Openbravo Issue Tracking System - Retail Modules
View Issue Details

ID | Project | Category | View Status | Date Submitted | Last Update
0049609 | Retail Modules | Nexo Implementation | public | 2022-06-20 17:49 | 2022-06-20 17:49

Reporter: adrianromero
Assigned To: adrianromero
Priority: normal
Severity: major
Reproducibility: have not tried
Status: new
Resolution: open
Platform: (none)
OS: 5
OS Version: (none)
Product Version: (none)
Target Version: (none)
Fixed in Version: (none)
Merge Request Status: (none)
Review Assigned To: (none)
OBNetwork customer: (none)
Support ticket: (none)
Regression level: (none)
Regression date: (none)
Regression introduced in release: (none)
Regression introduced by commit: (none)
Triggers an Emergency Pack: No

Summary: 0049609: nexoprovider module package.json versions should be reviewed because of jsonix dependency
Description:

That should be reviewed and, unless a special reason exists, the more typical ^ semver instead of = should be used.

b.1) npm audit issues (easy): run "npm audit fix"
b.2) npm audit issues: avoiding old xmldom versions is still not possible, as it is depended upon by jsonix@3.0.0
c.) jsonix@3.0.0 contains jsonix-schema-compiler-full.jar, including other outdated libraries:
   jsonix-schema-compiler-full.jar (shaded: commons-beanutils:commons-beanutils:1.9.2)
   jsonix-schema-compiler-full.jar (shaded: commons-collections:commons-collections:3.2.1)

Note:
- jsonix upstream seems not to have released a new version >3.0.0 yet. The JSONIX project upstream is dead. As in, the guy behind the project died last year :( https://github.com/highsource/jsonix/issues/255

And for current security issues we have:
- the 2* jars we talk about here (high severity)
- the missing move from xmldom (dead under that name) to @xmldom/xmldom, which is the new upstream name (medium severity)

Also, checking another issue, it seems it is not possible to run with Java 10 (or 11); while you didn't raise this one, it will be the next issue over time. https://github.com/highsource/jsonix/issues/226
Steps To Reproduce:
- run npm audit
- run owasp-dependency-check, with "npm install" done before in the module
Proposed Solution:

JSONIX is used for generating Java model classes from the NEXO XSD schema, so it is needed only if the NEXO schema changes. A new alternative, or an active fork of JSONIX, needs to be used if the Java model classes need to be generated again.
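The two findings above (exact "=" pins in package.json, and a vulnerable package reachable only through a pinned dependency, so that "npm audit fix" cannot bump it) can be checked mechanically. The script below is an added example, not code from the Openbravo nexoprovider module or from this issue: it parses a package.json and a lockfileVersion 2 package-lock.json, lists exact pins, finds every dependency path from the project root to a named package, and reports which directly pinned dependencies block that package from being upgraded. Both input documents are constructed to mirror the report (the version numbers and the jsonix -> xmldom edge are illustrative assumptions, not the real module's lockfile), and "xmldom" and "sax" are used only as example targets.

```python
"""Added example (not part of the Openbravo issue or the nexoprovider module).

Finds exact version pins in package.json and dependency paths in a
package-lock.json (lockfileVersion 2 "packages" map), so a reviewer can see
which pinned direct dependency blocks an 'npm audit fix' of a transitive one.
"""
import json
import re
from collections import deque

# Constructed package.json: jsonix pinned with '=' as the report describes;
# versions are illustrative, not taken from the real module.
PACKAGE_JSON = json.loads("""
{
  "name": "nexoprovider-example",
  "dependencies": {
    "jsonix": "=3.0.0",
    "lodash": "^4.17.21",
    "xml2js": "0.4.23"
  }
}
""")

# Constructed package-lock.json ("packages" keys are folder paths, as npm writes them).
PACKAGE_LOCK = json.loads("""
{
  "lockfileVersion": 2,
  "packages": {
    "": {"dependencies": {"jsonix": "=3.0.0", "lodash": "^4.17.21", "xml2js": "0.4.23"}},
    "node_modules/jsonix": {"version": "3.0.0", "dependencies": {"xmldom": "~0.1.19"}},
    "node_modules/xmldom": {"version": "0.1.31"},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/xml2js": {"version": "0.4.23", "dependencies": {"sax": ">=0.6.0"}},
    "node_modules/sax": {"version": "1.2.4"}
  }
}
""")

# "1.2.3" and "=1.2.3" both mean an exact version in npm: no upgrade range at all.
EXACT_PIN = re.compile(r"^=?\d+\.\d+\.\d+$")


def exact_pins(package_json):
    """Return {name: range} for dependencies pinned to one exact version instead of a ^ range."""
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(package_json.get(section, {}))
    return {name: rng for name, rng in deps.items() if EXACT_PIN.match(rng.strip())}


def _resolve(packages, parent_key, name):
    """Locate the lockfile entry a parent's dependency resolves to.

    npm looks in the parent's own node_modules first, then walks up towards the
    root, so nested copies take precedence over hoisted ones.
    """
    base = parent_key
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def dependency_paths(lock, target):
    """Breadth-first search from the root; returns every path root -> ... -> target."""
    packages = lock["packages"]
    queue = deque([("", ["(root)"])])
    seen = set()
    found = []
    while queue:
        key, path = queue.popleft()
        if key in seen:
            continue
        seen.add(key)
        for dep in packages[key].get("dependencies", {}):
            child = _resolve(packages, key, dep)
            if child is None:
                continue  # optional/missing dependency: nothing installed
            label = f"{dep}@{packages[child]['version']}"
            if dep == target:
                found.append(path + [label])
            else:
                queue.append((child, path + [label]))
    return found


def blocking_pins(package_json, lock, target):
    """Direct dependencies that are exactly pinned and sit on a path to target.

    'npm audit fix' will not change these, so the target stays at its old
    version until a human loosens the pin or replaces the dependency.
    """
    pins = exact_pins(package_json)
    return sorted({path[1].split("@")[0] for path in dependency_paths(lock, target)
                   if path[1].split("@")[0] in pins})


if __name__ == "__main__":
    print("exact pins:", exact_pins(PACKAGE_JSON))
    for target in ("xmldom", "sax"):
        for path in dependency_paths(PACKAGE_LOCK, target):
            print(" -> ".join(path))
        print(f"{target} blocked by pins:", blocking_pins(PACKAGE_JSON, PACKAGE_LOCK, target))
```

Run it against a real module by replacing the two constructed documents with `json.load(open("package.json"))` and `json.load(open("package-lock.json"))`; the output names the pinned direct dependency (here jsonix) that has to be loosened or replaced before the transitive package can move, which is exactly the decision the proposed solution defers to the next schema change.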
Additional Information: (none)
Tags: No tags attached.
Relationships: related to 0049377
Attached Files: (none)

Issue History
Date Modified | Username | Field | Change
2022-06-20 17:49 | adrianromero | New Issue |
2022-06-20 17:49 | adrianromero | Assigned To | => adrianromero
2022-06-20 17:49 | adrianromero | Triggers an Emergency Pack | => No
2022-06-20 17:49 | adrianromero | Issue generated from | 0049377
2022-06-20 17:49 | adrianromero | Relationship added | related to 0049377

There are no notes attached to this issue.