unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
* bug#55776: maven-core fails to build
@ 2022-06-03  6:05 Dr. Arne Babenhauserheide
  2022-06-04 10:25 ` Remco van 't Veer
  2022-06-07 10:32 ` Steve George
  0 siblings, 2 replies; 8+ messages in thread
From: Dr. Arne Babenhauserheide @ 2022-06-03  6:05 UTC (permalink / raw)
  To: 55776

[-- Attachment #1: Type: text/plain, Size: 3141 bytes --]

Hi,

I currently cannot get maven, because maven-core fails to build. To reproduce:

    guix shell maven

Log:

    [mkdir] Created dir: /tmp/guix-build-maven-core-3.8.5.drv-0/apache-maven-3.8.5/maven-core/build/jar
      [jar] Building jar: /tmp/guix-build-maven-core-3.8.5.drv-0/apache-maven-3.8.5/maven-core/build/jar/maven-core.jar

BUILD SUCCESSFUL
Total time: 1 second
phase `build' succeeded after 2.3 seconds
starting phase `generate-metadata'
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
[INFO] Discovered 58 component descriptors(s)
Problem executing command line.
Error stacktrace:
java.io.IOException: Invalid input descriptor for merge: /tmp/plexus-metadata3957336728290309540xml --> http://xml.org/sax/features/external-general-entities feature http://xml.org/sax/features/external-general-entities not supported for SAX driver org.codehaus.plexus.metadata.merge.Driver
	at org.codehaus.plexus.metadata.merge.AbstractMerger.mergeDescriptors(Unknown Source)
	at org.codehaus.plexus.metadata.DefaultMetadataGenerator.generateDescriptor(Unknown Source)
	at org.codehaus.plexus.metadata.PlexusMetadataGeneratorCli.invokePlexusComponent(Unknown Source)
	at org.codehaus.plexus.tools.cli.AbstractCli.execute(Unknown Source)
	at org.codehaus.plexus.tools.cli.AbstractCli.execute(Unknown Source)
	at org.codehaus.plexus.metadata.PlexusMetadataGeneratorCli.main(Unknown Source)
error: in phase 'generate-metadata': uncaught exception:
system-error "open-file" "~A: ~S" ("No such file or directory" "build/classes/META-INF/plexus/components.t.xml") (2) 
phase `generate-metadata' failed after 0.8 seconds
Backtrace:
          12 (primitive-load "/gnu/store/ndhm39px4lh3jrcqpkaa3ykwgji…")
In guix/build/gnu-build-system.scm:
    906:2 11 (gnu-build #:source _ #:outputs _ #:inputs _ #:phases . #)
In ice-9/boot-9.scm:
  1752:10 10 (with-exception-handler _ _ #:unwind? _ # _)
In srfi/srfi-1.scm:
    634:9  9 (for-each #<procedure 7ffff034be20 at guix/build/gnu-b…> …)
In ice-9/boot-9.scm:
  1752:10  8 (with-exception-handler _ _ #:unwind? _ # _)
In guix/build/gnu-build-system.scm:
   927:23  7 (_)
In ice-9/eval.scm:
    619:8  6 (_ #(#(#(#<directory (guile-user) 7ffff1fd3c80>) (…)) #))
   311:34  5 (_ #(#(#(#<directory (guile-user) 7ffff1fd3c80>) (…)) #))
   293:34  4 (_ #(#(#<directory (guile-user) 7ffff1fd3c80>) "build…"))
In ice-9/ports.scm:
   450:11  3 (call-with-input-file "build/classes/META-INF/plexus/c…" …)
In unknown file:
           2 (open-file "build/classes/META-INF/plexus/components.t…" …)
In ice-9/boot-9.scm:
  1685:16  1 (raise-exception _ #:continuable? _)
  1685:16  0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1685:16: In procedure raise-exception:
In procedure open-file: No such file or directory: "build/classes/META-INF/plexus/components.t.xml"

Best wishes,
Arne
-- 
Unpolitisch sein
heißt politisch sein,
ohne es zu merken.
draketo.de

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1125 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#55776: maven-core fails to build
  2022-06-03  6:05 bug#55776: maven-core fails to build Dr. Arne Babenhauserheide
@ 2022-06-04 10:25 ` Remco van 't Veer
  2022-06-04 13:47   ` Julien Lepiller
  2022-06-07 10:32 ` Steve George
  1 sibling, 1 reply; 8+ messages in thread
From: Remco van 't Veer @ 2022-06-04 10:25 UTC (permalink / raw)
  To: 55776; +Cc: Dr. Arne Babenhauserheide

I did some digging and found this regression is caused by commit:

 6068b83b82475566acd4162467bcf54270f338f9
 "gnu: java-jdom: Update to 2.0.6.1 [fixes CVE-2021-33813]."

Apparently the fix for this issue causes jdom to be very strict;

> java.io.IOException: Invalid input descriptor for merge:
> /tmp/plexus-metadata3957336728290309540xml -->
> http://xml.org/sax/features/external-general-entities feature
> http://xml.org/sax/features/external-general-entities not supported
> for SAX driver org.codehaus.plexus.metadata.merge.Driver

Which sound familiar when looking at that CVE
(https://github.com/advisories/GHSA-2363-cqg2-863c):

> An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to
> cause a denial of service via a crafted HTTP request. At this time
> there is not released fixed version of JDOM. As a workaround, to avoid
> external entities being expanded, one can call
> builder.setExpandEntities(false) and they won't be expanded.

I dunno how to fix this though, I'm just a curious guixer.  Easiest path
seems to be to make a new java-jdom-2.0.6 var and use that as a
native-input for maven.  Would that be an acceptable solution?

Cheers,
Remco




^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#55776: maven-core fails to build
  2022-06-04 10:25 ` Remco van 't Veer
@ 2022-06-04 13:47   ` Julien Lepiller
  2022-06-04 14:25     ` Remco van 't Veer
                       ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Julien Lepiller @ 2022-06-04 13:47 UTC (permalink / raw)
  To: Remco van 't Veer; +Cc: Dr. Arne Babenhauserheide, 55776

[-- Attachment #1: Type: text/plain, Size: 2064 bytes --]

Le Sat, 04 Jun 2022 12:25:21 +0200,
Remco van 't Veer <remco@remworks.net> a écrit :

> I did some digging and found this regression is caused by commit:
> 
>  6068b83b82475566acd4162467bcf54270f338f9
>  "gnu: java-jdom: Update to 2.0.6.1 [fixes CVE-2021-33813]."
> 
> Apparently the fix for this issue causes jdom to be very strict;
> 
> > java.io.IOException: Invalid input descriptor for merge:
> > /tmp/plexus-metadata3957336728290309540xml -->
> > http://xml.org/sax/features/external-general-entities feature
> > http://xml.org/sax/features/external-general-entities not supported
> > for SAX driver org.codehaus.plexus.metadata.merge.Driver  
> 
> Which sound familiar when looking at that CVE
> (https://github.com/advisories/GHSA-2363-cqg2-863c):
> 
> > An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to
> > cause a denial of service via a crafted HTTP request. At this time
> > there is not released fixed version of JDOM. As a workaround, to
> > avoid external entities being expanded, one can call
> > builder.setExpandEntities(false) and they won't be expanded.  
> 
> I dunno how to fix this though, I'm just a curious guixer.  Easiest
> path seems to be to make a new java-jdom-2.0.6 var and use that as a
> native-input for maven.  Would that be an acceptable solution?
> 
> Cheers,
> Remco
> 

Like you say, the issue is with the new jdom. Believe it or not, but
between 2.0.6 and 2.0.6.1 there's some breakage (and > 1 year of
changes, too)!

So I figured I could fix java-plexus-component-metadata that we use to
generate some xml files during the build of maven. jdom is one of its
inputs. Adding another jdom to the native inputs would probably not fix
the issue.

What I did instead is, since jdom wants to set more features than
supported in the driver, to add dummy support for all these additional
features by just not throwing the exception. It's not very satisfying,
but it works and we don't keep a vulnerable jdom around. With the
attached patch, I built up to maven.

[-- Attachment #2: 0001-gnu-java-plexus-component-metadata-Fix-package.patch --]
[-- Type: text/x-patch, Size: 1356 bytes --]

From 2523b6c6b3f81f8a86b7c768dfed9dae97978e93 Mon Sep 17 00:00:00 2001
From: Julien Lepiller <julien@lepiller.eu>
Date: Sat, 4 Jun 2022 15:41:41 +0200
Subject: [PATCH] gnu: java-plexus-component-metadata: Fix package.

* gnu/packages/java.scm (java-plexus-component-metadat): Apply fix for
  newer jdom.
---
 gnu/packages/java.scm | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 336e84e3e5..f475f7c270 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -4537,6 +4537,14 @@ (define-public java-plexus-component-metadata-1.7
              (copy-recursively "src/main/resources"
                                "build/classes/")
              #t))
+         (add-before 'build 'fix-jdom
+           (lambda _
+             ;; The newer version of jdom now sets multiple features by default
+             ;; that are not supported.
+             ;; Skip these features
+             (substitute* "src/main/java/org/codehaus/plexus/metadata/merge/MXParser.java"
+               (("throw new XmlPullParserException\\(\"unsupporte feature \"\\+name\\);")
+                "// skip"))))
          (add-before 'check 'fix-test-location
            (lambda _
              (substitute* '("src/test/java/org/codehaus/plexus/metadata/DefaultComponentDescriptorWriterTest.java"
-- 
2.35.1


^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#55776: maven-core fails to build
  2022-06-04 13:47   ` Julien Lepiller
@ 2022-06-04 14:25     ` Remco van 't Veer
  2022-06-04 15:00     ` Dr. Arne Babenhauserheide
  2022-06-08 15:35     ` Andrew Tropin
  2 siblings, 0 replies; 8+ messages in thread
From: Remco van 't Veer @ 2022-06-04 14:25 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: Dr. Arne Babenhauserheide, 55776

2022/06/04 15:47, Julien Lepiller:

> So I figured I could fix java-plexus-component-metadata that we use to
> generate some xml files during the build of maven. jdom is one of its
> inputs. Adding another jdom to the native inputs would probably not fix
> the issue.

Reverting the jdom upgrade patch, I did get mave-core to build.  I admit
I did not try running it.  My interest in maven is as a dependency to
clojure-tools, I don't really know how to test maven is actually working
by itself.

> What I did instead is, since jdom wants to set more features than
> supported in the driver, to add dummy support for all these additional
> features by just not throwing the exception. It's not very satisfying,
> but it works and we don't keep a vulnerable jdom around. With the
> attached patch, I built up to maven.

Smart!  I look forward to seeing your patch land in the main branch.

Cheers,
Remco




^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#55776: maven-core fails to build
  2022-06-04 13:47   ` Julien Lepiller
  2022-06-04 14:25     ` Remco van 't Veer
@ 2022-06-04 15:00     ` Dr. Arne Babenhauserheide
  2022-06-08 18:36       ` Julien Lepiller
  2022-06-08 15:35     ` Andrew Tropin
  2 siblings, 1 reply; 8+ messages in thread
From: Dr. Arne Babenhauserheide @ 2022-06-04 15:00 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: Remco van 't Veer, 55776

[-- Attachment #1: Type: text/plain, Size: 543 bytes --]


Julien Lepiller <julien@lepiller.eu> writes:
> What I did instead is, since jdom wants to set more features than
> supported in the driver, to add dummy support for all these additional
> features by just not throwing the exception. It's not very satisfying,
> but it works and we don't keep a vulnerable jdom around. With the
> attached patch, I built up to maven.

Thank you!

The patch looks clear enough — will you push it?

Best wishes,
Arne
-- 
Unpolitisch sein
heißt politisch sein,
ohne es zu merken.
draketo.de

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1125 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#55776: maven-core fails to build
  2022-06-03  6:05 bug#55776: maven-core fails to build Dr. Arne Babenhauserheide
  2022-06-04 10:25 ` Remco van 't Veer
@ 2022-06-07 10:32 ` Steve George
  1 sibling, 0 replies; 8+ messages in thread
From: Steve George @ 2022-06-07 10:32 UTC (permalink / raw)
  To: 55776


Hi,

I was able to build java-plexus-component-metadata using this patch, and 
from there maven to clojure-tools.

Cheers,

Futurile




^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#55776: maven-core fails to build
  2022-06-04 13:47   ` Julien Lepiller
  2022-06-04 14:25     ` Remco van 't Veer
  2022-06-04 15:00     ` Dr. Arne Babenhauserheide
@ 2022-06-08 15:35     ` Andrew Tropin
  2 siblings, 0 replies; 8+ messages in thread
From: Andrew Tropin @ 2022-06-08 15:35 UTC (permalink / raw)
  To: Julien Lepiller, Remco van 't Veer; +Cc: Dr. Arne Babenhauserheide, 55776

[-- Attachment #1: Type: text/plain, Size: 3700 bytes --]

On 2022-06-04 15:47, Julien Lepiller wrote:

> Le Sat, 04 Jun 2022 12:25:21 +0200,
> Remco van 't Veer <remco@remworks.net> a écrit :
>
>> I did some digging and found this regression is caused by commit:
>> 
>>  6068b83b82475566acd4162467bcf54270f338f9
>>  "gnu: java-jdom: Update to 2.0.6.1 [fixes CVE-2021-33813]."
>> 
>> Apparently the fix for this issue causes jdom to be very strict;
>> 
>> > java.io.IOException: Invalid input descriptor for merge:
>> > /tmp/plexus-metadata3957336728290309540xml -->
>> > http://xml.org/sax/features/external-general-entities feature
>> > http://xml.org/sax/features/external-general-entities not supported
>> > for SAX driver org.codehaus.plexus.metadata.merge.Driver  
>> 
>> Which sound familiar when looking at that CVE
>> (https://github.com/advisories/GHSA-2363-cqg2-863c):
>> 
>> > An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to
>> > cause a denial of service via a crafted HTTP request. At this time
>> > there is not released fixed version of JDOM. As a workaround, to
>> > avoid external entities being expanded, one can call
>> > builder.setExpandEntities(false) and they won't be expanded.  
>> 
>> I dunno how to fix this though, I'm just a curious guixer.  Easiest
>> path seems to be to make a new java-jdom-2.0.6 var and use that as a
>> native-input for maven.  Would that be an acceptable solution?
>> 
>> Cheers,
>> Remco
>> 
>
> Like you say, the issue is with the new jdom. Believe it or not, but
> between 2.0.6 and 2.0.6.1 there's some breakage (and > 1 year of
> changes, too)!
>
> So I figured I could fix java-plexus-component-metadata that we use to
> generate some xml files during the build of maven. jdom is one of its
> inputs. Adding another jdom to the native inputs would probably not fix
> the issue.
>
> What I did instead is, since jdom wants to set more features than
> supported in the driver, to add dummy support for all these additional
> features by just not throwing the exception. It's not very satisfying,
> but it works and we don't keep a vulnerable jdom around. With the
> attached patch, I built up to maven.
> From 2523b6c6b3f81f8a86b7c768dfed9dae97978e93 Mon Sep 17 00:00:00 2001
> From: Julien Lepiller <julien@lepiller.eu>
> Date: Sat, 4 Jun 2022 15:41:41 +0200
> Subject: [PATCH] gnu: java-plexus-component-metadata: Fix package.
>
> * gnu/packages/java.scm (java-plexus-component-metadat): Apply fix for
>   newer jdom.
> ---
>  gnu/packages/java.scm | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
> index 336e84e3e5..f475f7c270 100644
> --- a/gnu/packages/java.scm
> +++ b/gnu/packages/java.scm
> @@ -4537,6 +4537,14 @@ (define-public java-plexus-component-metadata-1.7
>               (copy-recursively "src/main/resources"
>                                 "build/classes/")
>               #t))
> +         (add-before 'build 'fix-jdom
> +           (lambda _
> +             ;; The newer version of jdom now sets multiple features by default
> +             ;; that are not supported.
> +             ;; Skip these features
> +             (substitute* "src/main/java/org/codehaus/plexus/metadata/merge/MXParser.java"
> +               (("throw new XmlPullParserException\\(\"unsupporte feature \"\\+name\\);")
> +                "// skip"))))
>           (add-before 'check 'fix-test-location
>             (lambda _
>               (substitute* '("src/test/java/org/codehaus/plexus/metadata/DefaultComponentDescriptorWriterTest.java"

Work for me as well.  Probably can be merged to master?

-- 
Best regards,
Andrew Tropin

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

* bug#55776: maven-core fails to build
  2022-06-04 15:00     ` Dr. Arne Babenhauserheide
@ 2022-06-08 18:36       ` Julien Lepiller
  0 siblings, 0 replies; 8+ messages in thread
From: Julien Lepiller @ 2022-06-08 18:36 UTC (permalink / raw)
  To: Dr. Arne Babenhauserheide; +Cc: Remco van 't Veer, 55776-done

Le Sat, 04 Jun 2022 17:00:15 +0200,
"Dr. Arne Babenhauserheide" <arne_bab@web.de> a écrit :

> Julien Lepiller <julien@lepiller.eu> writes:
> > What I did instead is, since jdom wants to set more features than
> > supported in the driver, to add dummy support for all these
> > additional features by just not throwing the exception. It's not
> > very satisfying, but it works and we don't keep a vulnerable jdom
> > around. With the attached patch, I built up to maven.  
> 
> Thank you!
> 
> The patch looks clear enough — will you push it?
> 
> Best wishes,
> Arne

Pushed to master as f0d9248267dabd2feb5c004d6e4610cbdf3e5b87, thanks
for testing it :)




^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2022-06-08 18:37 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-03  6:05 bug#55776: maven-core fails to build Dr. Arne Babenhauserheide
2022-06-04 10:25 ` Remco van 't Veer
2022-06-04 13:47   ` Julien Lepiller
2022-06-04 14:25     ` Remco van 't Veer
2022-06-04 15:00     ` Dr. Arne Babenhauserheide
2022-06-08 18:36       ` Julien Lepiller
2022-06-08 15:35     ` Andrew Tropin
2022-06-07 10:32 ` Steve George

Code repositories for project(s) associated with this inbox:

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).