[jira] [Updated] (OFBIZ-10213) Update build.gradle to the latest dependencies


Jacques Le Roux (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-10213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-10213:
------------------------------------
    Description:
h2. This is an umbrella task for action tasks.

We want to check from time to time if we need to update the dependencies.

It's easily done with the [gradle-versions-plugin |https://github.com/ben-manes/gradle-versions-plugin] which analyzes the dependencies and checks if there are newer versions available.

Running the check with
{code:java}
gradlew -PenableDependencyUpdates dependencyUpdates -Drevision=release
{code}
We get a list of dependencies to update.

We have problems with a number of libs. We keep comments in the main build.gradle for special updating issues. For ease of use, you may also refer to and update the list of libs that can't be updated to their latest version. You may try newer versions than those below, but most of the time it does not work either.

at.bxm.svntools:at.bxm.svntools.gradle.plugin [2.2.1 -> 3.0]
 com.lowagie:itext [2.1.7 -> 4.2.2]
 org.apache.derby:derby [10.14.2.0 -> 10.15.2.0]
 org.apache.sshd:sshd-core [1.7.0 -> 2.4.0]
 org.apache.tomcat:tomcat-catalina-ha [9.0.34 -> 10.0.0-M3]
 org.apache.tomcat:tomcat-jasper [9.0.34 -> 10.0.0-M3]
 org.apache.tomcat.embed:tomcat-embed-websocket [9.0.34 -> 10.0.0-M3]
 org.apache.xmlgraphics:fop [2.3 -> 2.4]
 org.codehaus.groovy:groovy-all [2.5.8 -> 3.0.3]
 org.jasig.cas:cas-server-core [3.3.5 -> 4.2.7]
 org.apache.shiro:shiro-core [1.4.1 -> 1.5.3]

I tried to update Solr and Lucene to 8.7.0 but crossed issues (compilation and Eclipse classpath)

Same for Jersey with 3.0.0 version

Also be sure to check the main build.gradle. Some Java classes need internal versions update too:

SearchWorker
 FreeMarkerWorker

Also Solr and Lucene should use the same version; luceneMatchVersion should be updated in solrconfig.xml

Beware that this may not be as up to date as in the main build.gradle file.

  was:
We want to check from time to time if we need to update the dependencies.

It's easily done with the [gradle-versions-plugin |https://github.com/ben-manes/gradle-versions-plugin] which analyzes the dependencies and checks if there are newer versions available.

Running the check with
{code:java}
gradlew -PenableDependencyUpdates dependencyUpdates -Drevision=release
{code}

We get a list of dependencies to update. This is an umbrella task for action tasks.

It's then good to run OWASP dependency check to get a report about the security situation. Note though that all dependent libraries (i.e. also dependencies from the libraries OFBiz uses, and recursively) are loaded by Gradle and analysed by the OWASP Dependency Check plugin. So it's materially impossible to check all the possible vulnerabilities. You can refer to this wiki page: [About OWASP Dependency Check|https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check].

We have problems with a number of libs. We keep comments in the main build.gradle for special updating issues. For ease of use, you may also refer to "Libs that can't be updated in their last version section" in [About OWASP Dependency Check|https://cwiki.apache.org/confluence/display/OFBIZ/About+OWASP+Dependency+Check] wiki page. Beware that this may not be as up to date as in the main build.gradle file.



> Update build.gradle to the latest dependencies
> ----------------------------------------------
>
>                 Key: OFBIZ-10213
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10213
>             Project: OFBiz
>          Issue Type: Task
>          Components: Gradle
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Trivial
>         Attachments: OFBIZ-10213.patch, OFBIZ-10213.patch, OFBIZ-10213.patch
>
>
> h2. This is an umbrella task for action tasks.
> We want to check from time to time if we need to update the dependencies.
> It's easily done with the [gradle-versions-plugin |https://github.com/ben-manes/gradle-versions-plugin] which analyzes the dependencies and checks if there are newer versions available.
> Running the check with
> {code:java}
> gradlew -PenableDependencyUpdates dependencyUpdates -Drevision=release
> {code}
> We get a list of dependencies to update.
> We have problems with a number of libs. We keep comments in the main build.gradle for special updating issues. For ease of use, you may also refer to and update the list of libs that can't be updated to their latest version. You may try newer versions than those below, but most of the time it does not work either.
> at.bxm.svntools:at.bxm.svntools.gradle.plugin [2.2.1 -> 3.0]
>  com.lowagie:itext [2.1.7 -> 4.2.2]
>  org.apache.derby:derby [10.14.2.0 -> 10.15.2.0]
>  org.apache.sshd:sshd-core [1.7.0 -> 2.4.0]
>  org.apache.tomcat:tomcat-catalina-ha [9.0.34 -> 10.0.0-M3]
>  org.apache.tomcat:tomcat-jasper [9.0.34 -> 10.0.0-M3]
>  org.apache.tomcat.embed:tomcat-embed-websocket [9.0.34 -> 10.0.0-M3]
>  org.apache.xmlgraphics:fop [2.3 -> 2.4]
>  org.codehaus.groovy:groovy-all [2.5.8 -> 3.0.3]
>  org.jasig.cas:cas-server-core [3.3.5 -> 4.2.7]
>  org.apache.shiro:shiro-core [1.4.1 -> 1.5.3]
> I tried to update Solr and Lucene to 8.7.0 but crossed issues (compilation and Eclipse classpath)
> Same for Jersey with 3.0.0 version
> Also be sure to check the main build.gradle. Some Java classes need internal versions update too:
> SearchWorker
>  FreeMarkerWorker
> Also Solr and Lucene should use the same version; luceneMatchVersion should be updated in solrconfig.xml
> Beware that this may not be as up to date as in the main build.gradle file.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
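
The held-back list in the description uses the layout `group:artifact [current -> available]`. As an added example (not from the issue or the OFBiz code base), this Python parses such lines, names the size of each version jump and flags targets that are pre-release builds such as 10.0.0-M3. The function names and the pre-release qualifier pattern are assumptions of this example.

```python
import re
from itertools import zip_longest

# Lines copied from the held-back list in the issue description above.
HELD_BACK = """\
at.bxm.svntools:at.bxm.svntools.gradle.plugin [2.2.1 -> 3.0]
 com.lowagie:itext [2.1.7 -> 4.2.2]
 org.apache.derby:derby [10.14.2.0 -> 10.15.2.0]
 org.apache.tomcat:tomcat-jasper [9.0.34 -> 10.0.0-M3]
 org.apache.xmlgraphics:fop [2.3 -> 2.4]
 org.apache.shiro:shiro-core [1.4.1 -> 1.5.3]
"""

# "group:artifact [current -> available]", optionally behind a "> " quote marker.
LINE = re.compile(r"^\s*(?:>\s*)?([\w.\-]+):([\w.\-]+)\s+\[(\S+)\s+->\s+(\S+)\]\s*$")
# Assumption: qualifiers that mark a non-final build (M3, RC1, alpha, beta, SNAPSHOT).
PRERELEASE = re.compile(r"[.\-](m\d+|rc\d*|alpha\d*|beta\d*|snapshot)$", re.I)


def numeric_parts(version):
    """Leading dotted integers of a version: '10.0.0-M3' -> (10, 0, 0)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def classify(current, available):
    """Name the first version component that differs: major, minor or patch."""
    cur, new = numeric_parts(current), numeric_parts(available)
    for index, (a, b) in enumerate(zip_longest(cur, new, fillvalue=0)):
        if a != b:
            return ("major", "minor")[index] if index < 2 else "patch"
    return "same"


def triage(report):
    """Parse report lines into (module, current, available, jump, prerelease)."""
    rows = []
    for line in report.splitlines():
        m = LINE.match(line)
        if m:
            group, artifact, current, available = m.groups()
            rows.append((f"{group}:{artifact}", current, available,
                         classify(current, available),
                         bool(PRERELEASE.search(available))))
    return rows


if __name__ == "__main__":
    for module, current, available, jump, pre in triage(HELD_BACK):
        print(f"{jump:5} {module} {current} -> {available}" + (" [pre-release]" if pre else ""))
```
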