POI vulnerabilities (birt, CLOSED)

eclipse-birt avatar eclipse-birt commented on July 20, 2024
POI vulnerabilities

from birt.

Comments (7)

wimjongman avatar wimjongman commented on July 20, 2024

Ooh! That is great. I was looking at upgrading this the other day and also noticed that the API was changed. Thanks for taking this on.


SteveSchafer-Innovent avatar SteveSchafer-Innovent commented on July 20, 2024

I was able to get this to work for my client in 4.8 but I didn't use Maven. I just let eclipse auto-build the classes and copied them into the birt runtime jar and it worked, but in 4.9 I need to use Maven.

I have zero experience with using maven for building things that require eclipse plugins. I can see that the 3.9 poi jars are getting put into a variety of lib and plugins folders, all of which are inside target folders, so maven is putting them there but I don't know how it knows to do that. I need to switch 3.9 to 4.1.1 and add 3 other plugins from orbit. I've found a couple of files by searching for /poi.*3.9/ but modifying them hasn't done anything except cause errors. Maybe it's using a target platform but I can't figure out how.

Can anyone give me any guidance?


wimjongman avatar wimjongman commented on July 20, 2024

You can just update the .target file. It is located in the org.eclipse.build.target bundle in the build folder.

https://github.com/eclipse/birt/tree/master/build/org.eclipse.birt.target

Let me know if you need help.


SteveSchafer-Innovent avatar SteveSchafer-Innovent commented on July 20, 2024

I see a file named org.eclipse.birt.target.target and it contains these lines:

		<unit id="org.apache.poi" version="0.0.0"/>
		<unit id="org.apache.poi.ooxml" version="0.0.0"/>
		<unit id="org.apache.poi.ooxml.schemas" version="0.0.0"/>

How does it know those are currently 3.9 and how can I change to 4.1.1?

Update: I see the <repository> tag and it's pointing to an orbit repo that only has poi 3.9. The latest repo has both 3.9 and 4.1.1. I'll experiment with it.


SteveSchafer-Innovent avatar SteveSchafer-Innovent commented on July 20, 2024

This was the error I was getting:

[INFO] Scanning for projects...
[ERROR] Internal error: java.lang.IllegalArgumentException: invalid range "[4.1.1": invalid format: NoSuchElementException -> [Help 1]
org.apache.maven.InternalErrorException: Internal error: java.lang.IllegalArgumentException: invalid range "[4.1.1": invalid format

but it turns out I accidentally deleted the leading quote, so it was a syntax error.

Following is what I changed, in case anyone has any comments. Some of these might be unnecessary.

build/org.eclipse.birt.target/org.eclipse.birt.target.target:
Added a new location pointing to the latest orbit repo, with version specified instead of 0.0.0. Removed the 3 poi units from the original location. Added new units for org.apache.commons.collections4 4.4.1, org.apache.commons.compress 1.19.0, org.apache.xmlbeans 3.1.0, and removed org.apache.xmlbeans from the old location.

	<location includeAllPlatforms="false" includeConfigurePhase="true" includeMode="planner" includeSource="true" type="InstallableUnit">
		<repository location="https://download.eclipse.org/tools/orbit/downloads/drops/I20210306035740/repository/"/>
		<unit id="org.apache.poi" version="4.1.1.v20200604-1524"/>
		<unit id="org.apache.poi.ooxml" version="4.1.1.v20200820-1148"/>
		<unit id="org.apache.poi.ooxml.schemas" version="4.1.1.v20200922-2105"/>
		<unit id="org.apache.commons.collections4" version="4.4.0.v20200420-1700"/>
		<unit id="org.apache.commons.compress" version="1.19.0.v20200106-2343"/>
		<unit id="org.apache.xmlbeans" version="3.1.0.v20200922-1359"/>
	</location>

build/org.eclipse.birt.build/externalRepo.properties:
The comment says "If the bundle under ReportEngine/lib has changed version in this release, it should be removed from this property file, otherwise, it should be added into this file" so I removed the three poi lines.

releng/maps/orbit_bundles.map:
Changed the poi plugin to 4.1.1 and pasted the URL from orbit. Added new lines for poi.ooxml and poi.ooxml.schemas. Also added org.apache.commons.collections4 4.4.0, org.apache.commons.compress 1.19.0, and org.apache.xmlbeans 3.1.0 which are now needed by poi 4.1.1.

4 MANIFEST.MF files:
Changed "[3.9.0,4.0.0)" to "[4.1.1,5.0.0)" for all poi required bundles.

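An added example, not part of the thread or of BIRT's build: a small Python check for the three things that came up above when moving the POI bundles, namely units left at the floating version 0.0.0, a truncated range such as "[4.1.1", and a MANIFEST.MF range that no longer admits the pinned unit. The sample target and Require-Bundle data are constructed from the snippets quoted in the thread, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample inputs modelled on the snippets quoted in the thread.
TARGET_XML = """<target><locations><location type="InstallableUnit">
  <unit id="org.apache.poi" version="4.1.1.v20200604-1524"/>
  <unit id="org.apache.poi.ooxml" version="4.1.1.v20200820-1148"/>
  <unit id="org.apache.poi.ooxml.schemas" version="0.0.0"/>
</location></locations></target>"""
REQUIRE_BUNDLE = {  # bundle id -> bundle-version range, as in a MANIFEST.MF
    "org.apache.poi": "[4.1.1,5.0.0)",
    "org.apache.poi.ooxml": "[3.9.0,4.0.0)",    # manifest not yet updated
    "org.apache.poi.ooxml.schemas": "[4.1.1",   # truncated range
}
RANGE_RE = re.compile(r"^([\[(])([^,]+),([^,]+)([\])])$")

def parse_version(text):
    """OSGi version major[.minor[.micro[.qualifier]]] -> comparable tuple."""
    parts = text.strip().split(".", 3)
    nums = [int(p) for p in parts[:3]] + [0] * (3 - len(parts[:3]))
    return (*nums, parts[3] if len(parts) == 4 else "")

def in_range(version, rng):
    """True if version satisfies the range; ValueError if it is malformed."""
    m = RANGE_RE.match(rng.strip())
    if not m:
        raise ValueError(f"invalid range {rng!r}")
    v, lo, hi = (parse_version(s) for s in (version, m.group(2), m.group(3)))
    above = v >= lo if m.group(1) == "[" else v > lo
    below = v <= hi if m.group(4) == "]" else v < hi
    return above and below

def audit(target_xml, require_bundle):
    """Yield (unit id, finding) pairs: floating, malformed or mismatch."""
    for unit in ET.fromstring(target_xml).iter("unit"):
        uid, ver = unit.get("id"), unit.get("version")
        if ver == "0.0.0":  # not pinned: resolved to what the repository offers
            yield (uid, "floating")
        if uid not in require_bundle:
            continue
        try:
            ok = in_range(ver, require_bundle[uid])
        except ValueError:
            yield (uid, "malformed")
            continue
        if ver != "0.0.0" and not ok:
            yield (uid, "mismatch")

if __name__ == "__main__":
    print(*audit(TARGET_XML, REQUIRE_BUNDLE), sep="\n")
```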

wimjongman avatar wimjongman commented on July 20, 2024

Ok, that looks fine. Please create a PR to see if it builds correctly.


SteveSchafer-Innovent avatar SteveSchafer-Innovent commented on July 20, 2024

PR successful, so closing

