[jira] [Updated] (KARAF-4306) karaf-maven-plugin is not assembling the correct version of dependencies
[ https://issues.apache.org/jira/browse/KARAF-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Grzegorz Grzybek updated KARAF-4306: Fix Version/s: (was: 4.0.11) 4.0.7 > karaf-maven-plugin is not assembling the correct version of dependencies > > > Key: KARAF-4306 > URL: https://issues.apache.org/jira/browse/KARAF-4306 > Project: Karaf > Issue Type: Bug > Components: karaf-tooling >Affects Versions: 4.0.4 >Reporter: Raman Gupta >Assignee: Jean-Baptiste Onofré > Fix For: 4.0.7, 4.1.4, 4.2.0 > > > This is similar to KARAF-3994. > I see that the commit for that issue added the following TODO: > * TODO Need to also check for version ranges. Currently ranges are ignored > and all features matching the name > I have a similar problem -- the generated system repo contains all versions > of a feature that is matched by a range, not just the highest one that > fulfills all of the requirements of the boot features. This is an issue > because the generated repo may contain older (or newer) versions of libraries > that have CVEs against them, which is then flagged by ops. > For example: > My feature depends on spring-dm which depends on spring range [2.5.6,4). At > runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains > Spring 3.1.4 (as well as three versions of Spring 4), all of which are > defined in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs > against it, so the system is flagged by ops as using jars with security > problems (even though those jars are not actually used by the app). > Shouldn't the Builder apply the same resolution logic as is used by Karaf > itself, and assemble only those jars? -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Updated] (KARAF-4306) karaf-maven-plugin is not assembling the correct version of dependencies
[ https://issues.apache.org/jira/browse/KARAF-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Guillaume Nodet updated KARAF-4306: --- Fix Version/s: (was: 4.2.0.M1) > karaf-maven-plugin is not assembling the correct version of dependencies > > > Key: KARAF-4306 > URL: https://issues.apache.org/jira/browse/KARAF-4306 > Project: Karaf > Issue Type: Bug > Components: karaf-tooling >Affects Versions: 4.0.4 >Reporter: Raman Gupta >Assignee: Jean-Baptiste Onofré > Fix For: 4.0.11, 4.1.4, 4.2.0 > > > This is similar to KARAF-3994. > I see that the commit for that issue added the following TODO: > * TODO Need to also check for version ranges. Currently ranges are ignored > and all features matching the name > I have a similar problem -- the generated system repo contains all versions > of a feature that is matched by a range, not just the highest one that > fulfills all of the requirements of the boot features. This is an issue > because the generated repo may contain older (or newer) versions of libraries > that have CVEs against them, which is then flagged by ops. > For example: > My feature depends on spring-dm which depends on spring range [2.5.6,4). At > runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains > Spring 3.1.4 (as well as three versions of Spring 4), all of which are > defined in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs > against it, so the system is flagged by ops as using jars with security > problems (even though those jars are not actually used by the app). > Shouldn't the Builder apply the same resolution logic as is used by Karaf > itself, and assemble only those jars? -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Updated] (KARAF-4306) karaf-maven-plugin is not assembling the correct version of dependencies
[ https://issues.apache.org/jira/browse/KARAF-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Guillaume Nodet updated KARAF-4306: --- Fix Version/s: 4.2.0 > karaf-maven-plugin is not assembling the correct version of dependencies > > > Key: KARAF-4306 > URL: https://issues.apache.org/jira/browse/KARAF-4306 > Project: Karaf > Issue Type: Bug > Components: karaf-tooling >Affects Versions: 4.0.4 >Reporter: Raman Gupta >Assignee: Jean-Baptiste Onofré > Fix For: 4.0.11, 4.1.4, 4.2.0.M1, 4.2.0 > > > This is similar to KARAF-3994. > I see that the commit for that issue added the following TODO: > * TODO Need to also check for version ranges. Currently ranges are ignored > and all features matching the name > I have a similar problem -- the generated system repo contains all versions > of a feature that is matched by a range, not just the highest one that > fulfills all of the requirements of the boot features. This is an issue > because the generated repo may contain older (or newer) versions of libraries > that have CVEs against them, which is then flagged by ops. > For example: > My feature depends on spring-dm which depends on spring range [2.5.6,4). At > runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains > Spring 3.1.4 (as well as three versions of Spring 4), all of which are > defined in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs > against it, so the system is flagged by ops as using jars with security > problems (even though those jars are not actually used by the app). > Shouldn't the Builder apply the same resolution logic as is used by Karaf > itself, and assemble only those jars? -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Updated] (KARAF-4306) karaf-maven-plugin is not assembling the correct version of dependencies
[ https://issues.apache.org/jira/browse/KARAF-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jean-Baptiste Onofré updated KARAF-4306: Fix Version/s: (was: 4.1.3) 4.1.4 > karaf-maven-plugin is not assembling the correct version of dependencies > > > Key: KARAF-4306 > URL: https://issues.apache.org/jira/browse/KARAF-4306 > Project: Karaf > Issue Type: Bug > Components: karaf-tooling >Affects Versions: 4.0.4 >Reporter: Raman Gupta >Assignee: Jean-Baptiste Onofré > Fix For: 4.2.0, 4.0.11, 4.1.4 > > > This is similar to KARAF-3994. > I see that the commit for that issue added the following TODO: > * TODO Need to also check for version ranges. Currently ranges are ignored > and all features matching the name > I have a similar problem -- the generated system repo contains all versions > of a feature that is matched by a range, not just the highest one that > fulfills all of the requirements of the boot features. This is an issue > because the generated repo may contain older (or newer) versions of libraries > that have CVEs against them, which is then flagged by ops. > For example: > My feature depends on spring-dm which depends on spring range [2.5.6,4). At > runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains > Spring 3.1.4 (as well as three versions of Spring 4), all of which are > defined in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs > against it, so the system is flagged by ops as using jars with security > problems (even though those jars are not actually used by the app). > Shouldn't the Builder apply the same resolution logic as is used by Karaf > itself, and assemble only those jars? -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Updated] (KARAF-4306) karaf-maven-plugin is not assembling the correct version of dependencies
[ https://issues.apache.org/jira/browse/KARAF-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jean-Baptiste Onofré updated KARAF-4306: Fix Version/s: (was: 4.0.10) 4.0.11 4.2.0 > karaf-maven-plugin is not assembling the correct version of dependencies > > > Key: KARAF-4306 > URL: https://issues.apache.org/jira/browse/KARAF-4306 > Project: Karaf > Issue Type: Bug > Components: karaf-tooling >Affects Versions: 4.0.4 >Reporter: Raman Gupta >Assignee: Jean-Baptiste Onofré > Fix For: 4.2.0, 4.1.3, 4.0.11 > > > This is similar to KARAF-3994. > I see that the commit for that issue added the following TODO: > * TODO Need to also check for version ranges. Currently ranges are ignored > and all features matching the name > I have a similar problem -- the generated system repo contains all versions > of a feature that is matched by a range, not just the highest one that > fulfills all of the requirements of the boot features. This is an issue > because the generated repo may contain older (or newer) versions of libraries > that have CVEs against them, which is then flagged by ops. > For example: > My feature depends on spring-dm which depends on spring range [2.5.6,4). At > runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains > Spring 3.1.4 (as well as three versions of Spring 4), all of which are > defined in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs > against it, so the system is flagged by ops as using jars with security > problems (even though those jars are not actually used by the app). > Shouldn't the Builder apply the same resolution logic as is used by Karaf > itself, and assemble only those jars? -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Updated] (KARAF-4306) karaf-maven-plugin is not assembling the correct version of dependencies
[ https://issues.apache.org/jira/browse/KARAF-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jean-Baptiste Onofré updated KARAF-4306: Fix Version/s: (was: 4.1.2) 4.1.3 > karaf-maven-plugin is not assembling the correct version of dependencies > > > Key: KARAF-4306 > URL: https://issues.apache.org/jira/browse/KARAF-4306 > Project: Karaf > Issue Type: Bug > Components: karaf-tooling >Affects Versions: 4.0.4 >Reporter: Raman Gupta >Assignee: Jean-Baptiste Onofré > Fix For: 4.0.10, 4.1.3 > > > This is similar to KARAF-3994. > I see that the commit for that issue added the following TODO: > * TODO Need to also check for version ranges. Currently ranges are ignored > and all features matching the name > I have a similar problem -- the generated system repo contains all versions > of a feature that is matched by a range, not just the highest one that > fulfills all of the requirements of the boot features. This is an issue > because the generated repo may contain older (or newer) versions of libraries > that have CVEs against them, which is then flagged by ops. > For example: > My feature depends on spring-dm which depends on spring range [2.5.6,4). At > runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains > Spring 3.1.4 (as well as three versions of Spring 4), all of which are > defined in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs > against it, so the system is flagged by ops as using jars with security > problems (even though those jars are not actually used by the app). > Shouldn't the Builder apply the same resolution logic as is used by Karaf > itself, and assemble only those jars? -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Updated] (KARAF-4306) karaf-maven-plugin is not assembling the correct version of dependencies
[ https://issues.apache.org/jira/browse/KARAF-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jean-Baptiste Onofré updated KARAF-4306: Fix Version/s: (was: 4.0.9) 4.0.10 > karaf-maven-plugin is not assembling the correct version of dependencies > > > Key: KARAF-4306 > URL: https://issues.apache.org/jira/browse/KARAF-4306 > Project: Karaf > Issue Type: Bug > Components: karaf-tooling >Affects Versions: 4.0.4 >Reporter: Raman Gupta >Assignee: Jean-Baptiste Onofré > Fix For: 4.1.2, 4.0.10 > > > This is similar to KARAF-3994. > I see that the commit for that issue added the following TODO: > * TODO Need to also check for version ranges. Currently ranges are ignored > and all features matching the name > I have a similar problem -- the generated system repo contains all versions > of a feature that is matched by a range, not just the highest one that > fulfills all of the requirements of the boot features. This is an issue > because the generated repo may contain older (or newer) versions of libraries > that have CVEs against them, which is then flagged by ops. > For example: > My feature depends on spring-dm which depends on spring range [2.5.6,4). At > runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains > Spring 3.1.4 (as well as three versions of Spring 4), all of which are > defined in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs > against it, so the system is flagged by ops as using jars with security > problems (even though those jars are not actually used by the app). > Shouldn't the Builder apply the same resolution logic as is used by Karaf > itself, and assemble only those jars? -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Updated] (KARAF-4306) karaf-maven-plugin is not assembling the correct version of dependencies
[ https://issues.apache.org/jira/browse/KARAF-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jean-Baptiste Onofré updated KARAF-4306: Fix Version/s: (was: 4.1.1) 4.1.2 > karaf-maven-plugin is not assembling the correct version of dependencies > > > Key: KARAF-4306 > URL: https://issues.apache.org/jira/browse/KARAF-4306 > Project: Karaf > Issue Type: Bug > Components: karaf-tooling >Affects Versions: 4.0.4 >Reporter: Raman Gupta >Assignee: Jean-Baptiste Onofré > Fix For: 4.0.9, 4.1.2 > > > This is similar to KARAF-3994. > I see that the commit for that issue added the following TODO: > * TODO Need to also check for version ranges. Currently ranges are ignored > and all features matching the name > I have a similar problem -- the generated system repo contains all versions > of a feature that is matched by a range, not just the highest one that > fulfills all of the requirements of the boot features. This is an issue > because the generated repo may contain older (or newer) versions of libraries > that have CVEs against them, which is then flagged by ops. > For example: > My feature depends on spring-dm which depends on spring range [2.5.6,4). At > runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains > Spring 3.1.4 (as well as three versions of Spring 4), all of which are > defined in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs > against it, so the system is flagged by ops as using jars with security > problems (even though those jars are not actually used by the app). > Shouldn't the Builder apply the same resolution logic as is used by Karaf > itself, and assemble only those jars? -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Updated] (KARAF-4306) karaf-maven-plugin is not assembling the correct version of dependencies
[ https://issues.apache.org/jira/browse/KARAF-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jean-Baptiste Onofré updated KARAF-4306: Fix Version/s: (was: 4.1.0) 4.1.1 > karaf-maven-plugin is not assembling the correct version of dependencies > > > Key: KARAF-4306 > URL: https://issues.apache.org/jira/browse/KARAF-4306 > Project: Karaf > Issue Type: Bug > Components: karaf-tooling >Affects Versions: 4.0.4 >Reporter: Raman Gupta >Assignee: Jean-Baptiste Onofré > Fix For: 4.0.9, 4.1.1 > > > This is similar to KARAF-3994. > I see that the commit for that issue added the following TODO: > * TODO Need to also check for version ranges. Currently ranges are ignored > and all features matching the name > I have a similar problem -- the generated system repo contains all versions > of a feature that is matched by a range, not just the highest one that > fulfills all of the requirements of the boot features. This is an issue > because the generated repo may contain older (or newer) versions of libraries > that have CVEs against them, which is then flagged by ops. > For example: > My feature depends on spring-dm which depends on spring range [2.5.6,4). At > runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains > Spring 3.1.4 (as well as three versions of Spring 4), all of which are > defined in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs > against it, so the system is flagged by ops as using jars with security > problems (even though those jars are not actually used by the app). > Shouldn't the Builder apply the same resolution logic as is used by Karaf > itself, and assemble only those jars? -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (KARAF-4306) karaf-maven-plugin is not assembling the correct version of dependencies
[ https://issues.apache.org/jira/browse/KARAF-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jean-Baptiste Onofré updated KARAF-4306: Fix Version/s: (was: 4.0.8) 4.0.9 > karaf-maven-plugin is not assembling the correct version of dependencies > > > Key: KARAF-4306 > URL: https://issues.apache.org/jira/browse/KARAF-4306 > Project: Karaf > Issue Type: Bug > Components: karaf-tooling >Affects Versions: 4.0.4 >Reporter: Raman Gupta >Assignee: Jean-Baptiste Onofré > Fix For: 4.1.0, 4.0.9 > > > This is similar to KARAF-3994. > I see that the commit for that issue added the following TODO: > * TODO Need to also check for version ranges. Currently ranges are ignored > and all features matching the name > I have a similar problem -- the generated system repo contains all versions > of a feature that is matched by a range, not just the highest one that > fulfills all of the requirements of the boot features. This is an issue > because the generated repo may contain older (or newer) versions of libraries > that have CVEs against them, which is then flagged by ops. > For example: > My feature depends on spring-dm which depends on spring range [2.5.6,4). At > runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains > Spring 3.1.4 (as well as three versions of Spring 4), all of which are > defined in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs > against it, so the system is flagged by ops as using jars with security > problems (even though those jars are not actually used by the app). > Shouldn't the Builder apply the same resolution logic as is used by Karaf > itself, and assemble only those jars? -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (KARAF-4306) karaf-maven-plugin is not assembling the correct version of dependencies
[ https://issues.apache.org/jira/browse/KARAF-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jean-Baptiste Onofré updated KARAF-4306: Fix Version/s: (was: 4.0.7) 4.0.8 > karaf-maven-plugin is not assembling the correct version of dependencies > > > Key: KARAF-4306 > URL: https://issues.apache.org/jira/browse/KARAF-4306 > Project: Karaf > Issue Type: Bug > Components: karaf-tooling >Affects Versions: 4.0.4 >Reporter: Raman Gupta >Assignee: Jean-Baptiste Onofré > Fix For: 4.1.0, 4.0.8 > > > This is similar to KARAF-3994. > I see that the commit for that issue added the following TODO: > * TODO Need to also check for version ranges. Currently ranges are ignored > and all features matching the name > I have a similar problem -- the generated system repo contains all versions > of a feature that is matched by a range, not just the highest one that > fulfills all of the requirements of the boot features. This is an issue > because the generated repo may contain older (or newer) versions of libraries > that have CVEs against them, which is then flagged by ops. > For example: > My feature depends on spring-dm which depends on spring range [2.5.6,4). At > runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains > Spring 3.1.4 (as well as three versions of Spring 4), all of which are > defined in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs > against it, so the system is flagged by ops as using jars with security > problems (even though those jars are not actually used by the app). > Shouldn't the Builder apply the same resolution logic as is used by Karaf > itself, and assemble only those jars? -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (KARAF-4306) karaf-maven-plugin is not assembling the correct version of dependencies
[ https://issues.apache.org/jira/browse/KARAF-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jean-Baptiste Onofré updated KARAF-4306: Fix Version/s: (was: 4.0.6) 4.0.7 > karaf-maven-plugin is not assembling the correct version of dependencies > > > Key: KARAF-4306 > URL: https://issues.apache.org/jira/browse/KARAF-4306 > Project: Karaf > Issue Type: Bug > Components: karaf-tooling >Affects Versions: 4.0.4 >Reporter: Raman Gupta >Assignee: Jean-Baptiste Onofré > Fix For: 4.1.0, 4.0.7 > > > This is similar to KARAF-3994. > I see that the commit for that issue added the following TODO: > * TODO Need to also check for version ranges. Currently ranges are ignored > and all features matching the name > I have a similar problem -- the generated system repo contains all versions > of a feature that is matched by a range, not just the highest one that > fulfills all of the requirements of the boot features. This is an issue > because the generated repo may contain older (or newer) versions of libraries > that have CVEs against them, which is then flagged by ops. > For example: > My feature depends on spring-dm which depends on spring range [2.5.6,4). At > runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains > Spring 3.1.4 (as well as three versions of Spring 4), all of which are > defined in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs > against it, so the system is flagged by ops as using jars with security > problems (even though those jars are not actually used by the app). > Shouldn't the Builder apply the same resolution logic as is used by Karaf > itself, and assemble only those jars? -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (KARAF-4306) karaf-maven-plugin is not assembling the correct version of dependencies
[ https://issues.apache.org/jira/browse/KARAF-4306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jean-Baptiste Onofré updated KARAF-4306: Fix Version/s: 4.0.6 4.1.0 > karaf-maven-plugin is not assembling the correct version of dependencies > > > Key: KARAF-4306 > URL: https://issues.apache.org/jira/browse/KARAF-4306 > Project: Karaf > Issue Type: Bug > Components: karaf-tooling >Affects Versions: 4.0.4 >Reporter: Raman Gupta >Assignee: Jean-Baptiste Onofré > Fix For: 4.1.0, 4.0.6 > > > This is similar to KARAF-3994. > I see that the commit for that issue added the following TODO: > * TODO Need to also check for version ranges. Currently ranges are ignored > and all features matching the name > I have a similar problem -- the generated system repo contains all versions > of a feature that is matched by a range, not just the highest one that > fulfills all of the requirements of the boot features. This is an issue > because the generated repo may contain older (or newer) versions of libraries > that have CVEs against them, which is then flagged by ops. > For example: > My feature depends on spring-dm which depends on spring range [2.5.6,4). At > runtime, Karaf only needs and uses Spring 3.2.14, but my system repo contains > Spring 3.1.4 (as well as three versions of Spring 4), all of which are > defined in the Karaf Spring repo. And of course, Spring 3.1.4 has CVEs > against it, so the system is flagged by ops as using jars with security > problems (even though those jars are not actually used by the app). > Shouldn't the Builder apply the same resolution logic as is used by Karaf > itself, and assemble only those jars? -- This message was sent by Atlassian JIRA (v6.3.4#6332)
