Listing all the CVEs for all dependencies is possible.
Doing it manually might be tedious and not sustainable for all versions.

If we can find some ways to query a couple of websites to grab all the CVEs
and generate release notes with all CVEs.

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Fri, Feb 11, 2022 at 10:51 AM Zowalla, Richard <[email protected]> wrote:

> Hi Alex,
>
> it is essentially a diligence task to label the relevant dependency
> upgrades with "cve" in Jira when a security vulnerability has been
> fixed in a third-party dependency.
>
> The release notes tooling will then list them in the CVE section of the
> generated notes.
>
> Regards
> Richard
>
> On Friday, 11.02.2022 at 10:44 +0100, Alex The Rocker wrote:
> > Hello,
> >
> > Would it be possible to get the list of fixed CVEs in the release
> > notes, regardless whether it's directly or through embedded stuff
> > (like Tomcat, CXF, etc) ?
> > Indeed, we are more and more challenged by security scans, so the more
> > accurate TomEE's community is about security fixes, the better...
> >
> > (no vote yet since I haven't tried 8.0.10 yet, but great thanks for
> > the Java 17 fix for Windows version of TomEE service)
> >
> > Thanks,
> > Alex
> >
> > On Fri, 11 Feb 2022 at 09:54, Jean-Louis Monteiro
> > <[email protected]> wrote:
> > > Hi All,
> > >
> > > This is a first attempt at a vote for a release of Apache TomEE
> > > 8.0.10
> > >
> > > Maven Repo:
> > > https://repository.apache.org/content/repositories/orgapachetomee-1193/
> > >
> > > Binaries & Source:
> > > https://dist.apache.org/repos/dist/dev/tomee/staging_1193-TomEE-8.0.10/
> > >
> > > Tags:
> > > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.10
> > >
> > > Release notes:
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12350706
> > >
> > > Here are the release notes
> > > Sub-task
> > >
> > >    - [TOMEE-2117 <https://issues.apache.org/jira/browse/TOMEE-2117>] - Rework ProcessObserverMethod integration
> > >    - [TOMEE-2289 <https://issues.apache.org/jira/browse/TOMEE-2289>] - MicroProfile OpenAPI Example
> > >    - [TOMEE-2349 <https://issues.apache.org/jira/browse/TOMEE-2349>] - Ensure each module can generate javadoc jars on release
> > >    - [TOMEE-2350 <https://issues.apache.org/jira/browse/TOMEE-2350>] - Create a list of existing Javadoc using html
> > >    - [TOMEE-2351 <https://issues.apache.org/jira/browse/TOMEE-2351>] - MicroProfile OpenTracing Example for Distributed Microservices
> > >    - [TOMEE-2358 <https://issues.apache.org/jira/browse/TOMEE-2358>] - MicroProfile JWT rest-mp-jwt-claim Example
> > >
> > > Bug
> > >
> > >    - [TOMEE-2169 <https://issues.apache.org/jira/browse/TOMEE-2169>] - Interceptor Bean injection does not work for EJBs
> > >    - [TOMEE-2270 <https://issues.apache.org/jira/browse/TOMEE-2270>] - Java11: Unable to initialize agent with embedded-maven-plugin
> > >    - [TOMEE-2403 <https://issues.apache.org/jira/browse/TOMEE-2403>] - AutoConnectionTrackerTest fails randomly
> > >    - [TOMEE-2427 <https://issues.apache.org/jira/browse/TOMEE-2427>] - Align text above the pictures
> > >    - [TOMEE-2800 <https://issues.apache.org/jira/browse/TOMEE-2800>] - Issue : Unable to run EJB test cases for upgradation in current project with Java 1.8 and WebLogic version 12.2.1.4 along with openejb.cxf.version 7.0.1 / openejb.cxf.version 8 jar.
> > >    - [TOMEE-2941 <https://issues.apache.org/jira/browse/TOMEE-2941>] - Regression: A connection factory created with TransactionSupport of "none" only sending message when transaction completes
> > >    - [TOMEE-3777 <https://issues.apache.org/jira/browse/TOMEE-3777>] - <openjpa-3.1.2-r66d2a72 fatal user error> org.apache.openjpa.persistence.ArgumentException: The persistence provider is attempting to use properties in the persistence.xml file to resolve the data source ...
> > >    - [TOMEE-3816 <https://issues.apache.org/jira/browse/TOMEE-3816>] - Return "this" on stateless EJB method looses container transaction management
> > >    - [TOMEE-3823 <https://issues.apache.org/jira/browse/TOMEE-3823>] - TomEE and Java 17 compatibility issue with Windows Service Tooling
> > >    - [TOMEE-3825 <https://issues.apache.org/jira/browse/TOMEE-3825>] - TomEE Maven Plugin does not wait for container startup, if "checkStarted" is set to true
> > >    - [TOMEE-3832 <https://issues.apache.org/jira/browse/TOMEE-3832>] - JAX-RS TomEEJsonbProvider not registered in tomee-embedded-maven-plugin when MicroProfile is present
> > >
> > > New Feature
> > >
> > >    - [TOMEE-2306 <https://issues.apache.org/jira/browse/TOMEE-2306>] - New Java EE Schemas for Java EE Deployment Descriptors
> > >    - [TOMEE-2584 <https://issues.apache.org/jira/browse/TOMEE-2584>] - Java 11 compliancy
> > >    - [TOMEE-2706 <https://issues.apache.org/jira/browse/TOMEE-2706>] - New TomEE Embedded Bootstrap
> > >
> > > Improvement
> > >
> > >    - [TOMEE-1618 <https://issues.apache.org/jira/browse/TOMEE-1618>] - Replace three register maps in Container in favour of one
> > >    - [TOMEE-2277 <https://issues.apache.org/jira/browse/TOMEE-2277>] - Java11: module name for TomEE
> > >    - [TOMEE-2425 <https://issues.apache.org/jira/browse/TOMEE-2425>] - Generate TomEE-Cluster.html page
> > >    - [TOMEE-2519 <https://issues.apache.org/jira/browse/TOMEE-2519>] - MP JWT Logging Improvements
> > >    - [TOMEE-2847 <https://issues.apache.org/jira/browse/TOMEE-2847>] - Patch key `jakarta` namespace support
> > >    - [TOMEE-2949 <https://issues.apache.org/jira/browse/TOMEE-2949>] - Match TomEE tar and zip file syntax with extracted folder
> > >    - [TOMEE-3826 <https://issues.apache.org/jira/browse/TOMEE-3826>] - Add exclusion list maven config for patch plugin to preserve jars with signature
> > >
> > > Wish
> > >
> > >    - [TOMEE-2347 <https://issues.apache.org/jira/browse/TOMEE-2347>] - Use Asciidoc for all Javadoc
> > >
> > > Task
> > >
> > >    - [TOMEE-2285 <https://issues.apache.org/jira/browse/TOMEE-2285>] - Microprofile Examples
> > >    - [TOMEE-2867 <https://issues.apache.org/jira/browse/TOMEE-2867>] - Add Documentation links to website download page
> > >    - [TOMEE-2868 <https://issues.apache.org/jira/browse/TOMEE-2868>] - Add instructions on each example page
> > >    - [TOMEE-3724 <https://issues.apache.org/jira/browse/TOMEE-3724>] - Remove TomEE drop-in webapp distributions
> > >
> > > Dependency upgrade
> > >
> > >    - [TOMEE-2630 <https://issues.apache.org/jira/browse/TOMEE-2630>] - update to latest geronimo-jsonb_1.0-spec
> > >    - [TOMEE-2765 <https://issues.apache.org/jira/browse/TOMEE-2765>] - ShrinkWrap Maven Resolver 3.1.4
> > >    - [TOMEE-3723 <https://issues.apache.org/jira/browse/TOMEE-3723>] - Upgrade to commons-lang3 3.12.0
> > >    - [TOMEE-3800 <https://issues.apache.org/jira/browse/TOMEE-3800>] - DBCP 2.9.0
> > >    - [TOMEE-3828 <https://issues.apache.org/jira/browse/TOMEE-3828>] - Upgrade to Tomcat 9.0.58
> > >    - [TOMEE-3829 <https://issues.apache.org/jira/browse/TOMEE-3829>] - Upgrade Log4J2 to 2.17.1 in log4j2-tomee utils module
> > >    - [TOMEE-3830 <https://issues.apache.org/jira/browse/TOMEE-3830>] - Upgrade BatchEE to 1.0.1
> > >    - [TOMEE-3835 <https://issues.apache.org/jira/browse/TOMEE-3835>] - Apache OpenWebBeans 2.0.26
> > >    - [TOMEE-3836 <https://issues.apache.org/jira/browse/TOMEE-3836>] - Apache Johnzon 1.2.16
> > >    - [TOMEE-3837 <https://issues.apache.org/jira/browse/TOMEE-3837>] - Apache OpenJPA 3.2.1
> > >
> > > Documentation
> > >
> > >    - [TOMEE-2293 <https://issues.apache.org/jira/browse/TOMEE-2293>] - The README.md's on many of the CDI examples requires some clean up.
> > >    - [TOMEE-2303 <https://issues.apache.org/jira/browse/TOMEE-2303>] - Add technical documentation to main TomEE repo
> > >    - [TOMEE-2852 <https://issues.apache.org/jira/browse/TOMEE-2852>] - Create session of documentation for Tomee Docker
> > >
> > >
> > > (Developers - please review and adjust your tickets if necessary!)
> > >
> > > Please VOTE:
> > >
> > > [+1] Yes, release it
> > > [+0] Not fussed
> > > [-1] Don't release, there's a showstopper (please specify what the
> > > showstopper is)
> > >
> > > Vote will be open for 72 hours.
> > >
> > > Thanks
> > > --
> > > Jean-Louis Monteiro
> > > http://twitter.com/jlouismonteiro
> > > http://www.tomitribe.com
>
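The automation Jean-Louis asks for above, sketched as an added example in Python that is not part of this thread or of the TomEE release-notes tooling: it takes a release's dependency upgrades as Maven coordinates with old and new versions, matches them against a local advisory snapshot (constructed here, with placeholder CVE ids that are not real advisories; in practice this would be a downloaded feed from a vulnerability database such as OSV or the NVD), and renders the CVE section plus the list of Jira tickets that should carry the "cve" label Richard describes. It also flags a bump that does not reach the fixed version, which is the case a diligence-only process most easily misses. The Upgrade records, ticket keys and advisories are all constructed, and the version comparison is a simplified numeric split rather than Maven's full ordering.

```python
"""Derive a release-notes CVE section from dependency upgrades.

Added example, not TomEE project tooling. The advisory snapshot below is
constructed and offline; its CVE ids are placeholders, not real advisories.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Upgrade:
    """One dependency bump taken from the release's 'Dependency upgrade' tickets."""
    ticket: str     # Jira key (placeholder keys here)
    package: str    # Maven coordinate groupId:artifactId
    old: str        # version shipped in the previous release
    new: str        # version shipped in this release


# Constructed advisory snapshot in a simplified OSV-like shape: an advisory
# affects every version v with introduced <= v < fixed.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "CVE-0000-0001", "package": "org.example:libfoo", "introduced": "1.0.0", "fixed": "1.2.3"},
    {"id": "CVE-0000-0002", "package": "org.example:libfoo", "introduced": "1.2.0", "fixed": "1.4.0"},
    {"id": "CVE-0000-0003", "package": "org.example:libbar", "introduced": "2.0.0", "fixed": "2.5.1"},
]

# Constructed upgrades for a hypothetical release.
UPGRADES: List[Upgrade] = [
    Upgrade("EXAMPLE-1", "org.example:libfoo", "1.2.1", "1.3.0"),
    Upgrade("EXAMPLE-2", "org.example:libbar", "2.4.0", "2.5.1"),
    Upgrade("EXAMPLE-3", "org.example:libbaz", "3.0.0", "3.1.0"),
]


def parse_version(version: str) -> tuple:
    """Split a version into comparable parts.

    Numeric parts compare numerically, other parts as strings. This is a
    simplification: Maven's qualifier rules (e.g. SNAPSHOT ordering before the
    release) are not modelled; real tooling should use Maven's ComparableVersion.
    """
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version))


def is_affected(version: str, advisory: Dict[str, str]) -> bool:
    """True when the version lies in the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def fixed_by(upgrade: Upgrade) -> List[str]:
    """Advisory ids that affected the old version and no longer affect the new one."""
    return [a["id"] for a in ADVISORIES
            if a["package"] == upgrade.package
            and is_affected(upgrade.old, a) and not is_affected(upgrade.new, a)]


def still_open(upgrade: Upgrade) -> List[str]:
    """Advisory ids that still affect the new version: the bump did not go far enough."""
    return [a["id"] for a in ADVISORIES
            if a["package"] == upgrade.package and is_affected(upgrade.new, a)]


def tickets_needing_cve_label(upgrades: List[Upgrade]) -> Set[str]:
    """Jira tickets that should carry the 'cve' label so the notes tooling lists them."""
    return {u.ticket for u in upgrades if fixed_by(u)}


def cve_section(upgrades: List[Upgrade]) -> str:
    """Render the CVE block in the same list style as the generated release notes."""
    lines = ["CVE", ""]
    for u in upgrades:
        for cve in fixed_by(u):
            lines.append(f"   - [{u.ticket}] - {cve} fixed by {u.package} {u.old} -> {u.new}")
    if len(lines) == 2:
        lines.append("   (none)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(cve_section(UPGRADES))
    for u in UPGRADES:
        if still_open(u):
            print(f"WARNING: {u.ticket} {u.package} {u.new} still affected by {still_open(u)}")
    print("label with 'cve':", sorted(tickets_needing_cve_label(UPGRADES)))
```

In the constructed data, EXAMPLE-1 closes one placeholder advisory but lands on a version still inside a second one, so it is listed in the CVE section and also produces a warning; that second signal is what a purely label-based process cannot give you.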
