ID: 0049609
Type: design defect
Category: [Retail Modules] Nexo Implementation
Severity: major
Reproducibility: have not tried
Date Submitted: 2022-06-20 17:49
Last Update: 2022-06-20 17:49
Reporter: adrianromero
View Status: public
Assigned To: adrianromero
Priority: normal
Resolution: open
Status: new
Projection: none
ETA: none
OS: Any
Database: Any
Triggers an Emergency Pack: No
Summary: 0049609: nexoprovider module package.json versions should be reviewed because of jsonix dependency
Description:

That should be reviewed, and unless a special reason exists the more typical ^ semver should be used instead of =.

b.1) npm audit issues (easy): run "npm audit fix"
b.2) npm audit issues: xmldom - avoiding old versions is still not possible, as it is depended upon by jsonix@3.0.0
c.) jsonix@3.0.0 contains jsonix-schema-compiler-full.jar, which includes other outdated libraries:
- jsonix-schema-compiler-full.jar (shaded: commons-beanutils:commons-beanutils:1.9.2)
- jsonix-schema-compiler-full.jar (shaded: commons-collections:commons-collections:3.2.1)

Note:
- jsonix upstream does not seem to have released a new version >3.0.0 yet

The JSONIX project upstream is dead. As in, the guy behind the project died last year :( https://github.com/highsource/jsonix/issues/255

And for current security issues we have:
- the 2 jars we talk about here (high severity)
- missing the move from xmldom (dead under that name) to @xmldom/xmldom, which is the new upstream name (medium severity)

Also, checking another issue seems to say it is not possible to run java10 (or 11); while you didn't raise this one, it will be the next issue over time. https://github.com/highsource/jsonix/issues/226
Steps To Reproduce:
- run npm audit
- run owasp-dependency-check, with "npm install" done before in the module
Proposed Solution: JSONIX is used for generating Java model classes from the NEXO xsd schema, so it is needed only if the NEXO schema changes. A new alternative, or an active fork of JSONIX, needs to be used if the Java model classes need to be generated again.
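As an added example (not part of this issue or of the nexoprovider module), a small Python checker for the two review points the report makes: exact-pinned version specs versus ^ ranges, and dependencies the report names as renamed (xmldom to @xmldom/xmldom) or unmaintained (jsonix). The sample manifest is constructed and is not the module's real package.json.

```python
import json
import re

# Specs that pin one exact version ("=3.0.0" or "3.0.0"), as opposed to
# the more typical caret range the report recommends.
EXACT_PIN = re.compile(r"^=?\s*\d+\.\d+\.\d+$")

# Packages the report names as renamed or unmaintained upstream.
RENAMED = {"xmldom": "@xmldom/xmldom"}
UNMAINTAINED = {"jsonix"}


def review_dependencies(package_json_text):
    """Return (package, spec, finding) tuples for a package.json document."""
    manifest = json.loads(package_json_text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if name in RENAMED:
                findings.append((name, spec, "renamed upstream; use %s" % RENAMED[name]))
            if name in UNMAINTAINED:
                findings.append((name, spec, "unmaintained upstream; needs a fork or replacement"))
            if EXACT_PIN.match(spec.strip()):
                findings.append((name, spec, "exact pin; prefer a ^ range unless required"))
    return findings


# Constructed sample manifest (hypothetical name and versions).
SAMPLE = """{
  "name": "nexoprovider-sample",
  "dependencies": {
    "jsonix": "=3.0.0",
    "xmldom": "0.1.27",
    "lodash": "^4.17.21"
  }
}"""

if __name__ == "__main__":
    for name, spec, finding in review_dependencies(SAMPLE):
        print("%s %s: %s" % (name, spec, finding))
```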
Tags: No tags attached.
Issue History

Date Modified | Username | Field | Change
2022-06-20 17:49 | adrianromero | New Issue |
2022-06-20 17:49 | adrianromero | Assigned To | => adrianromero
2022-06-20 17:49 | adrianromero | Triggers an Emergency Pack | => No
2022-06-20 17:49 | adrianromero | Issue generated from | 0049377
2022-06-20 17:49 | adrianromero | Relationship added | related to 0049377