Re: Log4j vulnerability

2021-12-15 Thread Carl Mosca
Log4j-core

On Wed, Dec 15, 2021 at 7:07 PM Alonso Del Arte 
wrote:

> Excellent question. I hope not. I'll check if there's been any discussion
> in the Slack...
>
> On Wed, Dec 15, 2021 at 2:13 PM Mike Hallan 
> wrote:
>
>> Does Netbeans Platform at any level use Log4j? I was thinking maybe the
>> logging module may, if not use it, then be based on it.
>>
>> Are applications built on Netbeans Platform in any way vulnerable to
>> Log4j exploits as described at
>> mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 ?
>>
>> Thanks,
>> Mike
>>
>
>
> --
> Alonso del Arte
> Author at SmashWords.com
> 
> Musician at ReverbNation.com 
>
-- 
Regards,
Carl


Re: Log4j vulnerability

2021-12-15 Thread Scott Palmer
Also consider if NetBeans Platform apps are likely to be in a situation where 
malicious input is possible to exploit the vulnerability in the first place. I 
suppose if the update centre or start page content were hacked it could be a 
vector to get malicious input into the NB logging. 

So the main concern is if log4j is used in the servers or if your platform app 
logs input from the wild. I think you also have to be running on an older JVM, 
don’t you?

Scott

> On Dec 15, 2021, at 7:06 PM, Alonso Del Arte  wrote:
> 
> 
> Excellent question. I hope not. I'll check if there's been any discussion in 
> the Slack...
> 
>> On Wed, Dec 15, 2021 at 2:13 PM Mike Hallan  
>> wrote:
>> Does Netbeans Platform at any level use Log4j? I was thinking maybe the 
>> logging module may, if not use it, then be based on it.
>> 
>> Are applications built on Netbeans Platform in any way vulnerable to 
>> Log4j exploits as described at 
>> mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 ?
>> 
>> Thanks,
>> Mike
> 
> 


Re: Log4j vulnerability

2021-12-15 Thread Alonso Del Arte
Excellent question. I hope not. I'll check if there's been any discussion
in the Slack...

On Wed, Dec 15, 2021 at 2:13 PM Mike Hallan 
wrote:

> Does Netbeans Platform at any level use Log4j? I was thinking maybe the
> logging module may, if not use it, then be based on it.
>
> Are applications built on Netbeans Platform in any way vulnerable to
> Log4j exploits as described at
> mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 ?
>
> Thanks,
> Mike
>


-- 
Alonso del Arte
Author at SmashWords.com

Musician at ReverbNation.com 


Encoding semicolon in an param-value

2021-12-15 Thread Mark Eggers
I am using NetBeans 12.4 (I know, upgrade) on a Windows 10 Professional 
system with JDK 11.0.12 (I know, upgrade).


I am writing a proof of concept web application (Maven, Java EE 6) to 
test configurable servlet filters for Content-Security-Policy and 
X-Frame-Options.


This all works well, except that NetBeans marks my web.xml with errors 
if I put something like the following into a 


default-src 'self' object-src 'none'

It's read correctly, and examining the Content-Security-Policy values 
shows up the expected results (with the semicolons).


What is the proper way of encoding a semicolon so that it's read by the 
filter as a

 but does not generate an error by NetBeans?

. . . just my two cents
/mde/




Log4j vulnerability

2021-12-15 Thread Mike Hallan
Does Netbeans Platform at any level use Log4j? I was thinking maybe the logging 
module may, if not use it, then be based on it.
Are applications built on Netbeans Platform in any way vulnerable to Log4j 
exploits as described at mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 ?
Thanks,
Mike
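
One way to answer the question above for a specific installation or packaged application is to look for the log4j-core class that performs the JNDI lookup behind CVE-2021-44228, including inside bundled archives. This is an added example, not code from the thread or from the NetBeans project; the function names, the extension list and the sample jars with their version string are constructed for illustration, and a hit shows only that the class is present, not that it is reachable.

```python
import io
import sys
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".nbm", ".zip")  # assumed list of archive types

def scan_archive(data, label, depth=4):
    """Return (location, version) for each archive layer holding JndiLookup.class."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if JNDI_LOOKUP in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
                found = [p[8:].strip() for p in props.splitlines() if p.startswith("version=")]
                hits.append((label, found[0] if found else "unknown"))
            for name in sorted(names):  # recurse into bundled archives (fat jars, NBMs)
                if depth > 0 and name.lower().endswith(ARCHIVE_EXTS):
                    hits += scan_archive(zf.read(name), f"{label}!/{name}", depth - 1)
    except zipfile.BadZipFile:
        pass  # unreadable or corrupt archive: skip it
    return hits

def scan_tree(root):
    """Scan every archive file under an installation directory."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXTS:
            hits += scan_archive(path.read_bytes(), str(path))
    return hits

def make_jar(target, entries):  # helper used only to build the constructed sample
    with zipfile.ZipFile(target, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)

def build_demo_tree(root):
    """Constructed sample: one clean jar, one jar bundling a placeholder log4j-core."""
    inner = io.BytesIO()
    make_jar(inner, {JNDI_LOOKUP: b"", POM_PROPS: "version=0.0.0-constructed\n"})
    modules = Path(root) / "modules"
    modules.mkdir(parents=True)
    make_jar(modules / "clean.jar", {"com/example/App.class": b""})
    make_jar(modules / "bundle.jar", {"lib/log4j-core.jar": inner.getvalue()})

if __name__ == "__main__":
    print(*scan_tree(sys.argv[1]), sep="\n")  # usage: python scan.py <install dir>
```

Compare any version reported against the affected range given in the CVE-2021-44228 advisory; "unknown" means the archive carried no pom.properties and needs a manual look.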

RE: Maven NetBeans Module and gRPC dependencies

2021-12-15 Thread Giovanni Dal Maso
At the moment the only solution is to create a shaded jar with an independent 
maven project and use it as a dependency in the NB module.

It triggers what seems a bug in maven dependencies as some NB modules mix 
creates a dependency from an [allow] class.

For example, adding this dependency in the pom.xml:

<dependency>
    <groupId>org.netbeans.api</groupId>
    <artifactId>org-apache-tools-ant-module</artifactId>
    <version>RELEASE126</version>
</dependency>


And in the class usage there is an "allow" class:

Failed to execute goal 
org.apache.netbeans.utilities:nbm-maven-plugin:4.6:manifest (default-manifest) 
on project standalone-grpc-module: Uncategorized problems with NetBeans 
dependency verification (maybe MNBMODULE-102 or wrong maven dependency 
metadata). Supposedly external classes are used in the project's binaries but 
the classes are not found on classpath. Class usages: [io.perfmark.Tag, 
android.annotation.SuppressLint, com.google.gson.stream.JsonToken, allow, 
io.perfmark.Link, io.perfmark.PerfMark, com.google.gson.stream.JsonReader, 
org.codehaus.mojo.animal_sniffer.IgnoreJRERequirement] -> [Help 1]

Without the dependency:

Failed to execute goal 
org.apache.netbeans.utilities:nbm-maven-plugin:4.6:manifest (default-manifest) 
on project standalone-grpc-module: Uncategorized problems with NetBeans 
dependency verification (maybe MNBMODULE-102 or wrong maven dependency 
metadata). Supposedly external classes are used in the project's binaries but 
the classes are not found on classpath. Class usages: [io.perfmark.Tag, 
android.annotation.SuppressLint, com.google.gson.stream.JsonToken, 
io.perfmark.Link, io.perfmark.PerfMark, com.google.gson.stream.JsonReader, 
org.codehaus.mojo.animal_sniffer.IgnoreJRERequirement] -> [Help 1]



From: Giovanni Dal Maso 
Sent: Friday, 10 December 2021 16:21
To: users@netbeans.apache.org
Subject: Maven NetBeans Module and gRPC dependencies

Hi, a maven based NetBeans Module with GRPC dependencies cannot compile:
Steps to reproduce with NetBeans 12.5 or 12.6:

  1.  Create Maven NetBeans Module
  2.  Add gRPC dependencies as suggested by gRPC project 
(https://github.com/grpc/grpc-java#download)
  3.  Clean & build the module

It is also possible to clone my repo (contains only the standalone module):
https://github.com/gdm-tts/nbm-grpc

The error is missing dependencies verification: while it is possible to add 
some (e.g. "io.perfmark.Tag") it is not possible to add all dependencies (e.g. 
"android.annotation.SuppressLint").
Maybe the error should be a warning.

Has anybody ever tried to compile an NB module with maven and GRPC dependencies?

Thanks for any help you can provide in resolving this issue.



Output:

Scanning for projects...

< test:standalone-grpc-module >-
Building standalone-grpc-module 1.0-SNAPSHOT
[ nbm ]-

--- maven-clean-plugin:2.5:clean (default-clean) @ standalone-grpc-module ---
Deleting C:\tmp\standalone-grpc-module\target

--- maven-resources-plugin:3.2.0:resources (default-resources) @ 
standalone-grpc-module ---
Using 'UTF-8' encoding to copy filtered resources.
Using 'UTF-8' encoding to copy filtered properties files.
Copying 1 resource

--- maven-compiler-plugin:3.8.1:compile (default-compile) @ 
standalone-grpc-module ---
Nothing to compile - all classes are up to date

--- nbm-maven-plugin:4.6:manifest (default-manifest) @ standalone-grpc-module 
---
NBM Plugin generates manifest
Adding on module's Class-Path:
io.grpc:grpc-netty-shaded:jar:1.42.1
com.google.guava:guava:jar:30.1-android
com.google.guava:failureaccess:jar:1.0.1

com.google.guava:listenablefuture:jar:.0-empty-to-avoid-conflict-with-guava
org.checkerframework:checker-compat-qual:jar:2.5.5
com.google.j2objc:j2objc-annotations:jar:1.3
com.google.errorprone:error_prone_annotations:jar:2.9.0
io.grpc:grpc-core:jar:1.42.1
io.grpc:grpc-protobuf:jar:1.42.1
io.grpc:grpc-api:jar:1.42.1
io.grpc:grpc-context:jar:1.42.1
com.google.code.findbugs:jsr305:jar:3.0.2
com.google.protobuf:protobuf-java:jar:3.17.2
com.google.api.grpc:proto-google-common-protos:jar:2.0.1
io.grpc:grpc-protobuf-lite:jar:1.42.1
io.grpc:grpc-stub:jar:1.42.1

BUILD FAILURE

Total time:  2.340 s
Finished at: 2021-12-10T15:40:37+01:00

Failed to execute goal 
org.apache.netbeans.utilities:nbm-maven-plugin:4.6:manifest (default-manifest) 
on project standalone-grpc-module: Uncategorized problems with NetBeans 
dependency verification (maybe MNBMODULE-102 or wrong maven dependency 
metadata). Supposedly external classes are used in the project's binaries but 
the classes are not found on classpath. Class usages: [io.perfmark.Tag, 
android.annotation.SuppressLint,