I had a look at 'ps -ef|grep java' after starting Nikita with 'make run', and see the following 161 entries given as the argument to -cp to start Nikita:
~/.m2/repository/ch/qos/logback/logback-classic/1.4.14/logback-classic-1.4.14.jar ~/.m2/repository/ch/qos/logback/logback-core/1.4.14/logback-core-1.4.14.jar ~/.m2/repository/com/beust/jcommander/1.82/jcommander-1.82.jar ~/.m2/repository/com/fasterxml/classmate/1.6.0/classmate-1.6.0.jar ~/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.15.4/jackson-annotations-2.15.4.jar ~/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.15.4/jackson-core-2.15.4.jar ~/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.15.4/jackson-databind-2.15.4.jar ~/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-yaml/2.15.4/jackson-dataformat-yaml-2.15.4.jar ~/.m2/repository/com/fasterxml/jackson/datatype/jackson-datatype-jdk8/2.15.4/jackson-datatype-jdk8-2.15.4.jar ~/.m2/repository/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/2.15.4/jackson-datatype-jsr310-2.15.4.jar ~/.m2/repository/com/fasterxml/jackson/module/jackson-module-parameter-names/2.15.4/jackson-module-parameter-names-2.15.4.jar ~/.m2/repository/com/github/ben-manes/caffeine/caffeine/3.1.8/caffeine-3.1.8.jar ~/.m2/repository/com/github/jnr/jffi/1.3.9/jffi-1.3.9-native.jar ~/.m2/repository/com/github/jnr/jffi/1.3.9/jffi-1.3.9.jar ~/.m2/repository/com/github/jnr/jnr-a64asm/1.0.0/jnr-a64asm-1.0.0.jar ~/.m2/repository/com/github/jnr/jnr-constants/0.10.3/jnr-constants-0.10.3.jar ~/.m2/repository/com/github/jnr/jnr-enxio/0.32.13/jnr-enxio-0.32.13.jar ~/.m2/repository/com/github/jnr/jnr-ffi/2.2.11/jnr-ffi-2.2.11.jar ~/.m2/repository/com/github/jnr/jnr-netdb/1.2.0/jnr-netdb-1.2.0.jar ~/.m2/repository/com/github/jnr/jnr-posix/3.1.15/jnr-posix-3.1.15.jar ~/.m2/repository/com/github/jnr/jnr-unixsocket/0.38.17/jnr-unixsocket-0.38.17.jar ~/.m2/repository/com/github/jnr/jnr-x86asm/1.0.2/jnr-x86asm-1.0.2.jar ~/.m2/repository/com/github/stephenc/jcip/jcip-annotations/1.0-1/jcip-annotations-1.0-1.jar ~/.m2/repository/com/github/waffle/waffle-jna/3.3.0/waffle-jna-3.3.0.jar 
~/.m2/repository/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar ~/.m2/repository/com/google/code/gson/gson/2.10.1/gson-2.10.1.jar ~/.m2/repository/com/google/errorprone/error_prone_annotations/2.21.1/error_prone_annotations-2.21.1.jar ~/.m2/repository/com/h2database/h2/2.2.224/h2-2.2.224.jar ~/.m2/repository/com/headius/backport9/1.12/backport9-1.12.jar ~/.m2/repository/com/headius/invokebinder/1.12/invokebinder-1.12.jar ~/.m2/repository/com/headius/options/1.6/options-1.6.jar ~/.m2/repository/com/jcraft/jzlib/1.1.3/jzlib-1.1.3.jar ~/.m2/repository/com/nimbusds/content-type/2.2/content-type-2.2.jar ~/.m2/repository/com/nimbusds/lang-tag/1.7/lang-tag-1.7.jar ~/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.24.4/nimbus-jose-jwt-9.24.4.jar ~/.m2/repository/com/nimbusds/oauth2-oidc-sdk/9.43.3/oauth2-oidc-sdk-9.43.3.jar ~/.m2/repository/com/rabbitmq/amqp-client/5.19.0/amqp-client-5.19.0.jar ~/.m2/repository/com/sun/istack/istack-commons-runtime/4.1.2/istack-commons-runtime-4.1.2.jar ~/.m2/repository/com/zaxxer/HikariCP/5.0.1/HikariCP-5.0.1.jar ~/.m2/repository/com/zaxxer/SparseBitSet/1.2/SparseBitSet-1.2.jar ~/.m2/repository/commons-codec/commons-codec/1.16.1/commons-codec-1.16.1.jar ~/.m2/repository/commons-io/commons-io/2.11.0/commons-io-2.11.0.jar ~/.m2/repository/io/github/classgraph/classgraph/4.8.149/classgraph-4.8.149.jar ~/.m2/repository/io/micrometer/micrometer-commons/1.12.5/micrometer-commons-1.12.5.jar ~/.m2/repository/io/micrometer/micrometer-core/1.12.5/micrometer-core-1.12.5.jar ~/.m2/repository/io/micrometer/micrometer-jakarta9/1.12.5/micrometer-jakarta9-1.12.5.jar ~/.m2/repository/io/micrometer/micrometer-observation/1.12.5/micrometer-observation-1.12.5.jar ~/.m2/repository/io/projectreactor/reactor-core/3.6.5/reactor-core-3.6.5.jar ~/.m2/repository/io/smallrye/jandex/3.1.2/jandex-3.1.2.jar ~/.m2/repository/io/swagger/core/v3/swagger-annotations/2.2.8/swagger-annotations-2.2.8.jar 
~/.m2/repository/io/swagger/core/v3/swagger-core/2.2.8/swagger-core-2.2.8.jar ~/.m2/repository/io/swagger/core/v3/swagger-models/2.2.8/swagger-models-2.2.8.jar ~/.m2/repository/jakarta/activation/jakarta.activation-api/2.1.3/jakarta.activation-api-2.1.3.jar ~/.m2/repository/jakarta/annotation/jakarta.annotation-api/2.1.1/jakarta.annotation-api-2.1.1.jar ~/.m2/repository/jakarta/inject/jakarta.inject-api/2.0.1/jakarta.inject-api-2.0.1.jar ~/.m2/repository/jakarta/mail/jakarta.mail-api/2.1.2/jakarta.mail-api-2.1.2.jar ~/.m2/repository/jakarta/persistence/jakarta.persistence-api/3.1.0/jakarta.persistence-api-3.1.0.jar ~/.m2/repository/jakarta/transaction/jakarta.transaction-api/2.0.1/jakarta.transaction-api-2.0.1.jar ~/.m2/repository/jakarta/validation/jakarta.validation-api/3.0.2/jakarta.validation-api-3.0.2.jar ~/.m2/repository/jakarta/xml/bind/jakarta.xml.bind-api/4.0.2/jakarta.xml.bind-api-4.0.2.jar ~/.m2/repository/joda-time/joda-time/2.12.5/joda-time-2.12.5.jar ~/.m2/repository/me/qmx/jitescript/jitescript/0.4.1/jitescript-0.4.1.jar ~/.m2/repository/net/bytebuddy/byte-buddy/1.14.13/byte-buddy-1.14.13.jar ~/.m2/repository/net/java/dev/jna/jna-platform/5.13.0/jna-platform-5.13.0.jar ~/.m2/repository/net/java/dev/jna/jna/5.13.0/jna-5.13.0.jar ~/.m2/repository/net/minidev/accessors-smart/2.5.1/accessors-smart-2.5.1.jar ~/.m2/repository/net/minidev/json-smart/2.5.1/json-smart-2.5.1.jar ~/.m2/repository/org/antlr/antlr4-runtime/4.13.0/antlr4-runtime-4.13.0.jar ~/.m2/repository/org/apache/commons/commons-collections4/4.4/commons-collections4-4.4.jar ~/.m2/repository/org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar ~/.m2/repository/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar ~/.m2/repository/org/apache/httpcomponents/httpasyncclient/4.1.5/httpasyncclient-4.1.5.jar ~/.m2/repository/org/apache/httpcomponents/httpclient/4.5.13/httpclient-4.5.13.jar ~/.m2/repository/org/apache/httpcomponents/httpcore-nio/4.4.16/httpcore-nio-4.4.16.jar 
~/.m2/repository/org/apache/httpcomponents/httpcore/4.4.16/httpcore-4.4.16.jar ~/.m2/repository/org/apache/logging/log4j/log4j-api/2.21.1/log4j-api-2.21.1.jar ~/.m2/repository/org/apache/logging/log4j/log4j-to-slf4j/2.21.1/log4j-to-slf4j-2.21.1.jar ~/.m2/repository/org/apache/poi/poi/5.2.3/poi-5.2.3.jar ~/.m2/repository/org/apache/tika/tika-core/2.8.0/tika-core-2.8.0.jar ~/.m2/repository/org/apache/tika/tika-parsers/2.8.0/tika-parsers-2.8.0.pom ~/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.20/tomcat-embed-core-10.1.20.jar ~/.m2/repository/org/apache/tomcat/embed/tomcat-embed-el/10.1.20/tomcat-embed-el-10.1.20.jar ~/.m2/repository/org/apache/tomcat/embed/tomcat-embed-websocket/10.1.20/tomcat-embed-websocket-10.1.20.jar ~/.m2/repository/org/asciidoctor/asciidoctorj-api/2.5.7/asciidoctorj-api-2.5.7.jar ~/.m2/repository/org/asciidoctor/asciidoctorj/2.5.7/asciidoctorj-2.5.7.jar ~/.m2/repository/org/aspectj/aspectjweaver/1.9.22/aspectjweaver-1.9.22.jar ~/.m2/repository/org/checkerframework/checker-qual/3.31.0/checker-qual-3.31.0.jar ~/.m2/repository/org/eclipse/angus/angus-activation/2.0.2/angus-activation-2.0.2.jar ~/.m2/repository/org/elasticsearch/client/elasticsearch-rest-client-sniffer/8.10.4/elasticsearch-rest-client-sniffer-8.10.4.jar ~/.m2/repository/org/elasticsearch/client/elasticsearch-rest-client/8.10.4/elasticsearch-rest-client-8.10.4.jar ~/.m2/repository/org/glassfish/jaxb/jaxb-core/4.0.5/jaxb-core-4.0.5.jar ~/.m2/repository/org/glassfish/jaxb/jaxb-runtime/4.0.5/jaxb-runtime-4.0.5.jar ~/.m2/repository/org/glassfish/jaxb/txw2/4.0.5/txw2-4.0.5.jar ~/.m2/repository/org/hdrhistogram/HdrHistogram/2.1.12/HdrHistogram-2.1.12.jar ~/.m2/repository/org/hibernate/common/hibernate-commons-annotations/6.0.6.Final/hibernate-commons-annotations-6.0.6.Final.jar ~/.m2/repository/org/hibernate/orm/hibernate-core/6.4.4.Final/hibernate-core-6.4.4.Final.jar 
~/.m2/repository/org/hibernate/search/hibernate-search-backend-elasticsearch/6.2.0.Final/hibernate-search-backend-elasticsearch-6.2.0.Final.jar ~/.m2/repository/org/hibernate/search/hibernate-search-engine/6.2.0.Final/hibernate-search-engine-6.2.0.Final.jar ~/.m2/repository/org/hibernate/search/hibernate-search-util-common/6.2.0.Final/hibernate-search-util-common-6.2.0.Final.jar ~/.m2/repository/org/hibernate/validator/hibernate-validator/8.0.1.Final/hibernate-validator-8.0.1.Final.jar ~/.m2/repository/org/javassist/javassist/3.28.0-GA/javassist-3.28.0-GA.jar ~/.m2/repository/org/jboss/jandex/2.4.2.Final/jandex-2.4.2.Final.jar ~/.m2/repository/org/jboss/logging/jboss-logging/3.5.3.Final/jboss-logging-3.5.3.Final.jar ~/.m2/repository/org/jruby/dirgra/0.3/dirgra-0.3.jar ~/.m2/repository/org/jruby/jcodings/jcodings/1.0.57/jcodings-1.0.57.jar ~/.m2/repository/org/jruby/joni/joni/2.1.43/joni-2.1.43.jar ~/.m2/repository/org/jruby/jruby-base/9.3.8.0/jruby-base-9.3.8.0.jar ~/.m2/repository/org/jruby/jruby-stdlib/9.3.8.0/jruby-stdlib-9.3.8.0.jar ~/.m2/repository/org/jruby/jruby/9.3.8.0/jruby-9.3.8.0.jar ~/.m2/repository/org/json/json/20231013/json-20231013.jar ~/.m2/repository/org/latencyutils/LatencyUtils/2.0.3/LatencyUtils-2.0.3.jar ~/.m2/repository/org/mariadb/jdbc/mariadb-java-client/3.3.3/mariadb-java-client-3.3.3.jar ~/.m2/repository/org/ow2/asm/asm-analysis/9.2/asm-analysis-9.2.jar ~/.m2/repository/org/ow2/asm/asm-commons/9.2/asm-commons-9.2.jar ~/.m2/repository/org/ow2/asm/asm-tree/9.2/asm-tree-9.2.jar ~/.m2/repository/org/ow2/asm/asm-util/9.2/asm-util-9.2.jar ~/.m2/repository/org/ow2/asm/asm/9.6/asm-9.6.jar ~/.m2/repository/org/postgresql/postgresql/42.6.2/postgresql-42.6.2.jar ~/.m2/repository/org/reactivestreams/reactive-streams/1.0.4/reactive-streams-1.0.4.jar ~/.m2/repository/org/reflections/reflections/0.10.2/reflections-0.10.2.jar ~/.m2/repository/org/slf4j/jcl-over-slf4j/2.0.13/jcl-over-slf4j-2.0.13.jar 
~/.m2/repository/org/slf4j/jul-to-slf4j/2.0.13/jul-to-slf4j-2.0.13.jar ~/.m2/repository/org/slf4j/slf4j-api/2.0.13/slf4j-api-2.0.13.jar ~/.m2/repository/org/springdoc/springdoc-openapi-common/1.6.15/springdoc-openapi-common-1.6.15.jar ~/.m2/repository/org/springdoc/springdoc-openapi-ui/1.6.15/springdoc-openapi-ui-1.6.15.jar ~/.m2/repository/org/springdoc/springdoc-openapi-webmvc-core/1.6.15/springdoc-openapi-webmvc-core-1.6.15.jar ~/.m2/repository/org/springframework/amqp/spring-amqp/3.1.4/spring-amqp-3.1.4.jar ~/.m2/repository/org/springframework/amqp/spring-rabbit/3.1.4/spring-rabbit-3.1.4.jar ~/.m2/repository/org/springframework/boot/spring-boot-actuator-autoconfigure/3.2.5/spring-boot-actuator-autoconfigure-3.2.5.jar ~/.m2/repository/org/springframework/boot/spring-boot-actuator/3.2.5/spring-boot-actuator-3.2.5.jar ~/.m2/repository/org/springframework/boot/spring-boot-autoconfigure/3.2.5/spring-boot-autoconfigure-3.2.5.jar ~/.m2/repository/org/springframework/boot/spring-boot/3.2.5/spring-boot-3.2.5.jar ~/.m2/repository/org/springframework/data/spring-data-commons/3.2.5/spring-data-commons-3.2.5.jar ~/.m2/repository/org/springframework/data/spring-data-jpa/3.2.5/spring-data-jpa-3.2.5.jar ~/.m2/repository/org/springframework/integration/spring-integration-core/6.2.4/spring-integration-core-6.2.4.jar ~/.m2/repository/org/springframework/restdocs/spring-restdocs-asciidoctor/3.0.1/spring-restdocs-asciidoctor-3.0.1.jar ~/.m2/repository/org/springframework/retry/spring-retry/2.0.5/spring-retry-2.0.5.jar ~/.m2/repository/org/springframework/security/spring-security-config/6.2.4/spring-security-config-6.2.4.jar ~/.m2/repository/org/springframework/security/spring-security-core/6.2.4/spring-security-core-6.2.4.jar ~/.m2/repository/org/springframework/security/spring-security-crypto/6.2.4/spring-security-crypto-6.2.4.jar ~/.m2/repository/org/springframework/security/spring-security-oauth2-client/6.2.4/spring-security-oauth2-client-6.2.4.jar 
~/.m2/repository/org/springframework/security/spring-security-oauth2-core/6.2.4/spring-security-oauth2-core-6.2.4.jar ~/.m2/repository/org/springframework/security/spring-security-oauth2-jose/6.2.4/spring-security-oauth2-jose-6.2.4.jar ~/.m2/repository/org/springframework/security/spring-security-oauth2-resource-server/6.2.4/spring-security-oauth2-resource-server-6.2.4.jar ~/.m2/repository/org/springframework/security/spring-security-web/6.2.4/spring-security-web-6.2.4.jar ~/.m2/repository/org/springframework/spring-aop/6.1.6/spring-aop-6.1.6.jar ~/.m2/repository/org/springframework/spring-aspects/6.1.6/spring-aspects-6.1.6.jar ~/.m2/repository/org/springframework/spring-beans/6.1.6/spring-beans-6.1.6.jar ~/.m2/repository/org/springframework/spring-context/6.1.6/spring-context-6.1.6.jar ~/.m2/repository/org/springframework/spring-core/6.1.6/spring-core-6.1.6.jar ~/.m2/repository/org/springframework/spring-expression/6.1.6/spring-expression-6.1.6.jar ~/.m2/repository/org/springframework/spring-jcl/6.1.6/spring-jcl-6.1.6.jar ~/.m2/repository/org/springframework/spring-jdbc/6.1.6/spring-jdbc-6.1.6.jar ~/.m2/repository/org/springframework/spring-messaging/6.1.6/spring-messaging-6.1.6.jar ~/.m2/repository/org/springframework/spring-orm/6.1.6/spring-orm-6.1.6.jar ~/.m2/repository/org/springframework/spring-tx/6.1.6/spring-tx-6.1.6.jar ~/.m2/repository/org/springframework/spring-web/6.1.6/spring-web-6.1.6.jar ~/.m2/repository/org/springframework/spring-webmvc/6.1.6/spring-webmvc-6.1.6.jar ~/.m2/repository/org/webjars/swagger-ui/4.17.1/swagger-ui-4.17.1.jar ~/.m2/repository/org/webjars/webjars-locator-core/0.55/webjars-locator-core-0.55.jar ~/.m2/repository/org/yaml/snakeyaml/2.2/snakeyaml-2.2.jar
Is it known what attack surfaces these libraries open against Nikita as a web service? Are all these 161 dependencies really needed to run Nikita? For example, asciidoctor and jruby look a bit odd to me. Why are both json and jsonsmart needed?
Hi,
Several dependencies have been removed since the log4j affair, so keeping a focus on unnecessary dependencies is something we should continue with. If you have not tried it yet, you can run
mvn dependency:tree
to see the dependency structure as a tree.
> Is it known what attack surfaces these libraries open against Nikita as a web service?
No particular work has been done on this recently, but I had earlier explored the dependency-check-maven plugin in Maven. It may be time to do that again. I quickly found a bit more information about it here:
https://nullbeans.com/2021/02/28/how-to-identify-vulnerable-dependencies-in-...
but it is a while since I looked at it. GitLab also had a vulnerability checker as part of CI. These are things that are definitely worth trying to get more of into CI.
> Are all these 161 dependencies really needed to run Nikita?
If you look at the dependency tree, you will see that many of these are Spring dependencies.
> For example, asciidoctor and jruby look a bit odd to me.
Both of these, the asciidoctor dependency in particular, are in use. If you look in the file:
target/generated-docs/index.html
you will see the beginning of an effort to produce our own documentation, generated at build time. There is room here for a lot of useful documentation for developers. Unfortunately I have not had time to continue working on this, so we may end up taking it out of the project.
> Why are both json and jsonsmart needed?
[INFO] +- org.json:json:jar:20231013:compile
points to it being a standalone dependency. This is something that I think should have been handled by Spring.
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:3.2.5:test
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:3.2.5:test
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:3.2.5:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.9.0:test
[INFO] |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:4.0.2:compile
[INFO] |  +- net.minidev:json-smart:jar:2.5.1:compile
If you look at the dependency tree, it is really everything that does not hang off a Spring dependency that we can/should question.
Spending some time on dependencies in Spring projects is always a good idea and something we should spend a bit of time on here.
Thomas
________________________________
From: Petter Reinholdtsen pere@hungry.com
Sent: Monday 16 December 2024 16:42
To: nikita-noark@nuug.no nikita-noark@nuug.no
Subject: Attack surface against Nikita - startup dependencies
--
Kind regards
Petter Reinholdtsen
_______________________________________________
nikita-noark mailing list -- nikita-noark@nuug.no
To unsubscribe send an email to nikita-noark-leave@nuug.no
[Thomas John Sødring]
> mvn dependency:tree
> to see the dependency structure as a tree.
Ah, thanks. That was useful.
> Why are both json and jsonsmart needed?
> [INFO] +- org.json:json:jar:20231013:compile
Strangely enough, I cannot work out why jsonsmart is pulled in:
% mvn dependency:tree | grep -i json
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:3.2.5:compile
[INFO] +- org.json:json:jar:20231013:compile
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.9.0:test
[INFO] |  +- net.minidev:json-smart:jar:2.5.1:compile
[INFO] |  +- org.skyscreamer:jsonassert:jar:1.5.1:test
[INFO] |  |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
> Spending some time on dependencies in Spring projects is always a good idea and something we should spend a bit of time on here.
Good.
I was thinking of rewriting to use only one JSON dependency, but could not find out why both were listed on the classpath, so I am dropping that for now.
I see that Spring is available as Debian packages, so it is only the remaining dependencies that are missing before we could base ourselves on Debian packages in Debian.
Hi Petter and Thomas! It looks like you both have a good understanding of how dependencies work in Maven, but here is a closer look at why both json and json-smart may be pulled in, and what we can do about it.
Why both json and json-smart?
1. Direct dependency: org.json:json is listed as a direct dependency in your project. This means that you (or Thomas as the project maintainer) have explicitly added it to pom.xml.
2. Transitive dependency pull: json-smart (from net.minidev) appears to come in through a transitive dependency. From mvn dependency:tree it looks like:
* spring-boot-starter-json may pull it in.
* com.jayway.jsonpath:json-path may also be a possible source of json-smart.
3. Overlap: The two libraries (json and json-smart) have overlapping functionality but different implementations. Spring Framework often uses different JSON libraries for specific purposes, such as JSON serialisation, JSONPath evaluation or JSON data manipulation.
How to find out which dependency pulls in json-smart?
1. Use Maven's tooling to inspect transitive dependencies:
mvn dependency:tree -Dverbose -Dincludes=net.minidev:json-smart
This will show exactly who pulls in json-smart.
2. If you want to examine the whole tree, try:
mvn dependency:tree -Dverbose
3. Filter for specific dependencies to understand where json-smart is used:
mvn dependency:tree | grep json-smart
A solution for eliminating one JSON dependency
If you want to remove one of them (e.g. json-smart), you can use a dependency exclusion in pom.xml. Example: if json-smart is pulled in by com.jayway.jsonpath:json-path, you can exclude it like this:
<dependency>
    <groupId>com.jayway.jsonpath</groupId>
    <artifactId>json-path</artifactId>
    <version>2.9.0</version>
    <exclusions>
        <exclusion>
            <groupId>net.minidev</groupId>
            <artifactId>json-smart</artifactId>
        </exclusion>
    </exclusions>
</dependency>
Debian packages and Spring
When you mention Debian packages, it is worth noting:
* The Spring packages in Debian are usually older versions. If you use a newer Spring Boot, it can become challenging to maintain an up-to-date environment based on Debian packages alone.
* The dependencies in Maven (e.g. json-smart and json) are often more up to date and integrated with the Spring Boot ecosystem.
Conclusion
* Debug first: Use mvn dependency:tree -Dverbose to find out who pulls in json-smart.
* Exclude if necessary: If json-smart is not needed, exclude it explicitly.
* Evaluate the need: Spring Boot is optimised to use several JSON libraries for specific purposes. If the functionality does not overlap in practice, it may be fine to keep both.
Good luck, and happy hacking! 😊
Best regards, Ole
On Tuesday 17 December 2024 15:17:42 +01:00, Petter Reinholdtsen pere@hungry.com wrote:
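The triage Thomas describes (question everything that does not hang off a Spring dependency) and the question Petter and Ole chase (what pulls in json-smart) can both be answered from the plain text that mvn dependency:tree prints. Below is an added Python example; it is not code from the Nikita project or from anyone in the thread. It parses the tree format, applies Thomas's rule to the compile/runtime-scope artifacts, flags compile-scope artifacts that the tree prints under a test-scope direct dependency (the json-smart situation in Thomas's listing), and prints the chain of dependencies leading to a given artifact. The embedded tree is constructed from coordinates named in the thread plus a made-up project root (no.example:nikita-demo) and a spring-boot-starter-web entry the thread does not show; it is not the real Nikita tree.

```python
"""Triage a `mvn dependency:tree` listing the way the thread suggests.

Added example, not code from the Nikita project. Two checks are encoded:
  * Thomas's rule: anything on the runtime classpath that does not hang
    off a Spring direct dependency is a candidate for questioning.
  * A compile-scope artifact printed under a test-scope direct dependency
    (json-smart in the thread) is on the runtime classpath for a reason the
    plain tree does not show, so it deserves a -Dverbose look.
SAMPLE_TREE is CONSTRUCTED from coordinates in the thread plus a made-up
project root; it is not the real Nikita dependency tree.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_TREE = r"""
[INFO] no.example:nikita-demo:jar:0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.2.5:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:3.2.5:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.15.4:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:6.1.6:compile
[INFO] +- org.json:json:jar:20231013:compile
[INFO] +- org.asciidoctor:asciidoctorj:jar:2.5.7:compile
[INFO] |  \- org.jruby:jruby:jar:9.3.8.0:compile
[INFO] \- org.springframework.boot:spring-boot-starter-test:jar:3.2.5:test
[INFO]    +- com.jayway.jsonpath:json-path:jar:2.9.0:test
[INFO]    \- net.minidev:json-smart:jar:2.5.1:compile
"""

# A tree line: optional "[INFO] " prefix, depth markers in 3-character groups
# ("|  " or "   "), a branch marker ("+- " or "\- "), then the coordinates.
# The optional "(" lets -Dverbose lines ("(... - omitted for duplicate)") parse.
LINE_RE = re.compile(r"^(?:\[INFO\] )?((?:\|  |   )*)[+\\]- \(?([^\s)]+)")


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int
    parent: Node | None = None
    children: list[Node] = field(default_factory=list)

    @property
    def key(self) -> str:
        return f"{self.group}:{self.artifact}"

    def root(self) -> Node:
        """The direct (depth-1) dependency this node hangs off."""
        node = self
        while node.parent is not None:
            node = node.parent
        return node


def parse_tree(text: str) -> list[Node]:
    """Return every dependency node in print order; the project line is skipped."""
    nodes: list[Node] = []
    stack: list[Node] = []  # ancestors of the node currently being parsed
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # project root line, blank line or unrelated Maven output
        depth = len(m.group(1)) // 3 + 1
        # group:artifact:type[:classifier]:version:scope -> last two are version, scope
        parts = m.group(2).split(":")
        node = Node(parts[0], parts[1], parts[-2], parts[-1], depth)
        del stack[depth - 1:]  # drop everything deeper than this node's parent
        if stack:
            node.parent = stack[-1]
            stack[-1].children.append(node)
        stack.append(node)
        nodes.append(node)
    return nodes


def runtime_candidates(nodes: list[Node],
                       trusted_prefix: str = "org.springframework") -> list[tuple[str, str]]:
    """Thomas's rule: compile/runtime artifacts whose direct dependency is not Spring.

    Returns (artifact, direct dependency it hangs off) pairs in tree order."""
    return [(n.key, n.root().key) for n in nodes
            if n.scope in ("compile", "runtime")
            and not n.root().group.startswith(trusted_prefix)]


def scope_mismatches(nodes: list[Node]) -> list[tuple[str, str]]:
    """Compile-scope artifacts printed under a test-scope direct dependency."""
    return [(n.key, n.root().key) for n in nodes
            if n.scope == "compile" and n.root().scope == "test"]


def paths_to(nodes: list[Node], key: str) -> list[str]:
    """Chains 'direct > ... > key', the question -Dincludes=<key> answers."""
    paths = []
    for n in nodes:
        if n.key != key:
            continue
        chain, cur = [], n
        while cur is not None:
            chain.append(cur.key)
            cur = cur.parent
        paths.append(" > ".join(reversed(chain)))
    return paths


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    print("Runtime artifacts not justified by a Spring direct dependency:")
    for key, root in runtime_candidates(tree):
        print(f"  {key:40} <- {root}")
    print("Compile-scope artifacts hanging off a test-scope direct dependency:")
    for key, root in scope_mismatches(tree):
        print(f"  {key:40} <- {root}")
    print("Paths to net.minidev:json-smart:", *paths_to(tree, "net.minidev:json-smart"))
```

To run it against the real project, save the output of mvn dependency:tree to a file and pass its contents to parse_tree. The scope-mismatch list is the place to start with -Dverbose -Dincludes=group:artifact, since the plain tree prints each resolved artifact only once, so its placement under the test starter does not by itself say which path keeps it on the runtime classpath. On the constructed tree the two rules together single out org.json:json, asciidoctorj with its jruby dependency, and json-smart, which is the same set the thread arrived at by hand.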