From ca8e9bd66a8b3dd09e7c250e38b7d2c97de03aa0 Mon Sep 17 00:00:00 2001 From: Alexander Kurtakov Date: Fri, 22 Jan 2021 23:51:52 +0200 Subject: [PATCH 5/5] Remove guava dependency from indexer-core It suffers from multiple CVEs: * guava < 24.1.1 is vulnerable to CVE-2018-10237. * guava < 30.0 is vulnerable to CVE-2020-8908. Moving to guava 30.1 will require moving to Java 8 so it's actually simpler to just remove the dependency altogether. Signed-off-by: Alexander Kurtakov Closes #75
---
 indexer-core/pom.xml | 5 -----
 .../java/org/apache/maven/index/ArtifactInfo.java | 5 ++---
 .../maven/index/context/TrackingLockFactory.java | 12 +++++++-----
 .../maven/index/packer/IndexPackingRequest.java | 8 ++++----
 .../apache/maven/index/updater/IndexDataReader.java | 7 +++----
 5 files changed, 16 insertions(+), 21 deletions(-)
diff --git a/indexer-core/pom.xml b/indexer-core/pom.xml
index 5b3ea08..2418fc6 100644
--- a/indexer-core/pom.xml
+++ b/indexer-core/pom.xml
@@ -40,11 +40,6 @@ under the License. slf4j-api - - com.google.guava - guava - - javax.inject
diff --git a/indexer-core/src/main/java/org/apache/maven/index/ArtifactInfo.java b/indexer-core/src/main/java/org/apache/maven/index/ArtifactInfo.java
index af917ea..e77df69 100644
--- a/indexer-core/src/main/java/org/apache/maven/index/ArtifactInfo.java
+++ b/indexer-core/src/main/java/org/apache/maven/index/ArtifactInfo.java
@@ -37,8 +37,6 @@ import org.eclipse.aether.version.InvalidVersionSpecificationException;
 import org.eclipse.aether.version.Version;
 import org.eclipse.aether.version.VersionScheme;
-import com.google.common.base.Strings;
-
 /**
 * ArtifactInfo holds the values known about an repository artifact. This is a simple Value Object kind of stuff.
 * Phasing out.
@@ -428,7 +426,8 @@ public class ArtifactInfo
 public String toString()
 {
 final StringBuilder result = new StringBuilder( getUinfo() );
- if ( !Strings.isNullOrEmpty( getPackaging() ) )
+ String packaging = getPackaging();
+ if ( packaging != null && !getPackaging().isEmpty() )
 {
 result.append( "[" ).append( getPackaging() ).append( "]" );
 }
diff --git a/indexer-core/src/main/java/org/apache/maven/index/context/TrackingLockFactory.java b/indexer-core/src/main/java/org/apache/maven/index/context/TrackingLockFactory.java
index 9bc6a02..a2a4d62 100644
--- a/indexer-core/src/main/java/org/apache/maven/index/context/TrackingLockFactory.java
+++ b/indexer-core/src/main/java/org/apache/maven/index/context/TrackingLockFactory.java
@@ -21,13 +21,15 @@ package org.apache.maven.index.context;
 import java.io.IOException;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
+
 import org.apache.lucene.store.Directory;
 import org.apache.lucene.store.Lock;
 import org.apache.lucene.store.LockFactory;
-import static com.google.common.base.Preconditions.checkNotNull;
-import java.util.HashSet;
+
+import static java.util.Objects.requireNonNull;
 /**
 *
@@ -43,7 +45,7 @@ final class TrackingLockFactory
 TrackingLockFactory( final LockFactory delegate )
 {
- this.delegate = checkNotNull( delegate );
+ this.delegate = requireNonNull( delegate );
 this.emittedLocks = Collections.newSetFromMap( new ConcurrentHashMap() );
 }
@@ -78,8 +80,8 @@ final class TrackingLockFactory
 TrackingLock( final Lock delegate, final String name )
 {
- this.delegate = checkNotNull( delegate );
- this.name = checkNotNull( name );
+ this.delegate = requireNonNull( delegate );
+ this.name = requireNonNull( name );
 }
 String getName()
diff --git a/indexer-core/src/main/java/org/apache/maven/index/packer/IndexPackingRequest.java b/indexer-core/src/main/java/org/apache/maven/index/packer/IndexPackingRequest.java
index 850d9d8..a4af036 100644
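Review bot: The new local `packaging` in `toString()` is used only for the null test, while the emptiness check and the `append` still call `getPackaging()` again. The value that is null-checked is therefore not the one that is dereferenced, and the getter runs three times. If `ArtifactInfo` is mutated between the calls (it looks like a mutable value object, but that is not visible here), the second read could still be null. Use the local throughout: `if ( packaging != null && !packaging.isEmpty() )` and `result.append( "[" ).append( packaging ).append( "]" );`. The body of `toString()` continues past the end of the hunk.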
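Review bot: The `requireNonNull` calls in the `TrackingLockFactory` constructor carry no message, and the same applies to the `TrackingLock` constructor hunk below and to the `IndexPackingRequest` constructor. Where two or three arguments are checked back to back, the resulting NullPointerException does not say which argument was null. This matches the single-argument `checkNotNull` it replaces, so it is not a regression, but the two-argument overload is free here, for example `this.delegate = requireNonNull( delegate, "delegate" );` and `this.name = requireNonNull( name, "name" );`.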
--- a/indexer-core/src/main/java/org/apache/maven/index/packer/IndexPackingRequest.java
+++ b/indexer-core/src/main/java/org/apache/maven/index/packer/IndexPackingRequest.java
@@ -26,7 +26,7 @@ import java.util.Collection;
 import org.apache.lucene.index.IndexReader;
 import org.apache.maven.index.context.IndexingContext;
-import static com.google.common.base.Preconditions.checkNotNull;
+import static java.util.Objects.requireNonNull;
 /**
 * An index packing request.
@@ -53,11 +53,11 @@ public class IndexPackingRequest
 public IndexPackingRequest( final IndexingContext context, final IndexReader indexReader, final File targetDir )
 {
- this.context = checkNotNull( context );
+ this.context = requireNonNull( context );
- this.indexReader = checkNotNull( indexReader );
+ this.indexReader = requireNonNull( indexReader );
- this.targetDir = checkNotNull( targetDir );
+ this.targetDir = requireNonNull( targetDir );
 this.createIncrementalChunks = true;
diff --git a/indexer-core/src/main/java/org/apache/maven/index/updater/IndexDataReader.java b/indexer-core/src/main/java/org/apache/maven/index/updater/IndexDataReader.java
index c5f1d71..3e80c13 100644
--- a/indexer-core/src/main/java/org/apache/maven/index/updater/IndexDataReader.java
+++ b/indexer-core/src/main/java/org/apache/maven/index/updater/IndexDataReader.java
@@ -27,11 +27,10 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.UTFDataFormatException;
 import java.util.Date;
-import java.util.zip.GZIPInputStream;
-
-import com.google.common.base.Strings;
 import java.util.LinkedHashSet;
 import java.util.Set;
+import java.util.zip.GZIPInputStream;
+
 import org.apache.lucene.document.Document;
 import org.apache.lucene.document.Field;
 import org.apache.lucene.document.FieldType;
@@ -159,7 +158,7 @@ public class IndexDataReader
 // Fix up UINFO field wrt MINDEXER-41
 final Field uinfoField = (Field) doc.getField( ArtifactInfo.UINFO );
 final String info = doc.get( ArtifactInfo.INFO );
- if ( uinfoField != null && !Strings.isNullOrEmpty( info ) )
+ if ( uinfoField != null && info != null && !info.isEmpty() )
 {
 final String[] splitInfo = ArtifactInfo.FS_PATTERN.split( info );
 if ( splitInfo.length > 6 )
-- 
2.31.1