Re: [wtp-pmc] Issues with missing CQ entries...

The tool isn't smart enough to detect these. Sorry, I wish it was.

That original list that I sent you is my biggest concern.

commons-fileupload.jar (No CQ found)
derby.jar
jsflibrary-api-1.1.3.*.jar (No CQ found)
org.antlr.runtime_v31_3.1.0.*.jar (No CQ found)

I'm pretty sure that we don't have any CQ (Piggyback or otherwise) for jsflibrary-api-1.1.3.*.jar and it represents a real exposure. I'm also not entirely sure about the ANTLR version (we have a CQ for 3.1B1; is this the same content?) I have no idea what derby.jar even is or what version.

There are a lot of legitimate JARs in the list. Many are for testing. Some are just hard for the tool to sort out. It seems as though Web Tools used to build a lot of plug-ins as directories with the code packed up into JARs inside the directory. The tool doesn't account for this pattern.

I've gone through the list and have been able to resolve some to CQs. But there's a bunch that I just can't. Fortunately, I think most of them are from the same presentation directory. Here's my full worry list:

antlr.jar (No CQ found)
commons-beanutils.jar (No CQ found)
commons-digester.jar (No CQ found)
commons-fileupload.jar (No CQ found)
commons-logging.jar (No CQ found)
commons-validator.jar (No CQ found)
derby.jar (No CQ found)
jakarta-oro.jar (No CQ found)
jstl.jar (No CQ found)
org.antlr.runtime_v31_3.1.0.*.jar (No CQ found)
standard.jar (No CQ found)
struts.jar (No CQ found)
uddi4j.jar (No CQ found) - It looks like this is version 2.0.3 and we don't have any CQ for that version.
jsflibrary-api-1.1.3.*.jar (No CQ found)

Side note: what project owns the org.eclipse.jsr220orm namespace?

Wayne

On 05/31/2012 10:54 AM, Chuck Bridgham wrote:
Hi Wayne,

I'm investigating some of these, and I'm not sure why it isn't finding CQ's in some instances...

jaxrpc.jar                    CQ 1378
saaj.jar                      CQ 1379
axis-ant.jar                 CQ 1375

These are just a few examples...   we still have some pruning to do with our samples and demos, but maybe we do have many of these covered?

Thanks - Chuck

Senior Architect, RAD Java EE Tools, WTP PMC Lead
IBM Software Lab - Research Triangle Park, NC



From:         Wayne Beaton <wayne@xxxxxxxxxxx>
To:         wtp-pmc@xxxxxxxxxxx
Date:         05/30/2012 12:28 PM
Subject:         Re: [wtp-pmc] Issues with missing CQ entries...
Sent by:         wtp-pmc-bounces@xxxxxxxxxxx



I made a small change that now groups JARs that might be for testing separately. I think it prunes down the list quite nicely. There's still more work to do.

Wayne

On 05/30/2012 12:12 AM, David M Williams wrote:
Thanks Neil ... Trying the URL with Opera worked fine, so ... not sure what's up with Firefox "sessions".  But, I opened bug 380981 and hope that bug report is helpful.

So, looking at the list, there are a few that do have CQ's ... somewhere ... so not sure if the scanning tool doesn't "recognize" them, or if the tool is saying a certain sub-project doesn't have one ... if the latter, for the generic "webtools" URL, it would not be able to distinguish between subprojects, such as there are some "incubator" things in there (which is where, for example, the antlr jar "comes from" and fairly sure they have a cq for it).


An example of one that seems not mapped correctly to their corresponding CQs (by the scanning tool), I assume is.
saaj.jar (No CQ found) --> 2089

Other than that, don't think I have anything to add that's not obvious or been said. Just the first time the whole site has been "audited". Previously, just "releasing code" was.


Well, that, plus the tool seems to pick up a lot of noise from test plugins. A great great many in the list, are very plain and simply obvious jars inside of normal (directory-form) bundles, such as


snippetstests.jar (No CQ found)
/home/data/httpd/download.eclipse.org/webtools/downloads/drops/R3.3.1/R-3.3.1-20110915193224/wtp-tests-R-3.3.1-20110915193224.zip/eclipse/plugins/org.eclipse.wst.common.snippets.tests_1.0.300.v201004110600


It appears the tool lists any jar file? Regardless of about.html files or if in a bundle with an about.html file? (And, I am not being critical, I am sympathetic ... I know it is hard to make these type of scanning tools work perfectly, but that they are very important ... I hope feature enhancements or bugs are tracked somewhere since some of these false-positive cases could be fixed).


Others, such as "derby.jar" in the "presentations" directory would have to be examined in detail to see if it's really something to do with derby third party code, or if it's code that's just part of a presentation on "how to use Eclipse with Derby DB". Whew.


Good luck!


 




From:         Neil Hauge <neil.hauge@xxxxxxxxxx>
To:         wtp-pmc@xxxxxxxxxxx ,
Date:         05/29/2012 08:46 PM
Subject:         Re: [wtp-pmc] Issues with missing CQ entries...
Sent by:         wtp-pmc-bounces@xxxxxxxxxxx



This appears to be a bug of some sort.   The same thing started happening to me recently with various Eclipse reporting tools.  Wasn't sure if I was the only one.  I've only had this issue in Firefox, but it might just be a problem with the browser cache.  I've hopped over to Chrome to work around the issue a couple of times and have had success.

Neil

On 5/29/2012 8:41 PM, David M Williams wrote:
I can access that page, itself, and I can "see" some subsets of "webtools", like "webtools.incubator" "webtools.releng" (the few I tried), but if I select "webtools" itself in the long list of projects, I am asked to login again. That's what made me think it was related to committer rights. And, I'm guessing it is the "webtools" "container" project that has the interesting long list of oddities.
Thanks,





From:         Wayne Beaton <wayne@xxxxxxxxxxx>
To:         wtp-pmc@xxxxxxxxxxx ,
Date:         05/29/2012 08:25 PM
Subject:         Re: [wtp-pmc] Issues with missing CQ entries...
Sent by:         wtp-pmc-bounces@xxxxxxxxxxx



Any committer should be able to access this page. You should be able to access it.

http://www.eclipse.org/projects/tools/downloads.php?id=webtools

Please confirm: can you access this page?

Wayne

On 05/29/2012 06:47 PM, David M Williams wrote:
I can't "see" that report ... my guess is my committer ID was removed from the "umbrella" group, as well as the more specific groups?

But in researching it, I discovered that we, webtools, have the first 8 CQs ever put in the IPZilla database ... how's that for a dubious honor? :)

While I can't see the report, I see that "webtools area" is defined as
/home/data/httpd/download.eclipse.org/webtools/

I think in the past we've only focused on "what we release" which would be what's under
/home/data/httpd/download.eclipse.org/webtools/downloads/drops

So, it wouldn't surprise me if there was stuff up there that we never really 'released' and was put up there before "we" knew what we were doing [such as for the tutorials, tests, build tools, etc.] But, agree with Wayne (Wayne is always right, correct? :) that "anything on downloads" should be IP Clean ... and we've just never scrubbed it ourselves, but sounds like Wayne is now.

Without seeing the list, hard to know what to recommend ... if to "get rid" of some of the old stuff (leaving a polite webpage in its place, explaining it was removed due to age) or to push ahead and get CQ clearance (eventually) even though it's not stuff we "release". I'd lean toward the former, but ... without seeing the list, I would not follow my advice :/

Naci might know about some of the tutorials/education material and if any of that is still useful/valid?









From:         Chuck Bridgham/Raleigh/IBM@IBMUS
To:         wtp-pmc@xxxxxxxxxxx ,
Date:         05/29/2012 02:29 PM
Subject:         [wtp-pmc] Issues with missing CQ entries...
Sent by:         wtp-pmc-bounces@xxxxxxxxxxx



Hi everyone,

Wayne emailed me earlier today as he was browsing through our IP log submission, and discovered potentially a large amount of third party libraries that are not tied to CQ's.

If you follow this link:   http://www.eclipse.org/projects/tools/downloads.php?id=webtools

Along with the large amount of test or sample files that are included in our junits or documentation, we also have many files that may need attention  (axis, ant, commons, derby, jsr*, wsdl,  etc...)

I'm going to send a note today for everyone to take a second look at this particular report.

David - Since most of these "problems" are ancient file references, Is this a case of missing CQ entries?   do we simply need to map them somehow?


Thanks - Chuck

Senior Architect, RAD Java EE Tools, WTP PMC Lead
IBM Software Lab - Research Triangle Park, NC
_______________________________________________
wtp-pmc mailing list

wtp-pmc@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/wtp-pmc





--
Wayne Beaton
The Eclipse Foundation
Twitter: @waynebeaton
Explore Eclipse Projects