Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add OSGI metadata #661

Open
zspitzer opened this issue Feb 23, 2022 · 23 comments
Open

add OSGI metadata #661

zspitzer opened this issue Feb 23, 2022 · 23 comments

Comments

@zspitzer
Copy link
Contributor

zspitzer commented Feb 23, 2022

there's a maven plugin which adds OSGI metadata

because it's missing, there are quite a few projects which wrap the library to add headers, this causes security scanners to miss flagging outdated versions

https://felix.apache.org/documentation/subprojects/apache-felix-maven-bundle-plugin-bnd.html

@kwwall
Copy link
Contributor

kwwall commented Feb 23, 2022

I am preparing a release that, among other updates, will add an SBOM via Steve Springett's cyclonedx-maven-plugin that produces a SBOM in XML and JSON formats that is compatible with OWASP Dependency Track. Examples (renamed to .txt so I could attach them) from that plug-in is attached.

Would this SBOM not serve the same purpose.?The ESAPI pom is already way more complicated that I'd like it to be and it seems like I spend 1/4 of my life trying to keep all the plugins updated.
bom.xml.txt
bom.json.txt

@xeno6696
Copy link
Collaborator

I would think the OWASP Dependency-Track covers this. I was taking a peek into this one in particular, and the OSGi framework is bloated IMHO.

I can see the value-add, but OSGi has been around since '99 and you'd think this would have bubbled up in importance if this was something that was under heavy adoption.

I would think that the OWASP Dependency Track would be sufficient. I poked around in this, and to implement OSGi metadata requires adding a custom class to ESAPI to instruct the build operations. I only looked into it for a few minutes, but this seems like overkill if all you need is a manifest file listing dependencies.

@xeno6696
Copy link
Collaborator

Nevermind @kwwall this is easy. I figured out that you can leave your build package alone and just generate the metadata file.

mvn org.apache.felix:maven-bundle-plugin:manifest

Before a standard "mvn package" command will generate the file, package will automatically scoop it up into META-INF/

@xeno6696
Copy link
Collaborator

I think this is too easy and simple not to just include it. The only thing I have to figure out is how to make sure it gets executed as part of the standard build command process. (It's been a long separation... maven configurations and me...)

@kwwall
Copy link
Contributor

kwwall commented Feb 23, 2022

@xeno6696 - Easy, perhaps. That wasn't so much of my concern. But is it necessary if we are creating an SBOM? It complicates the pom which I don't really like. The SBOM contains all the same info as near as I can tell, along with hashes and I've made changes suggested by Dave Wichers to introduce reproducible builds as well.

@xeno6696
Copy link
Collaborator

I have a distinct feeling that the Eclipse foundations OSGI people aren't aware of or care about the SBOM. I think SBOM is the way of the future, but I doubt their parsers would be looking for us anytime soon.

@kwwall
Copy link
Contributor

kwwall commented Feb 23, 2022

So, in other words, Eclipse is still using technology from 1999 even though Java now includes the concepts of Java Modules in Java 9 which should address most of those concerns in a much simpler way. Okay, got it.

Are you going to make a PR for that? If so, might as well include the bump to AntiSamy 1.6.5 (which I've already done a while back in the PR I am prepping) so I can deal with one less merge conflict.

@xeno6696
Copy link
Collaborator

I have to figure out forcing it to trigger, then I'll generate a PR.

My thinking is more that the auto industry relies heavily on OSGI (I know from a friend) and that this is a small win... for those not abandoning technology that's 23yrs old. ROFL

Hey, at least its not COBOL!

@xeno6696
Copy link
Collaborator

I'll include the antisamy update on it as well

@kwwall
Copy link
Contributor

kwwall commented Feb 23, 2022

I have to figure out forcing it to trigger, then I'll generate a PR.

As long as it automatically runs as part of 'mvn package' that should be sufficient. If it doesn't usually all you need to do is add something like this:

                <!-- Create SBOM -->
            <plugin>
                <groupId>org.cyclonedx</groupId>
                <artifactId>cyclonedx-maven-plugin</artifactId>
                <version>2.5.3</version>
                <executions>
                  <execution>
                    <phase>package</phase>
                    <goals><goal>makeBom</goal></goals>
                  </execution>
                </executions>
            </plugin>

Like I have for the cyclonedx-maven-plugin. They usually support something like that. Running it 'package' phase should be sufficient since we do that as standard part of the deployment instructions.

@xeno6696
Copy link
Collaborator

@zspitzer can you confirm that the only thing necessary would be the manifest dependency data?

I'm digging down a rabbit hole: http://www.pnambic.com/home/2015/11/21/using-maven-to-bundle-non-osgi-third-party-libraries/

And I'm getting the picture that to enable the dependency-checking feature you're talking about would require more than JUST an OSGI manifest file. As I'm understanding this, to be fully integrated into that environment ESAPI needs to convert to be fully OSGI-compliant, and that is simply too-specific an ask for what is supposed to be a lowest-common-denominator security library.

I don't have test harness to be able to tell whether or not the changes I'm currently looking at will work, and to be frank, I'm fine with setting up a manifest file, but I'm not fine with advertising a feature that I can't test myself. This sounds like a task for the framework maintainers who are packaging ESAPI in OSGI applications.

Yeah, to become OSGI compliant is its own bear:

https://felix.apache.org/documentation/development/using-the-osgi-compliance-tests.html

The general process is to send a request to the [email protected] mailing requesting access. Since redistributing the OSGi CTs is not allowed, you will need to submit an NDA to be granted access to the SVN repo containing the binaries.

^^I don't have time for all that.

@xeno6696
Copy link
Collaborator

META-INF.zip

@kwwall --> Before I revert these changes, I THINK that for us to be OSGI compliant we'd have to accept their version of MANIFEST.MF. I've enclosed the differences in actual file version.

What OSGI frameworks are probably picking up on is the Export-Package directive.

However, I don't know enough to determine if THAT is sufficient for OSGI frameworks to check against, and it appears that the only way to be sure is to go through the hassle of full OSGI compliance testing, which as I said above, I don't think we should be doing. I think if someone needs an OSGI-compliant ESAPI library they fork us and do their own project.

I'm assuming that what you're getting ready to do with the BOM already covers this requirement.

So @zspitzer I'll give you a week to reply before I close this out. You seem to be the only one who could answer if the BOM we'll be producing is sufficient, or if a simple OSGI-Manifest would be sufficient.

kwwall pushed a commit that referenced this issue Feb 26, 2022
…663)

* Signed key history for MATT SEIL begins here.

* Signed key history for MATT SEIL begins here.  Fixed email typo.

* Revert "Signed key history for MATT SEIL begins here.  Fixed email typo."

This reverts commit 87c4c4e.

* created file on main.

* Deleted foo.txt

* #661 Added ability to generate OSGi metadata with the command 'mvn org.apache.felix:maven-bundle-plugin:manifest'.

* Updated to AntiSamy 1.6.5.

* Revert "#661 Added ability to generate OSGi metadata with the command 'mvn org.apache.felix:maven-bundle-plugin:manifest'."

This reverts commit 9fa2a53.

* #656 -->  Parameterized cookie name length and value to correspond with the HTTP maxes defined in esapi.properties.

* Adjusted regex to allow for zero-length matches.

* Added per review comments for PR #663

Co-authored-by: Matt Seil <xeno6696[at]gmail.com>
@zspitzer
Copy link
Contributor Author

unfortunately, due to log4j1, the Lucee project has to do some extra OSGI rewrapping of this project, which means we can't just use the normal distribution. https://github.com/lucee/extension-esapi

Too many Govs and Corps have banned software which still uses log4j1

however, this manifest might be useful?
https://mvnrepository.com/artifact/org.apache.servicemix.bundles/org.apache.servicemix.bundles.esapi/2.2.3.1_1

Manifest-Version: 1.0 Bnd-LastModified: 1622013078884 Build-Jdk: 1.8.0_172 Built-By: jbonofre Bundle-Description: This OSGi bundle wraps esapi 2.2.3.1 jar file. Bundle-DocURL: http://www.apache.org/ Bundle-License: http://www.apache.org/licenses/LICENSE-2.0.txt Bundle-ManifestVersion: 2 Bundle-Name: Apache ServiceMix :: Bundles :: esapi Bundle-SymbolicName: org.apache.servicemix.bundles.esapi Bundle-Vendor: The Apache Software Foundation Bundle-Version: 2.2.3.1_1 Created-By: Apache Maven Bundle Plugin Export-Package: org.owasp.esapi;version="2.2.3.1";uses:="javax.crypto, javax.servlet,javax.servlet.http,org.owasp.esapi.codecs,org.owasp.esa pi.configuration,org.owasp.esapi.crypto,org.owasp.esapi.errors",org.o wasp.esapi.codecs;version="2.2.3.1",org.owasp.esapi.codecs.ref;versio n="2.2.3.1",org.owasp.esapi.configuration;version="2.2.3.1";uses:="or g.owasp.esapi.configuration.consts,org.owasp.esapi.errors",org.owasp. esapi.configuration.consts;version="2.2.3.1",org.owasp.esapi.crypto;v ersion="2.2.3.1";uses:="javax.crypto,org.owasp.esapi.errors",org.owas p.esapi.doc-files;version="2.2.3.1",org.owasp.esapi.errors;version="2 .2.3.1";uses:="org.owasp.esapi",org.owasp.esapi.filters;version="2.2. 3.1";uses:="javax.servlet,javax.servlet.http",org.owasp.esapi.logging .appender;version="2.2.3.1";uses:="org.owasp.esapi",org.owasp.esapi.l ogging.cleaning;version="2.2.3.1";uses:="org.owasp.esapi.codecs",org. owasp.esapi.logging.java;version="2.2.3.1";uses:="org.owasp.esapi,org .owasp.esapi.logging.appender,org.owasp.esapi.logging.cleaning",org.o wasp.esapi.logging.log4j;version="2.2.3.1";uses:="org.apache.log4j,or g.apache.log4j.spi,org.owasp.esapi,org.owasp.esapi.logging.appender,o rg.owasp.esapi.logging.cleaning",org.owasp.esapi.logging.slf4j;versio n="2.2.3.1";uses:="org.owasp.esapi,org.owasp.esapi.logging.appender,o rg.owasp.esapi.logging.cleaning",org.owasp.esapi.reference;version="2 .2.3.1";uses:="javax.servlet,javax.servlet.http,org.owasp.esapi,org.o wasp.esapi.codecs,org.owasp.esapi.errors",org.owasp.esapi.reference.a ccesscontrol;version="2.2.3.1";uses:="org.apache.commons.beanutils,or g.owasp.esapi,org.owasp.esapi.errors,org.owasp.esapi.reference.access control.policyloader",org.owasp.esapi.reference.accesscontrol.policyl oader;version="2.2.3.1";uses:="org.apache.commons.configuration,org.o wasp.esapi,org.owasp.esapi.errors,org.owasp.esapi.reference.accesscon trol",org.owasp.esapi.reference.crypto;version="2.2.3.1";uses:="javax .crypto,org.owasp.esapi,org.owasp.esapi.crypto,org.owasp.esapi.errors ",org.owasp.esapi.reference.validation;version="2.2.3.1";uses:="org.o wasp.esapi,org.owasp.esapi.errors",org.owasp.esapi.tags;version="2.2. 3.1";uses:="javax.servlet.jsp,javax.servlet.jsp.tagext,org.owasp.esap i,org.owasp.esapi.errors",org.owasp.esapi.util;version="2.2.3.1";uses :="org.owasp.esapi.errors",org.owasp.esapi.waf;version="2.2.3.1";uses :="javax.servlet,org.owasp.esapi.errors,org.owasp.esapi.waf.configura tion",org.owasp.esapi.waf.actions;version="2.2.3.1",org.owasp.esapi.w af.configuration;version="2.2.3.1";uses:="org.apache.log4j,org.owasp. esapi.waf,org.owasp.esapi.waf.rules",org.owasp.esapi.waf.internal;ver sion="2.2.3.1";uses:="javax.servlet,javax.servlet.http,org.apache.com mons.fileupload,org.owasp.esapi.waf.rules",org.owasp.esapi.waf.rules; version="2.2.3.1";uses:="bsh,javax.servlet.http,org.owasp.esapi,org.o wasp.esapi.waf.actions,org.owasp.esapi.waf.internal" Import-Package: bsh;resolution:=optional,javax.crypto,javax.crypto.spe c,javax.servlet;resolution:=optional,javax.servlet.http;resolution:=o ptional,javax.servlet.jsp;resolution:=optional,javax.servlet.jsp.tage xt;resolution:=optional,javax.xml.parsers,javax.xml.transform,javax.x ml.transform.stream,javax.xml.validation,nu.xom;resolution:=optional, org.apache.commons.beanutils;version="[1.9,2)",org.apache.commons.con figuration;version="[1.10,2)",org.apache.commons.lang.text;version="[ 2.6,3)",org.apache.commons.fileupload;resolution:=optional;version="[ 1.3,2)",org.apache.commons.fileupload.disk;resolution:=optional;versi on="[1.3,2)",org.apache.commons.fileupload.servlet;resolution:=option al;version="[1.3,2)",org.apache.commons.fileupload.util;resolution:=o ptional;version="[1.3,2)",org.apache.log4j;resolution:=optional;versi on="[1.2,2)",org.apache.log4j.spi;resolution:=optional;version="[1.2, 2)",org.apache.log4j.xml;resolution:=optional;version="[1.2,2)",org.o wasp.validator.html;version="[1.4,2)",org.w3c.dom,org.apache.commons. collections.iterators;version="[3.2,4)" Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Tool: Bnd-4.1.0.201810181252

@kwwall
Copy link
Contributor

kwwall commented Feb 27, 2022

Regarding log4j1, you know that you can just exclude it from your builds, right? All the security bulletins relevant to log4j1 show how to do this. And log4j1 isn't really needed as it is no longer the default logger (JUL is). As soon as the two year anniversary after deprecation hits (sometime in mid-July, I think), we are removing it and all the code that accesses it.

@xeno6696
Copy link
Collaborator

xeno6696 commented Feb 27, 2022

@zspitzer that doesn't precisely answer my question. What you show there is the result of using the bundle plugin. What I need to understand is if that manifest data--is sufficient for your purposes? It's pretty trival to add though @kwwall and I will need to discuss if its okay to replace the current manifest with the OSGI-compliant manifest. Or if we need to supply a separate OSGI-MANIFEST.MF. And will downstream infrastructure know to select the OSGI-MANIFEST.MF if we go down that path? And it's also a good question if the OSGI clients you're referring to will be adhering to the security BOM that we were already planning to add?

This helps us figure out what the best course of action will be. If the security BOM will work, there's no need to do an OSGI manifest, and also, if an OSGI manifest isn't sufficient, I need to know what IS sufficient so that way we can appropriately scope the work. It looks like achieving full OSGI compliance takes some development effort plus an NDA, and since I'm donating free time on holidays and occasional weekends...

@kwwall
Copy link
Contributor

kwwall commented Feb 28, 2022

Well, we definitely are NOT going down any NDA path. I think that goes against all the transparency that OWASP tries to stand for.

And as far as the BOM goes, I attached a copy of what's supposed to get uploaded to Maven Repository in #661 (comment). I have yet to hear any comment from @zspitzer about it. The BOM also has hashes of the dependencies. The MANIFEST.MF that was requested doesn't, so IMHO, a BOM, like the one we propose, provides a higher level of assurance.

I will say one more thing. We are planning on one last release that will support Java 7 as a minimal JDK. After that, JDK 8 or higher will be required. I am hoping that we'll release that in the next two weeks at the max. (Yeah; I think I said that 2 weeks ago, but I keep finding new stuff that needs fixed for those still stuck on Java 7.) But what I am saying is if this OSGI needs to be put into a version that supports Java 7 that @zspitzer needs to be a little more proactive in answering @xeno6696's questions or it's not going to make it in on time.

@xeno6696
Copy link
Collaborator

xeno6696 commented Mar 2, 2022

So to be clear @kwwall, the NDA would be to gain access to the jarfiles used to analyze OSGI package compliance.

I have absolutely no idea why an apache project would be mandating an NDA for that. Seems particularly silly for a FOSS organization.

@zspitzer
Copy link
Contributor Author

zspitzer commented Mar 2, 2022

all that the BOM stuff (has merit) but has nothing to do with what I'm asking for, nor does the NDA stuff.

All I was after is having the extra metadata which that maven plugin adds to the existing MANIFEST file, which allows a framework like Apache Felix https://felix.apache.org/ to dynamically load the esapi jar

i.e.
srikanth-lingala/zip4j#89
danfickle/openhtmltopdf#510

@xeno6696
Copy link
Collaborator

xeno6696 commented Mar 3, 2022

@kwwall do you see anything that might conflict anywhere else with the manifest differences?

BEFORE:

Manifest-Version: 1.0
Build-Jdk-Spec: 12
Specification-Title: ESAPI
Specification-Version: 0.0
Specification-Vendor: The Open Web Application Security Project (OWASP)
Implementation-Title: ESAPI
Implementation-Version: 2.2.4.0-SNAPSHOT
Implementation-Vendor: The Open Web Application Security Project (OWASP)
Created-By: Maven Integration for Eclipse
Class-Path: 

AFTER:

Manifest-Version: 1.0 Bnd-LastModified: 1646274890406 Build-Jdk-Spec: 1.8 Bundle-Description: The Enterprise Security API (ESAPI) project is an OW ASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on th e OWASP web site. By providing developers with a set of strong c ontrols, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost sav ings across the SDLC. Bundle-DocURL: https://owasp.org/ Bundle-License: http://www.opensource.org/licenses/bsd-license.php, http ://creativecommons.org/licenses/by-sa/3.0/ Bundle-ManifestVersion: 2 Bundle-Name: ESAPI Bundle-SymbolicName: org.owasp.esapi Bundle-Vendor: The Open Web Application Security Project (OWASP) Bundle-Version: 2.2.4.0-SNAPSHOT Class-Path: Created-By: Apache Maven Bundle Plugin 5.1.4 Export-Package: org.owasp.esapi;uses:="javax.crypto,javax.servlet,javax. servlet.http,org.owasp.esapi.codecs,org.owasp.esapi.configuration,org.o wasp.esapi.crypto,org.owasp.esapi.errors";version="2.2.4",org.owasp.esa pi.codecs;version="2.2.4",org.owasp.esapi.codecs.ref;version="2.2.4",or g.owasp.esapi.configuration;uses:="org.owasp.esapi.configuration.consts ,org.owasp.esapi.errors";version="2.2.4",org.owasp.esapi.configuration. consts;version="2.2.4",org.owasp.esapi.crypto;uses:="javax.crypto,org.o wasp.esapi.errors";version="2.2.4",org.owasp.esapi.errors;uses:="org.ow asp.esapi";version="2.2.4",org.owasp.esapi.filters;uses:="javax.servlet ,javax.servlet.http";version="2.2.4",org.owasp.esapi.logging.appender;u ses:="org.owasp.esapi";version="2.2.4",org.owasp.esapi.logging.cleaning ;uses:="org.owasp.esapi.codecs";version="2.2.4",org.owasp.esapi.logging .java;uses:="org.owasp.esapi,org.owasp.esapi.logging.appender,org.owasp .esapi.logging.cleaning";version="2.2.4",org.owasp.esapi.logging.log4j; uses:="org.apache.log4j,org.apache.log4j.spi,org.owasp.esapi,org.owasp. esapi.logging.appender,org.owasp.esapi.logging.cleaning";version="2.2.4 ",org.owasp.esapi.logging.slf4j;uses:="org.owasp.esapi,org.owasp.esapi. logging.appender,org.owasp.esapi.logging.cleaning,org.slf4j";version="2 .2.4",org.owasp.esapi.reference;uses:="javax.servlet,javax.servlet.http ,org.owasp.esapi,org.owasp.esapi.codecs,org.owasp.esapi.errors";version ="2.2.4",org.owasp.esapi.reference.accesscontrol;uses:="org.apache.comm ons.beanutils,org.owasp.esapi,org.owasp.esapi.errors,org.owasp.esapi.re ference.accesscontrol.policyloader";version="2.2.4",org.owasp.esapi.ref erence.accesscontrol.policyloader;uses:="org.apache.commons.configurati on,org.owasp.esapi,org.owasp.esapi.errors,org.owasp.esapi.reference.acc esscontrol";version="2.2.4",org.owasp.esapi.reference.crypto;uses:="jav ax.crypto,org.owasp.esapi,org.owasp.esapi.crypto,org.owasp.esapi.errors ";version="2.2.4",org.owasp.esapi.reference.validation;uses:="org.owasp .esapi,org.owasp.esapi.errors";version="2.2.4",org.owasp.esapi.tags;use s:="javax.servlet.jsp,javax.servlet.jsp.tagext,org.owasp.esapi,org.owas p.esapi.errors";version="2.2.4",org.owasp.esapi.util;uses:="org.owasp.e sapi.errors";version="2.2.4",org.owasp.esapi.waf.actions;version="2.2.4 ",org.owasp.esapi.waf.configuration;uses:="org.apache.log4j,org.owasp.e sapi.waf,org.owasp.esapi.waf.rules";version="2.2.4",org.owasp.esapi.waf ;uses:="javax.servlet,org.owasp.esapi.errors,org.owasp.esapi.waf.config uration";version="2.2.4",org.owasp.esapi.waf.rules;uses:="bsh,javax.ser vlet.http,org.owasp.esapi,org.owasp.esapi.waf.actions";version="2.2.4" Implementation-Title: ESAPI Implementation-Vendor: The Open Web Application Security Project (OWASP) Implementation-Version: 2.2.4.0-SNAPSHOT Import-Package: bsh,javax.crypto,javax.crypto.spec,javax.servlet;version ="[3.0,4)",javax.servlet.http;version="[3.0,4)",javax.servlet.jsp;versi on="[2.3,3)",javax.servlet.jsp.tagext;version="[2.3,3)",javax.xml.parse rs,javax.xml.transform,javax.xml.transform.stream,javax.xml.validation, nu.xom,org.apache.commons.beanutils;version="[1.9,2)",org.apache.common s.collections4.iterators;version="[4.2,5)",org.apache.commons.configura tion;version="[1.10,2)",org.apache.commons.fileupload;version="[1.3,2)" ,org.apache.commons.fileupload.disk;version="[1.3,2)",org.apache.common s.fileupload.servlet;version="[1.3,2)",org.apache.commons.fileupload.ut il;version="[1.3,2)",org.apache.commons.lang.text;version="[2.6,3)",org .apache.log4j;version="[1.2,2)",org.apache.log4j.spi;version="[1.2,2)", org.apache.log4j.xml;version="[1.2,2)",org.owasp.esapi,org.owasp.esapi. codecs,org.owasp.esapi.codecs.ref,org.owasp.esapi.configuration,org.owa sp.esapi.configuration.consts,org.owasp.esapi.crypto,org.owasp.esapi.er rors,org.owasp.esapi.logging.appender,org.owasp.esapi.logging.cleaning, org.owasp.esapi.reference,org.owasp.esapi.reference.accesscontrol,org.o wasp.esapi.reference.accesscontrol.policyloader,org.owasp.esapi.referen ce.validation,org.owasp.esapi.util,org.owasp.esapi.waf.actions,org.owas p.esapi.waf.configuration,org.owasp.validator.html,org.slf4j;version="[ 1.7,2)",org.slf4j.helpers;version="[1.7,2)",org.w3c.dom,org.xml.sax Originally-Created-By: Maven Integration for Eclipse PhaseIfJava8plus: site Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))" Specification-Title: ESAPI Specification-Vendor: The Open Web Application Security Project (OWASP) Specification-Version: 0.0 Tool: Bnd-5.1.1.202006162103

Me personally, I can't see any reason why we can't replace it as-is. I've yet to encounter tooling that looks into manifest files, but overall I see this providing some concise information.

@zspitzer
Copy link
Contributor Author

zspitzer commented Mar 3, 2022

looks good,

Attributes which are not understood are ignored. Such attributes may include implementation specific information used by applications.

https://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#JAR_Manifest

@xeno6696
Copy link
Collaborator

xeno6696 commented Mar 3, 2022

@zspitzer so I'm stuck, and this should be easy but it is driving me nuts.

I can generate that file using mvn org.apache.felix:maven-bundle-plugin:manifest

The relevant part of the pom looks like this right now:

				<plugin>
				  <groupId>org.apache.felix</groupId>
				  <artifactId>maven-bundle-plugin</artifactId>
				  <configuration>
				  	<rebuildBundle>true</rebuildBundle>
				  	<niceManifest>true</niceManifest>
				  	<supportIncrementalBuild>true</supportIncrementalBuild>
				  	<runOnIncremental>true</runOnIncremental>
					<archive>
					  <forced>true</forced>
					</archive>
				  	<manifestLocation>${project.build.outputDirectory}/META-INF</manifestLocation>
				  </configuration>
				  <executions>
				    <execution>
				      <id>bundle-manifest</id>
				      <phase>process-classes</phase>
				      <goals>
				        <goal>manifest</goal>
				      </goals>
				    </execution>
				  </executions>
				</plugin>

This SHOULD run by a simple "mvn package" which runs "process-classes" right after the compile phase.

But it never fires.

I added these:

				  	<rebuildBundle>true</rebuildBundle>
				  	<niceManifest>true</niceManifest>
				  	<supportIncrementalBuild>true</supportIncrementalBuild>
				  	<runOnIncremental>true</runOnIncremental>

Trying to help troubleshoot, but they don't seem to affect the behavior.

Everything I've found in documentation tells me that maven should be creating the new manifest file. We release to maven central only a few times a year, so it becomes easy to forget to run the standalone command.

@zspitzer
Copy link
Contributor Author

zspitzer commented Mar 3, 2022

@xeno6696 I'll have a look into it tomorrow!

@xeno6696
Copy link
Collaborator

xeno6696 commented Mar 3, 2022

@zspitzer thanks. If you clone this: 9fa2a53

and then just run "mvn package -DskipTests" you should get a rapid run of the build. So far I have tried:

1.) Removing maven-jar reference
2.) added <manifestFile>${project.build.outputDirectory}/META-INF/MANIFEST.MF</manifestFile> around line 624 of the pom
3.) multiple lifecycle target goals.

kwwall added a commit that referenced this issue Apr 8, 2022
* Signed key history for MATT SEIL begins here.

* Signed key history for MATT SEIL begins here.  Fixed email typo.

* Revert "Signed key history for MATT SEIL begins here.  Fixed email typo."

This reverts commit 87c4c4e.

* created file on main.

* Deleted foo.txt

* Bump release to new patch version #.

* #661 Added ability to generate OSGi metadata with the command 'mvn org.apache.felix:maven-bundle-plugin:manifest'.

* Updated to AntiSamy 1.6.5.

* Revert "#661 Added ability to generate OSGi metadata with the command 'mvn org.apache.felix:maven-bundle-plugin:manifest'."

This reverts commit 9fa2a53.

* #656 -->  Parameterized cookie name length and value to correspond with the HTTP maxes defined in esapi.properties.

* Adjusted regex to allow for zero-length matches.

* Added per review comments for PR #663

* #656 Finished sweep looking for headername, headervalue, and header value sizes as well as the 'Cookie' versions of those statements.  Added unit tests.

* #663 Fixed a missed unit test.

* Antisamy 1.6.6, Antisamy regression test for analysis 1.  A handful of new regression tests for other purposes in validation and encoder tests.

* Attempting to fix classfile differences with antisamy dependencies.

* Fixed typo on exclusion.

* Added xerces exclusion to antisamy in the pom.xml

* Added test cases 2 & 3.

* Added test cases 2 & 3.  @ignore on test case 3 from AntiSamy as the DOS is still present.

* Forced my version to match Wichers.

* Added a pair of unit tests for canoncialization to prove out an issue opened up on github.  One of which however reminded me that we need a codec to account for UTF-8 encoding/decoding.

Co-authored-by: Matt Seil <xeno6696[at]gmail.com>
Co-authored-by: kwwall <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants