Is commons-digester still an active project?

2024-05-17 Thread Mclachlan, Alan
Hi

Is commons-digester still an active project?
I ask because while it's not in the Attic, the last release (3.2) was in 2011.

There are two CVEs in a dependency (CVE-2019-10086 and CVE-2014-0114).

Is there going to be a commons-digester with an uplifted version of 
commons-beanutils?
Or is commons-digester destined for the Apache Attic?

regards

Alan McLachlan
ACI Worldwide
www.aciworldwide.com


This email message and any attachments may contain confidential, proprietary or 
non-public information. The information is intended solely for the designated 
recipient(s). If an addressing or transmission error has misdirected this 
email, please notify the sender immediately and destroy this email. Any review, 
dissemination, use or reliance upon this information by unintended recipients 
is prohibited. Any opinions expressed in this email are those of the author 
personally.


Re: [aspectj-users] AspectJ versioning question

2024-05-02 Thread Mclachlan, Alan via aspectj-users
Hi Alexander

Thanks for the feedback!

> It should be super easy to upgrade. Have you tried?

I have not, that's on the list.

I think I have what I need for now though.
Thanks again, I appreciate the engagement.

regards

Alan McLachlan
ACI Worldwide
http://www.aciworldwide.com/

-Original Message-
From: aspectj-users  On Behalf Of Alexander 
Kriegisch via aspectj-users
Sent: Wednesday, May 1, 2024 10:51 AM
To: aspectj-users@eclipse.org
Cc: Alexander Kriegisch 
Subject: Re: [aspectj-users] AspectJ versioning question



Here is the CVE I was talking about, just found it again. It was in 1.9.19:

https://github.com/eclipse-aspectj/aspectj/issues/192

--
Alexander Kriegisch
https://scrum-master.de/


Alexander Kriegisch via aspectj-users wrote on 01.05.2024 at 10:46:
> Yes, 1.8.14 was unusual. That was before I was an AspectJ committer,
> though.
>
> Concerning the hypothetical CVE report, let us walk through that door
> if and when we stand in front of it. It always depends on the
> circumstances, but actually I see no reason why Java 8 users should
> not use e.g. 1.9.22. Installing an extra JDK on the build machine and
> pointing to that during compile-time weaving is not rocket science and
> in no way impedes you in using the compile results on Java 8. Besides,
> many bugs and even one CVE I personally remember were fixed in more
> recent versions, i.e. it might be beneficial even for legacy projects
> to recompile and use more recent AspectJ dependencies.
>
> It should be super easy to upgrade. Have you tried?
>
>
> Mclachlan, Alan via aspectj-users wrote on 30.04.2024 at 15:02:
>
>> 1.8.14 must have been unusual then, because I did see it released
>> after the 1.9.xx branch was in progress.
>>
>> For a team on 1.8.x facing a hypothetical CVE report, how hard is the
>> upgrade to 1.9.22 likely to be? Sounds like a Java build time version
>> upgrade may be needed.
>>
>>
>> From: Alexander Kriegisch
>>
>>> Thanks for your inquiry.
>>>
>>> AspectJ generally does not release updates for older versions.
>>> Usually, more recent versions are backward compatible. E.g., you can
>>> use the current 1.9.22 to compile with 1.8 source/target or use LTW
>>> on Java 8. Only in your build environment when using AJC directly or
>>> aspectjtools.jar via Maven or Gradle plugin, you would need Java
>>> 17, because the upstream Eclipse compiler requires it.
>>>
>>>
>>> Mclachlan, Alan via aspectj-users wrote on 30.04.2024 at
>>> 13:13:
>>>
>>>> I read up on the supported Java versions situation on the GitHub
>>>> issue tracker. I have some related questions around the v1.8.x
>>>> line:
>>>>
>>>> 1. Is the project still releasing fixes on the 1.8.x line, at least
>>>> while Java 8 is still in support? I ask because I think the last
>>>> one was 1.8.14 in 2019. Say a CVE shows up, would you be likely to
>>>> release a 1.8.15 with a fix?
>>>>
>>>> 2. Are the 1.8.x minor releases compatible, in the
>>>> semantic-versioning sense of the word? i.e. would a hypothetical
>>>> 1.8.15 be a drop-in replacement? I ask because this project doesn't
>>>> explicitly follow semantic versioning, although I suspect it may
>>>> have back in the 1.8 days?
>>>>
>>>> Apologies if these are answered elsewhere, if so I didn't manage to
>>>> find them on the website.
>>>>
>>>> The context of my ask is OWASP A06 analysis of our SBOM, not to
>>>> motivate for any project action.
___
aspectj-users mailing list
aspectj-users@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/aspectj-users



Re: [aspectj-users] AspectJ versioning question

2024-04-30 Thread Mclachlan, Alan via aspectj-users
Thanks for the quick response Alexander.

1.8.14 must have been unusual then, because I did see it released after the 
1.9.xx branch was in progress.

For a team on 1.8.x facing a hypothetical CVE report, how hard is the upgrade 
to 1.9.22 likely to be?
Sounds like a Java build time version upgrade may be needed.

regards

Alan McLachlan
Chief Architect - Merchant
T +27 21 525 5008 / M +27 81 334 5946
ACI Worldwide, Building A, The Estuaries, Century City, Milnerton, Cape Town, 
7435, South Africa.
http://www.aciworldwide.com/

-Original Message-
From: aspectj-users  On Behalf Of Alexander 
Kriegisch via aspectj-users
Sent: Tuesday, April 30, 2024 1:30 PM
To: aspectj-users@eclipse.org
Cc: Alexander Kriegisch 
Subject: Re: [aspectj-users] AspectJ versioning question



Hi Alan.

Thanks for your inquiry.

AspectJ generally does not release updates for older versions. Usually, more 
recent versions are backward compatible. E.g., you can use the current 1.9.22 
to compile with 1.8 source/target or use LTW on Java 8.
Only in your build environment when using AJC directly or aspectjtools.jar via 
Maven or Gradle plugin, you would need Java 17, because the upstream Eclipse 
compiler requires it.

Regards
--
Alexander Kriegisch
https://scrum-master.de/


Mclachlan, Alan via aspectj-users wrote on 30.04.2024 at 13:13:

> I read up on the supported Java versions situation on the GitHub issue 
> tracker.
> I have some related questions around the v1.8.x line:
>
> 1. Is the project still releasing fixes on the 1.8.x line, at least while 
> Java 8 is still in support?
> I ask because I think the last one was 1.8.14 in 2019. Say a CVE shows up, 
> would you be likely to release a 1.8.15 with a fix?
>
> 2. Are the 1.8.x minor releases compatible, in the semantic-versioning sense 
> of the word?
> i.e. would a hypothetical 1.8.15 be a drop-in replacement?
> I ask because this project doesn't explicitly follow semantic versioning, 
> although I suspect it may have back in the 1.8 days?
>
> Apologies if these are answered elsewhere, if so I didn't manage to find them 
> on the website.
>
> The context of my ask is OWASP A06 analysis of our SBOM, not to motivate for 
> any project action.
>
> regards
>
> Alan McLachlan
> ACI Worldwide
> http://www.aciworldwide.com/


[aspectj-users] AspectJ versioning question

2024-04-30 Thread Mclachlan, Alan via aspectj-users
Hi folks

I read up on the supported Java versions situation on the GitHub issue tracker.
I have some related questions around the v1.8.x line:

1. Is the project still releasing fixes on the 1.8.x line, at least while Java 
8 is still in support?
I ask because I think the last one was 1.8.14 in 2019. Say a CVE shows up, 
would you be likely to release a 1.8.15 with a fix?

2. Are the 1.8.x minor releases compatible, in the semantic-versioning sense of 
the word?
i.e. would a hypothetical 1.8.15 be a drop-in replacement?
I ask because this project doesn't explicitly follow semantic versioning, 
although I suspect it may have back in the 1.8 days?

Apologies if these are answered elsewhere, if so I didn't manage to find them 
on the website.

The context of my ask is OWASP A06 analysis of our SBOM, not to motivate for 
any project action.

regards

Alan McLachlan
ACI Worldwide
www.aciworldwide.com

