Upgrade to latest Guava (v30) and Solr (v8) to resolve security alerts #3020
Conversation
Strangely, in this (draft) PR, the ITs are failing because of this error: #2989 (at least that's the error logged in the test logs over and over again for each failing test). The changes in this PR are entirely unrelated to that issue, but perhaps that error was somehow being "swallowed" prior to the changes in this PR. Either that, or maybe a different underlying error is being hidden/swallowed while only the ClassCastException is shown. In any case, this PR might be dependent on first finding a fix for #2989. This PR works in manual testing. Server webapp works. OAI-PMH works, and
This PR is now ready for review/testing. I've scheduled it for Beta 5 in order to ensure it can be added prior to Testathon & 7.0 final.
@mwoodiupui: Would you be interested in giving this a review and/or test? I'd appreciate your feedback here since you did the last Solr upgrade. In addition, your feedback would be useful in the follow-up PR #3126 (where I've attempted to clean up/remove old Solr configs that seem unused/unnecessary).
+1 by inspection. This all looks reasonable to me. (I did not give much attention to the Docker portions since I have so little contact with Docker.)
Hi @tdonohue, thanks for this important work. Everything looks good to me, so I'm +1 with merging it.
I would suggest updating to version 8.8.1, which is the latest stable release; it seems perfectly compatible with what we already have (I have tested this PR against a local 8.8.1 installation without noting major issues). The switch to 8.8.1 can be done in the second PR #3126.
…est-support which used old guava version.
…upServiceInitializer as Flyway runs callbacks alphabetically
…ng EmbeddedSolrServer always uses GET instead of POST
…o MockSolrServer for Solr 8 compatibility
… Use Tika directly for parsing instead of ContentStreamUpdateRequest (which results in "URI is too large >8192" errors in Solr v8)
…Exception warnings from Spring Boot during startup
…r v8, and all the examples show to use docker-compose directly with official image.
References
This PR resolves 3 security alerts by upgrading Guava:
This PR also moves us off an EOL version of Solr, resolving https://jira.lyrasis.org/browse/DS-4497
Description
Upgrades the following dependencies:
- `guava` from v19.0 to v30.0-jre. This resolves the security alerts listed above.
- Solr from v7 to v8 (v8.7.0). This was required by the `guava` upgrade, as I was unable to get the latest version of `guava` to work with Solr v7 (because of Java API changes in guava).

Code changes required by Guava upgrade:
- Removed the Lyncode `builder-commons` & `test-support` dependencies (from `dspace-oai` module classes). These old Lyncode dependencies brought in a very old version of guava & were causing a headache in terms of dependency convergence. It was easiest to completely remove them & replace them with updated code that did the same thing.
- `PipelineTest` used `test-support`, and I found replacement code in our existing `QDCXslTest` class which does a similar test without using Lyncode's `test-support`.

Code changes required by Solr upgrade:
- Updated `SolrSearchCore` and `SolrServiceImpl` to use `GET` requests when the `EmbeddedSolrServer` is in use (during integration test execution). This works around a known problem with `POST` requests with `EmbeddedSolrServer`: https://issues.apache.org/jira/browse/SOLR-12858
- Updated `IndexFactoryImpl` to no longer use `ContentStreamUpdateRequest` for indexing full text. Instead, it has been refactored to use Apache Tika directly. Also introduced a new `discovery.solr.fulltext.charLimit` configuration to allow for more control over Tika's default character limit indexing settings. This was necessary because of changes to `ContentStreamUpdateRequest` which are best described in this ticket: https://issues.apache.org/jira/browse/SOLR-12798. In Solr v8, `ContentStreamUpdateRequest` resulted in frequent errors during full text indexing (`o.e.j.h.HttpParser URI is too large >8192`) because the `ContentStreamUpdateRequest` class no longer supports multipart post well & was sending all fields as URL parameters.
- Updated `solrconfig.xml` files to ensure they are aligned with Solr v8.7.0 default settings. (Some whitespace changes occurred here too that were automated by my IDE.)

Additional minor changes:
- Renamed `DatabaseRegistryUpdater` to `RegistryUpdater`. This ensures it comes alphabetically after the `GroupServiceInitializer` and therefore is always run after Groups are created (as Flyway defaults to running Callbacks alphabetically). I stumbled on this problem when starting with a fresh database... as the `RegistryUpdater` depends on the `GroupServiceInitializer`.

Instructions for Reviewers
- Reindex Discovery (`./dspace index-discovery -b`).
(NOTE: I've tested & verified all of the above and found no remaining issues.)
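As an added illustration of the approach behind the `IndexFactoryImpl` change (this is not DSpace's own code): the bitstream is parsed with Tika on the application side, the amount of extracted text is bounded by a character limit in the spirit of `discovery.solr.fulltext.charLimit`, and the result is added as a plain field on the `SolrInputDocument`, so nothing is pushed through `ContentStreamUpdateRequest` or ends up as URL parameters. The class name and the `fulltext` field name are assumptions; the Tika 1.x API is assumed.

```java
import java.io.InputStream;
import org.apache.solr.common.SolrInputDocument;
import org.apache.tika.metadata.Metadata;
import org.apache.tika.parser.AutoDetectParser;
import org.apache.tika.parser.ParseContext;
import org.apache.tika.sax.BodyContentHandler;
import org.apache.tika.sax.WriteOutContentHandler;
import org.xml.sax.SAXException;

/** Illustrative helper (hypothetical class, not part of DSpace). */
public class FullTextExtractor {

    /**
     * Extract body text from a bitstream with Tika, keeping at most charLimit
     * characters (Tika treats -1 as "no limit"). Bounding the output keeps a very
     * large or malicious upload from producing an unbounded in-memory string.
     */
    public static String extractText(InputStream in, int charLimit) throws Exception {
        // WriteOutContentHandler enforces the limit; BodyContentHandler keeps only <body> text.
        WriteOutContentHandler limited = new WriteOutContentHandler(charLimit);
        BodyContentHandler handler = new BodyContentHandler(limited);
        AutoDetectParser parser = new AutoDetectParser();
        try (InputStream stream = in) {
            parser.parse(stream, handler, new Metadata(), new ParseContext());
        } catch (SAXException e) {
            // Tika 1.x reports "limit reached" as a SAXException: keep what was extracted,
            // but rethrow any genuine parse failure.
            if (!limited.isWriteLimitReached(e)) {
                throw e;
            }
        }
        return limited.toString();
    }

    /** Add the extracted text directly to the document being indexed. */
    public static SolrInputDocument addFullText(SolrInputDocument doc, InputStream in,
                                                int charLimit) throws Exception {
        String text = extractText(in, charLimit);
        if (!text.isEmpty()) {
            doc.addField("fulltext", text); // assumed field name
        }
        return doc;
    }
}
```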
Checklist
- If my PR includes new, third-party dependencies (in `pom.xml`), I've made sure their licenses align with the DSpace BSD License based on the Licensing of Contributions documentation.