[PR] Bump org.owasp:dependency-check-maven from 10.0.4 to 11.1.0 [cxf]
dependabot[bot] opened a new pull request, #2153: URL: https://github.com/apache/cxf/pull/2153

Bumps [org.owasp:dependency-check-maven](https://github.com/jeremylong/DependencyCheck) from 10.0.4 to 11.1.0.

Release notes
Sourced from org.owasp:dependency-check-maven's releases (https://github.com/jeremylong/DependencyCheck/releases).

Version 11.1.0
Refer to the CHANGELOG.md (https://github.com/jeremylong/DependencyCheck/blob/main/CHANGELOG.md#change-log) for information about improvements and upgrade notes.

Version 11.0.0
Refer to the CHANGELOG.md (https://github.com/jeremylong/DependencyCheck/blob/main/CHANGELOG.md#change-log) for information about improvements and upgrade notes.

Changelog
Sourced from org.owasp:dependency-check-maven's changelog (https://github.com/jeremylong/DependencyCheck/blob/main/CHANGELOG.md).

Version 11.1.0 (2024-10-30) - https://github.com/jeremylong/DependencyCheck/releases/tag/v11.1.0
- feat: PHP Composer Analyzer now scans packages-dev by default (#7114, https://redirect.github.com/jeremylong/DependencyCheck/issues/7114). Users can configure if packages-dev should be skipped.
- fix(regression): re-add h2 database driver name (#7115, https://redirect.github.com/jeremylong/DependencyCheck/issues/7115)
- fix(regression): Make the Downloader honour the proxy.nonproxyhosts ODC Setting (#7077, https://redirect.github.com/jeremylong/DependencyCheck/issues/7077)
- fix: do not set legacy proxy from maven or env (#7072, https://redirect.github.com/jeremylong/DependencyCheck/issues/7072) (#7074, https://redirect.github.com/jeremylong/DependencyCheck/issues/7074)
- docs: add missing documentation for the MS Build Analyzer (#7113, https://redirect.github.com/jeremylong/DependencyCheck/issues/7113)
- docs: Document the breaking change for Maven plugin as reporting plugin (#7079, https://redirect.github.com/jeremylong/DependencyCheck/issues/7079)
See the full listing of changes: https://github.com/jeremylong/DependencyCheck/milestone/89?closed=1

Version 11.0.0 (2024-10-21) - https://github.com/jeremylong/DependencyCheck/releases/tag/v11.0.0
- breaking change: Switch from JMockit to Mockito & build target to Java 11 (#6922, https://redirect.github.com/jeremylong/DependencyCheck/issues/6922). dependency-check now requires a minimum of Java 11.0 to run.
- breaking change: bump com.h2database:h2 from 2.1.214 to 2.3.232 (#6132, https://redirect.github.com/jeremylong/DependencyCheck/issues/6132). H2 databases generated with an older version of ODC will not work with ODC 11.0.0; a new H2 db must be generated.
- breaking change: Maven plugin updated to Doxia 2.x reporting stack. Users of the Maven plugin that configure it as a reporting plugin will need to use maven-site-plugin 3.20.0 or later (#6959, https://redirect.github.com/jeremylong/DependencyCheck/issues/6959).
- feat: Replace old Downloader by an Apache HTTPClient based downloader
- feat: Use Apache HTTPClient for downloads of public resources (#6949, https://redirect.github.com/jeremylong/DependencyCheck/issues/6949)
- feat: Also make NodeAuditSearch use our HTTPClient based connections
- feat: Also make OSSIndexAnalyzer use our HTTPClient based connections
- feat: Migrate CentralSearch to use Apache HTTP-client via Downloader
- feat: Extend apache HTTP-client usage to EngineVersionCheck
- feat: Remove the need to specify dbDriver for external databases using JDBCv4 ServiceLoader supporting JDBC drivers (#6938, https://redirect.github.com/jeremylong/DependencyCheck/issues/6938)
- fix: use latest generated suppressions (#7064, https://redirect.github.com/jeremylong/DependencyCheck/issues/7064)
- fix: Fixup parameter sequence for Downloader credentials (#7033, https://redirect.github.com/jeremylong/DependencyCheck/issues/7033)
- fix: Fixup the missing addition of NVD API Datafeed credentials (if configured)
- fix: Fixup broken proxy authentication in first attempt; extend to include KEV downloads
- fix: store timestamps locally for local resources (#6936, https://redirect.github.com/jeremylong/DependencyCheck/issues/6936)
- build: Remove the animal-sniffer, propagate java version to plugin-archetype (#6950, https://redirect.github.com/jeremylong/DependencyCheck/issues/6950)
- build: Update Checkstyle configuration and Suppression DTD references (#6951, https://redirect.github.com/jeremylong/DependencyCheck/issues/6951)
- chore: Update test db schema (#7036, https://redirect.github.com/jeremylong/DependencyCheck/issues/7036)
- chore: remove old, unneeded database upgrade script
- docs: reformat javadoc (#7009, https://redirect.github.com/jeremylong/DependencyCheck/issues/7009)
- docs: Fixup javadoc warnings (#6995, https://redirect.github.com/jeremylong/DependencyCheck/issues/6995)
- chore: Replace use of several deprecated methods/classes by their
[PR] Bump github/codeql-action from 3.27.1 to 3.27.4 [cxf]
dependabot[bot] opened a new pull request, #2154: URL: https://github.com/apache/cxf/pull/2154

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.1 to 3.27.4.

Release notes
Sourced from github/codeql-action's releases (https://github.com/github/codeql-action/releases).

CodeQL Action Changelog
See the releases page (https://github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

v3.27.4
3.27.4 - 14 Nov 2024
- No user facing changes.
See the full CHANGELOG.md (https://github.com/github/codeql-action/blob/v3.27.4/CHANGELOG.md) for more information.

v3.27.3
3.27.3 - 12 Nov 2024
- No user facing changes.
See the full CHANGELOG.md (https://github.com/github/codeql-action/blob/v3.27.3/CHANGELOG.md) for more information.

v3.27.2
3.27.2 - 12 Nov 2024
- Fixed an issue where setting up the CodeQL tools would sometimes fail with the message "Invalid value 'undefined' for header 'authorization'". (#2590, https://redirect.github.com/github/codeql-action/pull/2590)
See the full CHANGELOG.md (https://github.com/github/codeql-action/blob/v3.27.2/CHANGELOG.md) for more information.

Changelog
Sourced from github/codeql-action's changelog (https://github.com/github/codeql-action/blob/main/CHANGELOG.md).

[UNRELEASED]
- No user facing changes.

3.27.4 - 14 Nov 2024
- No user facing changes.

3.27.3 - 12 Nov 2024
- No user facing changes.

3.27.2 - 12 Nov 2024
- Fixed an issue where setting up the CodeQL tools would sometimes fail with the message "Invalid value 'undefined' for header 'authorization'". (#2590, https://redirect.github.com/github/codeql-action/pull/2590)

3.27.1 - 08 Nov 2024
- The CodeQL Action now downloads bundles compressed using Zstandard on GitHub Enterprise Server when using Linux or macOS runners. This speeds up the installation of the CodeQL tools. This feature is already available to GitHub.com users. (#2573, https://redirect.github.com/github/codeql-action/pull/2573)
- Update default CodeQL bundle version to 2.19.3. (#2576, https://redirect.github.com/github/codeql-action/pull/2576)

3.27.0 - 22 Oct 2024
- Bump the minimum CodeQL bundle version to 2.14.6. (#2549, https://redirect.github.com/github/codeql-action/pull/2549)
- Fix an issue where the upload-sarif Action would fail with "upload-sarif post-action step failed: Input required and not supplied: token" when called in a composite Action that had a different set of inputs to the ones expected by the upload-sarif Action. (#2557, https://redirect.github.com/github/codeql-action/pull/2557)
- Update default CodeQL bund
Re: CXF JAX-RS: working with multipart form-data
Hi Jean,

So I have been able to spend some time on the issue and it seems like you might not be using the client properly (hence getting the exceptions), just a hypothesis. Here I have crafted a version of the API:

    @POST
    @Path("/multipart")
    @Consumes("multipart/form-data")
    @Produces("text/xml")
    public Response addParts(@Multipart(value = "messageToSend", type = "application/xml") MessageToSend messageToSend,
                             @Multipart("upfile1Detail") Attachment a1,
                             @Multipart("upfile2Detail") Attachment a2,
                             @Multipart("upfile3Detail") Attachment a3) {
        ...
    }

And the client invocation sequence:

    final Client client = ClientBuilder.newClient();
    final MultipartBody builder = new MultipartBody(Arrays.asList(
        new AttachmentBuilder()
            .mediaType("application/xml")
            .id("messageToSend")
            .object(new MessageToSend())
            .build(),
        new AttachmentBuilder()
            .id("upfile1Detail")
            .dataHandler(new DataHandler(new InputStreamDataSource(
                getClass().getResourceAsStream("/org/apache/cxf/systest/jaxrs/resources/attachmentData"), "text/xml")))
            .contentDisposition(new ContentDisposition("form-data; name=\"field1\";"))
            .build(),
        new AttachmentBuilder()
            .id("upfile2Detail")
            .dataHandler(new DataHandler(new InputStreamDataSource(new ByteArrayInputStream(new byte[0]), "text/xml")))
            .contentDisposition(new ContentDisposition("form-data; name=\"field2\";"))
            .build(),
        new AttachmentBuilder()
            .id("upfile3Detail")
            .dataHandler(new DataHandler(new InputStreamDataSource(new ByteArrayInputStream(new byte[0]), "text/xml")))
            .contentDisposition(new ContentDisposition("form-data; name=\"field3\";"))
            .build()));
    final Response response = client
        .target(address)
        .request("text/xml")
        .post(Entity.entity(builder, "multipart/form-data"));

It works perfectly when the unified Attachment body part is used. I also crafted the test case over here [1], to help you out to get it working, or point out to me if there is a gap here that I missed. Thank you.
[1] https://github.com/apache/cxf/pull/2152

Best Regards,
Andriy Redko

> Hi Andriy,
>
> The option to use a List or a MultipartBody does work, I've testcases to confirm this.
> But it somehow breaks the original spec since, trying to do a round trip (code->spec), the spec generated from the code (based on annotations) no longer reflects the input spec.
> What I find unexpected is that for multipart bodies all input parameters are attempted to be wrapped into Attachment objects (cf. method org.apache.cxf.jaxrs.client.ClientProxyImpl#handleMultipart(MultivaluedMap map, OperationResourceInfo ori, Object[] params)).
> So why doesn't the stack allow mixing request body parameters that are either @Multipart annotated or are Attachment itself?
> Now you can't mix them since org.apache.cxf.jaxrs.client.ClientProxyImpl#getParametersInfo(Method m, Object[] params, OperationResourceInfo ori) will fail with error "SINGLE_BODY_ONLY". It wouldn't be hard to support the mixture of both, or even an @Multipart annotated Attachment parameter (you could just combine what is specified in the annotation with what is already present in the Attachment, giving priority to one of both in case of overlapping parameters).
> Further, if 'Content-Disposition' is obligatory (at least by the OpenAPI spec, however I don't know whether this is the industry reference), why doesn't the @Multipart annotation allow specifying it? Why, instead of setting the header Content-ID=, isn't the header Content-Disposition=form-data; name="value" set when wrapping a @Multipart annotated object into an Attachment object?
> Strangely I don't even find a reference to the header Content-ID in https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers.
> It is described in https://www.rfc-editor.org/rfc/rfc2045#section-7 and https://www.rfc-editor.org/rfc/rfc2392.txt and should have the form 'url-addr-spec according to RFC822' enclosed within '<>', and it is used to reference a multipart body part in another part of the message. This doesn't seem to be the context in which it is used in JAX-RS messages; further, the url-addr-spec actually tells me there should be an '@' sign in the value of the Content-ID header, which is surely not the case in all examples I've seen so far. So why is CXF even using Content-ID?
>
> Regards,
> J.P.
>
> -----Original message-----
> From: Andriy Redko
> Sent: Friday, 15 November 2024 21:02
> To: Jean Pierre URKENS ; dev@cxf.apache.org
> Subject: Re: CXF JAX-RS: working with multipart form-d
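The reply above shows the client side of a CXF multipart/form-data exchange and the thread turns on which header identifies a part (Content-ID versus the form-data name in Content-Disposition). The following is an added example, not code from this thread, from Andriy's test case or from the CXF code base: a resource that consumes the whole MultipartBody and validates each part before reading it (allow-listed part names, one expected media type per part, a per-part byte cap enforced on the bytes actually read), and a client helper that gives every part both a Content-ID and a form-data Content-Disposition so it is accepted whichever one the server keys on. UploadResource, the /upload path, the field names, the XML payloads and the 1 MiB limit are assumptions; the jakarta.* packages apply to CXF 4.x (CXF 3.x uses javax.ws.rs and javax.activation).

```java
// Added example (not from the CXF thread or the CXF sources). Assumed names:
// UploadResource, /upload, the field names, the payloads and the size limit.
// CXF 4.x: jakarta.*; CXF 3.x: replace with javax.ws.rs / javax.activation.
import jakarta.activation.DataHandler;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.client.Client;
import jakarta.ws.rs.client.ClientBuilder;
import jakarta.ws.rs.client.Entity;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;
import org.apache.cxf.jaxrs.ext.multipart.Attachment;
import org.apache.cxf.jaxrs.ext.multipart.AttachmentBuilder;
import org.apache.cxf.jaxrs.ext.multipart.ContentDisposition;
import org.apache.cxf.jaxrs.ext.multipart.InputStreamDataSource;
import org.apache.cxf.jaxrs.ext.multipart.MultipartBody;

@Path("/upload")
public class UploadResource {

    // Form-data field name -> the only media type accepted for that field (assumed).
    private static final Map<String, String> ALLOWED_PARTS = Map.of(
        "messageToSend", "application/xml",
        "upfile1Detail", "text/xml");

    // Per-part cap (assumed), enforced on the bytes read, not on any declared length.
    private static final int MAX_PART_BYTES = 1024 * 1024;

    @POST
    @Consumes("multipart/form-data")
    public Response upload(MultipartBody body) throws IOException {
        for (Attachment part : body.getAllAttachments()) {
            String field = fieldName(part);
            // Map.of() rejects null keys, so guard before the lookup.
            String expected = field == null ? null : ALLOWED_PARTS.get(field);
            if (expected == null) {
                // Unknown or unnamed part: reject instead of silently ignoring it.
                throw new WebApplicationException("unexpected part: " + field, 400);
            }
            MediaType type = part.getContentType();
            if (!expected.equalsIgnoreCase(type.getType() + "/" + type.getSubtype())) {
                throw new WebApplicationException("wrong media type for " + field, 415);
            }
            byte[] data = readBounded(part.getDataHandler().getInputStream(), MAX_PART_BYTES);
            // ... hand `data` to the real handler for this field ...
        }
        return Response.ok().build();
    }

    // Key parts by the form-data name; fall back to Content-ID, which is the header
    // CXF sets when it wraps an @Multipart-annotated object into an Attachment.
    static String fieldName(Attachment part) {
        ContentDisposition cd = part.getContentDisposition();
        if (cd != null && cd.getParameter("name") != null) {
            return cd.getParameter("name");
        }
        return part.getContentId();
    }

    // Reads at most max bytes; the extra byte is requested only to detect overflow.
    static byte[] readBounded(InputStream in, int max) throws IOException {
        byte[] buf = in.readNBytes(max + 1);
        if (buf.length > max) {
            throw new WebApplicationException("part larger than " + max + " bytes", 413);
        }
        return buf;
    }

    // Client side: each part carries both a Content-ID and a form-data Content-Disposition.
    public static Response send(String address) {
        Client client = ClientBuilder.newClient();
        MultipartBody body = new MultipartBody(List.of(
            part("messageToSend", "application/xml", "<msg>hello</msg>"),
            part("upfile1Detail", "text/xml", "<file/>")));
        return client.target(address)
            .request("text/xml")
            .post(Entity.entity(body, "multipart/form-data"));
    }

    static Attachment part(String name, String mediaType, String content) {
        return new AttachmentBuilder()
            .id(name)
            .mediaType(mediaType)
            .dataHandler(new DataHandler(new InputStreamDataSource(
                new ByteArrayInputStream(content.getBytes(StandardCharsets.UTF_8)), mediaType)))
            .contentDisposition(new ContentDisposition("form-data; name=\"" + name + "\""))
            .build();
    }
}
```

Taking MultipartBody instead of @Multipart-annotated parameters is what lets the resource see and reject parts it did not ask for; with per-parameter @Multipart binding, extra parts are simply never looked at. The in-code byte cap is a per-field check on top of CXF's own endpoint-level limit (the attachment-max-size property, which bounds every attachment at the deserializer before the resource method runs); set that too, since it stops oversized parts before they are buffered.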