Wasn't sure if I was the only one. I've only had this issue in Firefox, but it might just be a problem with the browser cache. I've hopped over to Chrome to work around the issue a couple of times and have had success.
Neil
On 5/29/2012 8:41 PM, David M Williams wrote:
I can access that page, itself, and I can "see" some subsets of "webtools", like "webtools.incubator" "webtools.releng" (the few I tried), but if I select "webtools" itself in the long list of projects, I am asked to login again. That's what made me think it was related to committer rights. And, I'm guessing it is the "webtools" "container" project that has the interesting long list of oddities.
Thanks,
From: Wayne Beaton <wayne@xxxxxxxxxxx>
To: wtp-pmc@xxxxxxxxxxx
Date: 05/29/2012 08:25 PM
Subject: Re: [wtp-pmc] Issues with missing CQ entries...
Sent by: wtp-pmc-bounces@xxxxxxxxxxx
Any committer should be able to access this page. You should be able to access it.
http://www.eclipse.org/projects/tools/downloads.php?id=webtools
Please confirm: can you access this page?
Wayne
On 05/29/2012 06:47 PM, David M Williams wrote:
I can't "see" that report ... my guess is my committer ID was removed from the "umbrella" group, as well as the more specific groups?
But in researching it, I discovered that we, webtools, have the first 8 CQs ever put in the IPZilla database ... how's that for a dubious honor? :)
While I can't see the report, I see that "webtools area" is defined as
/home/data/httpd/download.eclipse.org/webtools/
I think in the past we've only focused on "what we release" which would be what's under
/home/data/httpd/download.eclipse.org/webtools/downloads/drops
So, it wouldn't surprise me if there was stuff up there that we never really 'released' and was put up there before "we" knew what we were doing [such as for the tutorials, tests, build tools, etc.] But, agree with Wayne (Wayne is always right, correct? :) that "anything on downloads" should be IP Clean ... and we've just never scrubbed it ourselves, but sounds like Wayne is now.
Without seeing the list, hard to know what to recommend ... if to "get rid" of some of the old stuff (leaving a polite webpage in its place, explaining it was removed due to age) or to push ahead and get CQ clearance (eventually) even though it's not stuff we "release". I'd lean toward the former, but ... without seeing the list, I would not follow my advice :/
Naci might know about some of the tutorials/education material and if any of that is still useful/valid?
From: Chuck Bridgham/Raleigh/IBM@IBMUS
To: wtp-pmc@xxxxxxxxxxx
Date: 05/29/2012 02:29 PM
Subject: [wtp-pmc] Issues with missing CQ entries...
Sent by: wtp-pmc-bounces@xxxxxxxxxxx
Hi everyone,
Wayne emailed me earlier today as he was browsing through our IP log submission, and discovered potentially a large amount of third party libraries that are not tied to CQ's.
If you follow this link:
http://www.eclipse.org/projects/tools/downloads.php?id=webtools
Along with the large amount of test or sample files that are included in our junits or documentation, we also have many files that may need attention (axis, ant, commons, derby, jsr*, wsdl, etc...)
I'm going to send a note today for everyone to take a second look at this particular report.
David - Since most of these "problems" are ancient file references, is this a case of missing CQ entries? Do we simply need to map them somehow?
Thanks - Chuck
Senior Architect, RAD Java EE Tools, WTP PMC Lead
IBM Software Lab - Research Triangle Park, NC
_______________________________________________
wtp-pmc mailing list
wtp-pmc@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/wtp-pmc
--
Wayne Beaton
The Eclipse Foundation
Twitter: @waynebeaton
Explore Eclipse
Projects