-
Notifications
You must be signed in to change notification settings - Fork 124
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Patch release v2.2.3 for recent security fixes #617
Comments
Could be done. We can just create a new branch from the last tag and port ONLY the required fixes there. Netty + CI stuff probably. Can you confirm the only requirement is netty please? But keep in mind netty is used for the preview features of the plugin to publish the converted docs in a local server. Nothing to do with the actual conversion process. I can imagine some CVE scanner flagging the plugin, but in a normal CI pipeline netty is not used at all.
I understand it's important to keep the build clean of security alerts, but I don't see how the plugin version affects the release. Users don't see the plugins used during the build, especially for docs right? |
Ok, i will have a look at the migration guide. On the other hand, I had some things in mind that should go into the next major release and I don't want to wait for 4.0.0... ;-) For the Patch Release, this would be very nice: You are right, in most cases the document generation is an internal thing, but in MicroProfile it's differnt. There we have the MicroProfile Parent project, which defines the default build config to be used in MicroProfile component specs. So, there it is the parent dependency to them and versioning should follow the Semantic Versioning conventions. I can create a wish list for the patch release, as the version overwrites sometimes can confuse people - so if we have a chance to get current defaults, usage would be simpler. Yes, the security scanners might be the most significant reason for patching this, in the current MP Parent there are more open issues, that could not make it into the last release (3.0) in time - but the MP 6.0 umbrella spec covers them already (except the last two). |
Just create the issues, no one is in a hurry for v3, and we could add more stuff. |
I reviewed the commits and we'd need to port the following changes. Nothing risky or too complicated.
Other TODOs
|
Made a test branch with quick-dirty changes and everything is fine https://github.com/asciidoctor/asciidoctor-maven-plugin/tree/v2.2.3-fix-release. |
Thanks a lot so far! Adding to your list, I would suggest the following versions:
I am a little bit unsure regarding the following changes, that might require further research:
BTW:
|
Thanks for the feedback!
Check! ✅ The branch uses netty That's not going in, and it should not be an issue. The minimal version will still be 3.0.5 as the other 2.x versions, but it's a formality, in practice, it doesn't change anything thanks to how super-stable Maven APIs are. No one ever reported the plugin not working on v3.x maven cli. These are minor (in semantic versioning sense) bumps to keep main and 2.2.3-fix branch aligned. If you are not using the maven-site integration, and even in that scenario, versions should be compatible. They only do major changes in major versions. TLDR; I understand we are all set, I will see to leave the branch clean tomorrow and Saturday I can release. What scanner are you using? I am familiar with trivy and grype and I can do a run myself. |
That's perfect!
I am fine with this - even when the Enforcer Plugin prevents execution with lower Maven versions, the attack can be successful before - this only would force somebody to update and breakes things.
I am not scannin b myself at the moment - I use the results shown on https//mvnrepository.com, but I plan to set up a GitLab instance and start with the default set of scanners and used Clair in the past. Thanks a lot, I will be in the JavaLand next week, but may be can do some patches in between, when a patch release is available. If it takes some additional days, it's not a problem too. |
Release "done", files should be available soon, Interesting the new report Sonatype sends you in an email The High vulnerabilities are because the plugin still uses Maven 3.0.x dependencies, but in a real scenario uses, whatever Maven is in the machine or Maven wrapper in the consuming project. |
It's available already 🎉 https://central.sonatype.com/artifact/org.asciidoctor/asciidoctor-maven-plugin/2.2.3 I am closing this issue as completed, but please do let us know if there's anything else. |
Thank you for taking your time to talk with us!
What is this issue about?
Description
Is it possible to cut a patch release (like v2.2.3), that contains the already merged recent security fixes from dependencies?
Especially the following should be covered:
Other patch level updates (and optionally feature enhancements, but no breaking changes) might be included too.
It looks like the plugin is heading for a major release, but we are using it for the generation of specification documents in Jakarta EE and MicroProfile a lot and need to fix it with patch level releases there - so a new major version will break Semantic Versioning then, especially when there are break changes included, that affect us.
Details can be found in these vulnerability reports:
Meanwhile, I created a workaround PR for the asciidoc-asciidoctor-maven-examples:
I can refactor that back, when a patched plugin version is released.
Environment information
The text was updated successfully, but these errors were encountered: