Testcases for plugins #517

Open
lapnd opened this issue Apr 21, 2022 · 2 comments

lapnd commented Apr 21, 2022

Hi,
Currently, the plugins use some lib that is out of date and has direct vulnerabilities, such as https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.9.9.3
I would like to update this library, for example. The build is successful with the latest lib (e.g. https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.13.2.2) but I'm not sure if this change will affect the plugin.

Do we have a set of test cases to run to verify the plugin for such kind of change?

Thank you!

ilg-ul commented Apr 21, 2022

> ... jackson-databind/2.13.2.2

Hi @lapnd, thank you for notifying such vulnerabilities.

@jonahgraham, what is the current procedure to update the dependencies, hopefully without having to get approval from the legal team? Can we go up to this latest version? In the latest Orbit I see only 2.12.1.

> Do we have a set of test cases to run to verify the plugin for such kind of change?

Unfortunately not, we have to test the plug-ins manually.

ilg-ul self-assigned this Apr 21, 2022

jonahgraham commented

> ... jackson-databind/2.13.2.2
>
> Hi @lapnd, thank you for notifying such vulnerabilities.
>
> @jonahgraham, what is the current procedure to update the dependencies, hopefully without having to get approval from the legal team? Can we go up to this latest version? In the latest Orbit I see only 2.12.1.

Getting a new version into Orbit should be easy enough - I can help do that, or even better we can make the updates so that we can consume content directly from Maven Central. The latter has benefits long term, but more effort now.

However there is still the issue of https://github.com/eclipse-embed-cdt/eclipse-plugins/blob/master/plugins/org.eclipse.embedcdt.core/lib/jackson-databind-2.9.9.3.jar being in this repo, so some refactoring is needed to make sure we are pulling this from an external bundle and to remove this jar from embedcdt. We could update the embedded jar, but that would be less ideal.

@lapnd I can help guide you through this process / review the changes. Have you already started work in this area?
