prepare 6.0.2 release (#291)

* avoid creating List iterators during evaluations

* remove unnecessary copy

* update data model for U2C schema changes, without using contexts yet

* more model updates + tests

* update benchmark code

* more model updates

* use LDContext in Evaluator; add per-kind targets logic

* rm redundant test

* skip inapplicable contract tests

* implement new context kind logic for clauses

* implement new context kind logic for rollouts

* skip inapplicable contract tests

* add context kind logic for regular segments and big segments

* allow segments to reference other segments

* guard against prerequisite cycles

* implement event context redaction logic

* misc fixes

* implement the rest of U2C event logic

* misc fixes

* fix benchmarks

* add contextKinds to summary + misc fixes

* events schema 4

* update client API to use contexts; enable v2 contract tests

* misc fixes

* javadoc & test app fixes

* javadoc fix

* javadoc fix

* unskip some tests since the behavior was fixed in java-sdk-common

* bad attribute in clause should be reported as an error

* update TestData to be context-aware

* misc fixes + javadoc

* fix allFlagsState to not generate prereq eval events

* factor context deduplication logic out of DefaultEventProcessor

* fix JSON serialization test

* refactor diagnostic events logic to abstract out server-side-specific info

* separate inner events implementation from public interface, don't expose event types

* fix benchmarks

* fix benchmarks

* rm unused

* rm unused

* separate Java-SDK-specific HTTP functionality from events logic

* fix tests

* don't close the underlying Writer when we stop using the JsonWriter

* rm unused

* remove references to Java 8 types and Guava from shared event/HTTP code

* fix benchmarks

* also try not to use java.time.Duration in the event tests

* also avoid using lambdas in event test code

* move shared code into internal packages before splitting it off

* add "...ForAll" TestData methods to replace "...ForAllUsers"

* replace all component factory interfaces with a single generic one

* change HttpConfiguration and LoggingConfiguration to concrete classes

* bump okhttp & okhttp-eventsource dependencies

* update comment to clarify that level() doesn't apply to SLF4J

* update readme to mention different logging examples in hello-java

* switch to use snapshot build of java-logging, pending next release

* level setting does not apply to SLF4J and JUL

* use java-logging 1.1.0 release

* make sure META-INF files are never mistaken for classes and relocated

* update shared data store test logic to pass ClientContext with logger

* enable external javadoc links for com.launchdarkly.logging types

* use variable for dependency version

* remove another Guava usage

* make events test code independent of server-side data model

* fix flaky big segment status polling tests

* fix benchmark code

* update benchmarks

* javadoc formatting

* javadocs

* undo accidental reversion

* remove some more stray references to java-server-sdk test helper code

* more efficient equals() and hashCode() for Operator

* method can be static

* clarify comment

* typo

* remove event logic, migrate to using java-sdk-internal

* adjust for API change

* use constant

* fix packaging tests

* remove inapplicable benchmarks

* add error message if makefile can't run

* force result to be "not in experiment" if bucketing calculation failed due to context kind not found

* use newer HTTP/TCP test helpers

* Update Windows orb, fix Windows JDK install in CI (#372)

* update snakeyaml for CVE-CVE-2022-25857

* latest snakeyaml is 1.31

* bump snakeyaml version for CVE-2022-38752

* disable Windows Java 11 build

* minor test updates for java-sdk-internal API changes

* fix packaging of com.launchdarkly.logging classes

* rm debugging

* reconsidered - let's include the logging classes in the jars

* fix packaging test logic

* correct documentation

* remove secondary meta-attribute

* rm obsolete references to UserAttribute

* support passing LDUser instead of LDContext in all SDK methods (#379)

* support passing LDUser instead of LDContext in all SDK methods

* actually we should use default methods

* rm unused

* enable test capability for user type

* update java-sdk-common dependency

* use okhttp-eventsource 3.0.0-SNAPSHOT

* use non-snapshot okhttp-eventsource

* include nested segment references in dependency update checks

* use java-sdk-internal 1.0.0

* remove SLF4J dependency, remove "all" jar, simplify build (#381)

* don't generate evaluation events for invalid context

* use synchronous EventSource

* comments

* revise implementation of special HTTP configurations test

* make sure we set readTimeout last

* use okhttp-eventsource 4.0.0

* use newer HTTP test helpers (#385)

* use synchronous EventSource (5.x backport)

* update Gradle to 7.6 + fix snapshot releases

* fix #288 (#289)

* add unit test for externally-contributed YAML security fix

* backport YAML CVE fix from 6.x

* prepare 5.10.5 release (#290)

* update CI and Gradle to test with newer JDKs (#259)

* update okhttp to 3.14.9 (fixes incompatibility with OpenJDK 8.0.252)

* prepare 4.14.2 release (#205)

* Releasing version 4.14.2

* update okhttp to 4.8.1 (fixes incompatibility with OpenJDK 8.0.252)

* gitignore

* Bump SnakeYAML from 1.19 to 1.26 to address CVE-2017-18640

* prepare 4.14.3 release (#209)

* Releasing version 4.14.3

* comments

* only log initialization message once in polling mode

* [ch89935] Correct some logging call format strings (#264)

Also adds debug logs for full exception information in a couple locations.

* [ch90109] Remove outdated trackMetric comment from before service support. (#265)

* Fix compatibility with Java 7.

* Remove import that is no longer used.

* add Java 7 build (#267)

* prepare 4.14.4 release (#214)

* Releasing version 4.14.4

* add and use getSocketFactory

* alignment

* add socketFactory to builder

* test socket factory builder

* preserve dummy CI config file when pushing to gh-pages (#271)

* fix concatenation when base URI has a context path (#270)

* fix shaded jar builds to exclude Jackson classes and not modify Jackson return types (#268)

* add test httpClientCanUseCustomSocketFactory for DefaultFeatureRequestor

* add httpClientCanUseCustomSocketFactory() test for DefaultEventSenderTest

* add httpClientCanUseCustomSocketFactory() test to StreamProcessorTest

* pass URI to in customSocketFactory event test

* make test less ambiguous

* copy rules to new FlagBuilder instances (#273)

* Bump guava version (#274)

* Removed the guides link

* increment versions when loading file data, so FlagTracker will work (#275)

* increment versions when loading file data, so FlagTracker will work

* update doc comment about flag change events with file data

* add ability to ignore duplicate keys in file data (#276)

* add alias events (#278)

* add alias events and function
* update tests for new functionality
* update javadoc strings

* add validation of javadoc build to CI

* update commons-codec to 1.15 (#279)

* Add support for experiment rollouts

* add tests and use seed for allocating user to partition

* test serialization and add check for isExperiment

* fix PollingProcessorTest test race condition + other test issues (#282)

* use launchdarkly-java-sdk-common 1.1.0-alpha-expalloc.2

* Update src/test/java/com/launchdarkly/sdk/server/EvaluatorTest.java

Co-authored-by: Sam Stokes <[email protected]>

* Update src/test/java/com/launchdarkly/sdk/server/EvaluatorTest.java

Co-authored-by: Sam Stokes <[email protected]>

* Update src/test/java/com/launchdarkly/sdk/server/EvaluatorTest.java

Co-authored-by: Sam Stokes <[email protected]>

* Update src/test/java/com/launchdarkly/sdk/server/EvaluatorTest.java

Co-authored-by: Sam Stokes <[email protected]>

* changes per code review comments

* Please enter the commit message for your changes. Lines starting

* fix null pointer exception

* address code review comments

* address more comments

* missed a ! for isUntracked()

* fix default boolean for json

* make untracked FALSE by default

* refactoring of bucketing logic to remove the need for an extra result object (#283)

* add comment to enum

* various JSON fixes, update common-sdk (#284)

* simlpify the logic and make it match node/.Net sdks

* Update src/main/java/com/launchdarkly/sdk/server/EventFactory.java

Co-authored-by: Sam Stokes <[email protected]>

* add the same comment as the Node SDK

* Remove outdated/meaningless doc comment. (#286)

* protect against NPEs if flag/segment JSON contains a null value

* use java-sdk-common 1.2.0

* fix Jackson-related build issues (again) (#288)

* update to okhttp-eventsource patch for stream retry bug, improve tests (#289)

* update to okhttp-eventsource patch for stream retry bug, improve test

* add test for appropriate stream retry

* add public builder for FeatureFlagsState (#290)

* add public builder for FeatureFlagsState

* javadoc fixes

* clarify FileData doc comment to say you shouldn't use offline mode (#291)

* improve validation of SDK key so we won't throw an exception that contains the key (#293)

* fix javadoc link in FileData comment (#294)

* fix PollingProcessor 401 behavior and use new HTTP test helpers (#292)

* re-fix metadata to remove Jackson dependencies, also remove Class-Path from manifest (#295)

* make FeatureFlagsState.Builder.build() public (#297)

* clean up tests using java-test-helpers 1.1.0 (#296)

* use Releaser v2 config + newer CI images (#298)

* [ch123129] Fix `PollingDataSourceBuilder` example. (#299)

* Updates docs URLs

* always use US locale when parsing HTTP dates

* use Gson 2.8.9

* don't try to send more diagnostic events after an unrecoverable HTTP error

* ensure module-info file isn't copied into our jars during build

* use Gradle 7

* update build for benchmarks

* more Gradle 7 compatibility changes for benchmark job

* test with Java 17 in CI (#307)

* test with Java 17 in CI

* also test in Java 17 for Windows

* fix choco install command

* do date comparisons as absolute times, regardless of time zone (#310)

* fix suppression of nulls in JSON representations (#311)

* fix suppression of nulls in JSON representations

* distinguish between situations where we do or do not want to suppress nulls

* fix identify/track null user key check, also don't create index event for alias

* use latest java-sdk-common

* fix setting of trackEvents/trackReason in allFlagsState data when there's an experiment

* implement contract tests (#314)

* Merge Big Segments feature branch for 5.7.0 release (#316)

Includes Big Segments implementation and contract test support for the new behavior.

* Fix for pom including SDK common library as a dependency. (#317)

* use new logging API

* update readme notes about logging

* set base logger name for SDK per test

* comment

* javadoc fixes

* revert accidental commit

* Upload JUnit XML to CircleCI on failure (#320)

Fix a bug in the CircleCI config that was only uploading JUnit XML on _success_, not failure.

* Add application tag support (#319)

* Enforce 64 character limit on application tag values (#323)

* fix "wrong type" logic in evaluations when default value is null

* Rename master to main in .ldrelease/config.yml (#325)

* Simpler way of setting base URIs in Java (#322)

Now supports the `ServiceEndpoints` config for setting custom URIs for endpoints in a single place

* update logging info in readme

* use 1.0.0 release of logging package

* misc cleanup

* remove unnecessary extra interfaces, just use default methods instead

* make BigSegmentStoreWrapper.pollingDetectsStaleStatus test less timing-sensitive

* make LDEndToEndClientTest.test____SpecialHttpConfigurations less timing-sensitive

* make data source status tests less timing-sensitive

* use streaming JSON parsing for incoming LD data

* fix tests

* rm unused

* rm unused

* use okhttp-eventsource 2.6.0

* update eventsource to 2.6.1 to fix pom/manifest problem

* increase efficiency of summary event data structures (#335)

* make reusable EvaluationDetail instances as part of flag preprocessing (#336)

* make evaluator result object immutable and reuse instances

* comment

* avoid creating List iterators during evaluations

* remove unnecessary copy

* fix allFlagsState to not generate prereq eval events

* add "...ForAll" TestData methods to replace "...ForAllUsers"

* bump okhttp & okhttp-eventsource dependencies

* update comment to clarify that level() doesn't apply to SLF4J

* update readme to mention different logging examples in hello-java

* switch to use snapshot build of java-logging, pending next release

* level setting does not apply to SLF4J and JUL

* use java-logging 1.1.0 release

* make sure META-INF files are never mistaken for classes and relocated

* update shared data store test logic to pass ClientContext with logger

* enable external javadoc links for com.launchdarkly.logging types

* use variable for dependency version

* fix flaky big segment status polling tests

* Update Windows orb, fix Windows JDK install in CI (#372)

* update snakeyaml for CVE-CVE-2022-25857

* latest snakeyaml is 1.31

* bump snakeyaml version for CVE-2022-38752

* disable Windows Java 11 build

* fix packaging of com.launchdarkly.logging classes

* rm debugging

* reconsidered - let's include the logging classes in the jars

* fix packaging test logic

* correct documentation

* use synchronous EventSource (5.x backport)

* backport YAML CVE fix from 6.x

Co-authored-by: LaunchDarklyCI <[email protected]>
Co-authored-by: Eli Bishop <[email protected]>
Co-authored-by: LaunchDarklyCI <[email protected]>
Co-authored-by: Gavin Whelan <[email protected]>
Co-authored-by: ssrm <[email protected]>
Co-authored-by: Harpo Roeder <[email protected]>
Co-authored-by: Ben Woskow <[email protected]>
Co-authored-by: Elliot <[email protected]>
Co-authored-by: Robert J. Neal <[email protected]>
Co-authored-by: Robert J. Neal <[email protected]>
Co-authored-by: Sam Stokes <[email protected]>
Co-authored-by: LaunchDarklyReleaseBot <[email protected]>
Co-authored-by: Ember Stevens <[email protected]>
Co-authored-by: ember-stevens <[email protected]>
Co-authored-by: Alex Engelberg <[email protected]>
Co-authored-by: Alex Engelberg <[email protected]>

* Releasing version 5.10.5

Co-authored-by: Eli Bishop <[email protected]>
Co-authored-by: LaunchDarklyReleaseBot <[email protected]>
Co-authored-by: Alex Engelberg <[email protected]>
Co-authored-by: Anton Mostovoy <[email protected]>
Co-authored-by: LaunchDarklyCI <[email protected]>
Co-authored-by: LaunchDarklyCI <[email protected]>
Co-authored-by: Gavin Whelan <[email protected]>
Co-authored-by: ssrm <[email protected]>
Co-authored-by: Harpo Roeder <[email protected]>
Co-authored-by: Ben Woskow <[email protected]>
Co-authored-by: Elliot <[email protected]>
Co-authored-by: Robert J. Neal <[email protected]>
Co-authored-by: Robert J. Neal <[email protected]>
Co-authored-by: Sam Stokes <[email protected]>
Co-authored-by: Ember Stevens <[email protected]>
Co-authored-by: ember-stevens <[email protected]>
Co-authored-by: Alex Engelberg <[email protected]>

.circleci/config.yml

@@ -18,11 +18,17 @@ workflows:
           requires:
             - build-linux
       - test-linux:
+          # current LTS version
           name: Java 17 - Linux - OpenJDK
           docker-image: cimg/openjdk:17.0
           with-coverage: true
           requires:
             - build-linux
+      - test-linux:
+          name: Java 19 - Linux - OpenJDK
+          docker-image: cimg/openjdk:19.0
+          requires:
+            - build-linux
       - packaging:
           requires:
             - build-linux

.ldrelease/config.yml

@@ -12,7 +12,7 @@ publications:
 
 jobs:
   - docker:
-      image: gradle:6.8.3-jdk11
+      image: gradle:7.6-jdk11
     template:
       name: gradle
 

.ldrelease/publish.sh

@@ -4,4 +4,9 @@ set -ue
 
 # Publish to Sonatype
 echo "Publishing to Sonatype"
-./gradlew publishToSonatype closeAndReleaseRepository || { echo "Gradle publish/release failed" >&2; exit 1; }
+if [[ -n "${LD_RELEASE_IS_PRERELEASE}" ]]; then
+  ./gradlew publishToSonatype || { echo "Gradle publish/release failed" >&2; exit 1; }	
+else
+  ./gradlew publishToSonatype closeAndReleaseRepository || { echo "Gradle publish/release failed" >&2; exit 1; }
+fi
+

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 All notable changes to the LaunchDarkly Java SDK will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org).
 
+## [5.10.5] - 2023-01-04
+### Fixed:
+- Fixed vulnerability [CVE-2022-1471](https://nvd.nist.gov/vuln/detail/CVE-2022-1471) which could allow arbitrary code execution if using `FileDataSource` with a YAML file. (Thanks, [antonmos](https://github.com/launchdarkly/java-server-sdk/pull/289)!)
+
 ## [6.0.1] - 2022-12-20
 ### Changed:
 - The internal implementation of the SSE client for streaming updates has been revised to use a single worker thread instead of two worker threads, reducing thread contention and memory usage.

build.gradle

@@ -150,7 +150,7 @@ libraries.test = [
     "junit:junit:4.12",
     "com.fasterxml.jackson.core:jackson-core:${versions.jackson}",
     "com.fasterxml.jackson.core:jackson-databind:${versions.jackson}",
-    "com.launchdarkly:test-helpers:1.3.0"
+    "com.launchdarkly:test-helpers:2.0.1"
 ]
 
 configurations {
@@ -173,6 +173,7 @@ dependencies {
 }
 
 checkstyle {
+    toolVersion = "9.3"
     configFile file("${project.rootDir}/config/checkstyle/checkstyle.xml")
 }
 

config/checkstyle/checkstyle.xml

@@ -10,7 +10,7 @@
     <module name="JavadocPackage"/>    
     <module name="TreeWalker">
         <module name="JavadocMethod">
-	        <property name="scope" value="public"/>
+	        <property name="accessModifiers" value="public"/>
     	</module>
 	    <module name="JavadocType">
 	        <property name="scope" value="public"/>

contract-tests/service/build.gradle

@@ -30,7 +30,7 @@ ext.versions = [
     "gson": "2.7",
     "logback": "1.1.3",
     "okhttp": "4.5.0",
-    "testHelpers": "1.1.0",
+    "testHelpers": "2.0.1",
     "launchdarklyJavaSdkCommon": project(":sdk").versions["launchdarklyJavaSdkCommon"]
 ]
 

contract-tests/service/src/main/java/sdktest/TestService.java

@@ -58,7 +58,7 @@ public BadRequestException(String message) {
     }
   }
 
-  public static void main(String[] args) {
+  public static void main(String[] args) throws Exception {
     // ((ch.qos.logback.classic.Logger)LoggerFactory.getLogger(org.slf4j.Logger.ROOT_LOGGER_NAME)).setLevel(
     //     Level.valueOf(config.logLevel.toUpperCase()));
 
@@ -75,6 +75,11 @@ public static void main(String[] args) {
     server.getRecorder().setEnabled(false); // don't accumulate a request log
 
     System.out.println("Listening on port " + PORT);
+
+    // need to explicitly sleep because HttpServer now starts as a daemon thread
+    while (true) {
+      Thread.sleep(1000);
+    }
   }
 
   private Status getStatus() {

gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.3.3-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.6-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists