Iam having one open vulnerability wen i scan my dependencies in blackduck for dozer version with 5.5.1. I tried to update the maven version but in maven central it is the latest version updated in 2014 . Could you please help me how to overcome the above vulnerability(CVE-2014-9515 Dozer 5.5.1).
Please find the POM :
<dependency>
<groupId>net.sf.dozer</groupId>
<artifactId>dozer</artifactId>
<version>5.5.1</version>
</dependency>
On the dozer webpage: https://github.com/DozerMapper/dozer
you will find the snippet for your pom file.
<dependency>
<groupId>com.github.dozermapper</groupId>
<artifactId>dozer-core</artifactId>
<version>6.5.2</version>
</dependency>
But it will not fix the issue CVE-2014-9515.
The dozer project is currently not active and will more than likely be deprecated in the future. If you are looking to use Dozer on a greenfield project, we would discourage that. If you have been using Dozer for a while, we would suggest you start to think about migrating onto another library, such as:
mapstruct
modelmapper
Related
I'm trying to migrate from Jersey 1.x (1.2) to 2.x (2.6), I have trouble identifying the exact maven dependencies, jersey documentation is not comprehensive enough, it doesn't mention what maven dependencies are needed for the new version.
Does anyone have comprehensive list of maven dependencies needed for Jersey 2.x (2.6)?
Jersey doc
https://jersey.java.net/documentation/latest/migration.html#mig-1.x
For a servlet environment, the only dependency you need is
<dependency>
<groupId>org.glassfish.jersey.containers</groupId>
<artifactId>jersey-container-servlet</artifactId>
<version>2.6</version>
</dependency>
This will pull in all you need. If you are in a servlet 2.5 environment, then you would use this instead
<dependency>
<groupId>org.glassfish.jersey.containers</groupId>
<artifactId>jersey-container-servlet-core</artifactId>
<version>2.6</version>
</dependency>
Further information about 2.5 servlet, can be seen here
Alternatively, you could create a project from a Maven archetype, as seen here
UPDATE
Just as a note, the significance of using Jersey 2.6 is that it is the last version to support Java 6. If this is not a requirement for you, I would recommend using the latest version.
I had tried adding Repository by using this blog post.
But Still Not able to get the dependency http://ebr.springsource.com/repository/app/bundle/version/detail?name=com.springsource.org.aopalliance&version=1.0.0&searchType=bundlesBySymbolicName&searchQuery=com.springsource.org.aopalliance
Then I read ebr.springsource.com/repository/app/faq Which says that "The repository is frozen "
So Which repository should I configure to Nexus Server to get the mentioned jar and get the data.
I didn't find "com.springsource.org.aopalliance" either.
So I check the Spring's dependencies (its pom.xml, version 4.1) And I found the following:
<dependency>
<groupId>aopalliance</groupId>
<artifactId>aopalliance</artifactId>
<version>1.0</version>
<scope>compile</scope>
</dependency>
I almost sure Spring uses the same version of aopalliance for a while.
We have recently upgraded from Drools 5 to Drools 6 and have run into disturbing conflict issues.
We have kie-ci imported into out project. kie-ci brings in sisu-guava. sisu-guava changes the accessibility of some of the classes from google's guava. Unfortunately, it uses the same package name as google's guava.
Since we're working with google's guava in our project, we are running into conflicts of classes.
An attempt to remove sisu-guava from the project (using a maven exclusion) results in accessibility exceptions, as the kie-ci code attempt to access classes which are public in sisu-guava but are private in google's guava.
Any idea how to get round this.
This may not be correct solution for all situation, but I was able to resolve this issue by excluding the susi-guava jar in my pom:
<dependency>
<groupId>org.jbpm</groupId>
<artifactId>jbpm-kie-services</artifactId>
<version>${jbpm.version}</version>
<exclusions>
<exclusion>
<groupId>org.sonatype.sisu</groupId>
<artifactId>sisu-guava</artifactId>
</exclusion>
</exclusions>
</dependency>
I seem to have the same problem using drools 6.2. Drools is dependent on guava 10.0.1, where as my project had a dependency on guava 16 and maven was picking the version 16 (correctly).
On inspecting the dependency tree, I find that the drools dependency on guava is dictated by "org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.0.0.M5:runtime".
There is a newer version of org.eclipse.sisu.plexus, so I added the following to my project's pom to pick up the latest version, which is:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.eclipse.sisu</groupId>
<artifactId>org.eclipse.sisu.plexus</artifactId>
<version>0.3.1</version>
</dependency>
</dependencies>
</dependencyManagement>
Now, there does not seem to be a dependency on guava, for drools and the problem is solved and my project can use version 16 of guava.
java.lang.ClassNotFoundException: org.hibernate.cache.EhCacheProvider
In my pom.xml dependency for ecahce is like below
<dependency>
<groupId>net.sf.ehcache</groupId>
<artifactId>ehcache</artifactId>
<version>1.5.0</version>
</dependency>
but still i am facing the problem classNotFound Exception
Please help me out iam trying this out from past 2 days
The dependency you're looking for is the following I think (Perhaps a different version)
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-ehcache</artifactId>
<version>3.6.2.Final</version>
</dependency>
I searched for the missing class using Maven Central's search site:
http://search.maven.org/#search|ga|1|fc%3A%22org.hibernate.cache.EhCacheProvider%22
When I ran into this problem, it was because I was trying to update the version of hibernate. When moving from hibernate 3.2 to 3.3, the packages split. I had tried to replace hibernate with hibernate-core. Reverting back to the full hibernate package (at 3.2 level) fixed my problem.
During my next round of updates, I will probably need to replace the full hibernate package with hibernate-core and hibernate-ehcache as referenced above.
I have a maven plugin which is using hsqldb 1.8.0.10. In my pom.xml from the plugin, it is declared like this:
<dependency>
<groupId>hsqldb</groupId>
<artifactId>hsqldb</artifactId>
<version>1.8.0.10</version>
</dependency>
But if I run that plugin from another maven project, and that project has a newer version of hsqldb (for instance 1.9.0), how can I configure my plugin that he will use the newest version of hsqldb, without changing it's pom.xml?
And is it possible to do this the other way around as well? If my other maven project uses hsqldb 1.7.0 (for instance), that he will use the 1.8.0.10 version which is specified in the maven plugin itself?
I hope someone can answer my question.
Kind regards,
Walle
Your main question is possible, but it might not work properly if the plugin doesn't work with the newer code for any reason.
A plugin can have it's own personal dependencies section, and will use standard Maven dependency resolution, choosing the highest version requested. So, you can do
<plugin>
<groupId>some.group.id</groupId>
<artifactId>some.artifact.id</artifactId>
<version>someversion</version>
<dependencies>
<dependency>
<groupId>hsqldb</groupId>
<artifactId>hsqldb</artifactId>
<version>1.9.0</version>
</dependency>
</dependencies>
</plugin>
I don't think going the other way around is possible, though.
use properties place holder for the version, say ${hsqldb.version} then declare in different project pom the version you want to put in it