This addresses CVE-2022-40151 and CVE-2022-41966, see:
https://x-stream.github.io/changes.html#1.4.20
This version also fixes an issue with closing streams so the workaround in GenerateDefaultTranslationsMojoTest is no longer needed.
Signed-off-by: Wouter Born <github@maindrain.net>
This service provides add-on information when debugging in Eclipse so it is possible to add Things based on the installed bindings and configure installed add-ons in the UI.
Replaces the Sample Add-on Service.
Also shows the "Add-on Management" configuration which allows for configuring if incompatible add-ons are included.
Signed-off-by: Wouter Born <github@maindrain.net>
* Sync runtime dependencies with Karaf 4.4.3, most notably:
  * Jetty 9.4.50.v20221201
  * Pax Logging 2.2.0
  * Pax Web 8.0.15
* Use OSGi R8 as compile dependency
* Rework Servlets to use Http Whiteboard annotations in favor of proprietary `org.openhab.core.io.http.servlet` classes
* Resolve itest runbundles
Also-by: Jan N. Klug <github@klug.nrw>
Signed-off-by: Wouter Born <github@maindrain.net>
* Raise source level to Java 17 (except for model classes)
* Remove Nashorn script engine
* Upgrade spotless and add jvm options
See https://github.com/diffplug/spotless/issues/834
* Add suppression for findBugs false positive error
* Upgrade xtext to 2.29.0
* Adjust JNA
* Resolve itests
Signed-off-by: Jan N. Klug <github@klug.nrw>
* Bump commons-net from 3.7.2 to 3.9.0 in /bom/runtime
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Wouter Born <github@maindrain.net>
This fixes a security issue in commons-io 1.4. According to the release notes of commons-io, version 1.4 and 2.x are binary compatible and (mostly) source-compatible. I checked that openhab-addons compiles with these changes and successfully runs all itests.
Signed-off-by: Jan N. Klug <github@klug.nrw>
The `jackson-databind` bundle contains a vulnerability that is fixed in version 2.12.6.1. This version is only available for that bundle; all other bundles are still available as 2.12.6.
Signed-off-by: Jan N. Klug <github@klug.nrw>
Uses an openHAB 5.2.1.OH1 build based on the latest changes in the nrjavaserial master branch (7aa21d1dc8).
When there is an official release containing those changes we can upgrade to that.
Most importantly this fixes a file descriptor leak when checking lock dir permissions.
It also adds FreeBSD aarch64 (ARM64) support.
Fixes #1842
Signed-off-by: Wouter Born <github@maindrain.net>
This prevents deprecation warnings when running the itests with Java 17:
```
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.eclipse.osgi.internal.framework.SystemBundleActivator (file:org.openhab.core.tests/target/test/tmp/testing/itest/cnf/cache/6.2.0/org.openhab.core.bom.runtime-index/org.eclipse.osgi-3.16.300.v20210525-1715.jar)
WARNING: Please consider reporting this to the maintainers of org.eclipse.osgi.internal.framework.SystemBundleActivator
WARNING: System::setSecurityManager will be removed in a future release
```
See: https://bugs.eclipse.org/bugs/show_bug.cgi?id=574729
Signed-off-by: Wouter Born <github@maindrain.net>
It causes unnecessary bundle refreshes whenever add-ons are installed/uninstalled.
As a result the UI does not get properly notified of installation changes.
Fixes #2580
Reverts the Aries JAX-RS Whiteboard upgrade of #2532
Signed-off-by: Wouter Born <github@maindrain.net>
Looks like only the POM dependencies are used by the indexer, so the JAR is unused and useless as this warning correctly indicates when you build them:
```
[WARNING] JAR will be empty - no content was marked for inclusion!
```
Signed-off-by: Wouter Born <github@maindrain.net>
* Add ser2net mDNS USB serial discovery
* Add support for using multiple UsbSerialDiscovery services
* Add Ser2NetUsbSerialDiscovery that can use mDNS to discover ser2net RFC2217 serial ports
* Use discovered USB ports in SerialConfigOptionProvider
mDNS discovery is supported in ser2net 4.3.0 and newer.
E.g. you can install a ser2net version that provides this using APT in Ubuntu 21.04 and Debian 11.
Example ser2net YAML configuration that allows a serial port to be discovered using mDNS discovery:
```yaml
%YAML 1.1
---
connection: &con01
  accepter: telnet(rfc2217),tcp,2222
  connector: serialdev,/dev/ttyUSB0
  options:
    mdns: true
    mdns-sysattrs: true
    mdns-name: devicename
```
Closes #1511
Signed-off-by: Wouter Born <github@maindrain.net>
There should only be one SLF4J binding used for logging and we already use slf4j-simple.
This fixes the following warning when running unit tests:
```
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/home/wouter/.m2/repository/org/slf4j/slf4j-simple/1.7.32/slf4j-simple-1.7.32.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/home/wouter/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.SimpleLoggerFactory]
```
Signed-off-by: Wouter Born <github@maindrain.net>
* Exclude JUnit 4 from Whiteboard and update imports to JUnit 5
Excludes the transitive JUnit 4 dependency from the Aries JAX-RS Whiteboard.
The Whiteboard should not have a compile scope dependency on JUnit so I've created https://github.com/apache/aries-jax-rs-whiteboard/pull/135 to fix this.
The wrong scope has resulted in some tests using JUnit 4 imports which is also fixed in this PR.
Signed-off-by: Wouter Born <github@maindrain.net>
* Add commonly used JUnit 4 classes to forbidden packages
Signed-off-by: Wouter Born <github@maindrain.net>
Upgrades XStream from 1.4.15 to 1.4.17
Prevents the following vulnerabilities when using XStream instances with an uninitialized security framework:
* CVE-2021-21341
* CVE-2021-21342
* CVE-2021-21343
* CVE-2021-21344
* CVE-2021-21345
* CVE-2021-21346
* CVE-2021-21347
* CVE-2021-21348
* CVE-2021-21349
* CVE-2021-21350
* CVE-2021-21351
* CVE-2021-29505
See: http://x-stream.github.io/changes.html#1.4.17
Related to: #2250, #2251
Signed-off-by: Wouter Born <github@maindrain.net>
Upgrades UoM dependencies to:
* javax.measure 2.1.2
* si-units 2.0.1
* indriya 2.1.2
An openHAB OSGi-ified si-units bundle is used as runtime dependency, because the latest si-units release is still missing proper OSGi manifest headers.
Notable changes:
* Quantity no longer implements an `equals` method, so the unit tests had to be adjusted. This should have any impact outside of the unit tests though since the rest of openHAB should be using QuantityType instead.
* RationalConverter is not package private, so instances of it must be created through the MultiplyConverter static functions.
* Quantities.getQuantity can no longer parse values without units like `100`. A workaround has been implemented.
* The Unicode Greek `mu` letter is now returned for unit prefixes instead of the Unicode `micro` character. These characters are visually identical but the unit tests had to be adjusted. The new library seems to parse both types just fine.
Also-by: Connor Petty <mistercpp2000+gitsignoff@gmail.com>
Signed-off-by: Wouter Born <github@maindrain.net>
* Aligns compile dependencies with OSGi R7
* Aligns runtime dependencies with Karaf 4.3.1
* Fixes issues due to dependency changes:
  * AudioServletTest never ending due to Jetty upgrade
  * Feature resolution failing due to Karaf activation-api no longer visible
* Uses Pax Logging as runtime dependency instead of Felix Log
This dependency change makes itests and Demo App behave more like the actual distro
To change the log level in itests, change the value of org.ops4j.pax.logging.DefaultServiceLog.level in itest-include.bndrun
* Adds --add-opens and nashorn.args in itest-include.bndrun to prevent some warnings being logged in itests
Related to openhab/openhab-distro#1167
Signed-off-by: Wouter Born <github@maindrain.net>
There was already a transitive commons-lang3:3.9 compile dependency used by several add-ons.
This is a transitive dependency of pax-web-jetty and swagger-core.
Signed-off-by: Wouter Born <github@maindrain.net>
* Exclude commons-net from core dependencies so it is no longer automatically a transitive compile dependency
* Update nrjavaserial compile dependency to a version that no longer includes commons-net packages
* Define and use commons.net.version property
* Rework features so commons-net is only installed when required
Signed-off-by: Wouter Born <github@maindrain.net>
* Fixes bugs (vulnerabilities/performance issues)
* Supports OSGi better
* Prevents illegal reflective access warnings on newer Java versions
* Supports java.time converters
For XStream release notes see: https://x-stream.github.io/changes.html
The XmlDocumentReader which uses XStream has also been modified to configure XStream security to prevent "Security framework of XStream not initialized, XStream is probably vulnerable" warnings.
Signed-off-by: Wouter Born <github@maindrain.net>
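What "configuring XStream security" means in practice, as an added example that is not openHAB's XmlDocumentReader code: a deny-by-default XStream instance with an explicit type allowlist, which is what silences the "Security framework of XStream not initialized" warning. `ThingDescriptor`, the `thing` alias and both XML strings are constructed for illustration; the XStream library is assumed to be on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.xml.StaxDriver;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    // Hypothetical descriptor type standing in for whatever the reader is expected to parse.
    public static class ThingDescriptor {
        String id;
        String label;
    }

    static XStream newRestrictedXStream() {
        XStream xstream = new XStream(new StaxDriver());
        // Start from "deny everything", then allow only what the document format needs.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { ThingDescriptor.class, String.class });
        xstream.alias("thing", ThingDescriptor.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = newRestrictedXStream();

        // Constructed sample input: the expected document shape.
        String expected = "<thing><id>demo:1</id><label>Demo</label></thing>";
        ThingDescriptor thing = (ThingDescriptor) xstream.fromXML(expected);
        System.out.println("parsed: " + thing.id + " / " + thing.label);

        // Constructed sample input: well-formed XML naming a type outside the allowlist.
        String unexpected = "<java.net.URL>http://example.invalid/</java.net.URL>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("unexpected type was accepted");
        } catch (XStreamException e) {
            // The type name is refused when XStream resolves it against the permissions.
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Catching the `XStreamException` base class covers both a direct `ForbiddenClassException` and the case where it surfaces wrapped in a conversion error for a nested element.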
Upgrades to:
* Xtext 2.23.0
* Xtend 2.23.0
* LSP 0.9.0
For Xtext release notes see: https://www.eclipse.org/Xtext/releasenotes.html#/releasenotes/2020/09/01/version-2-23-0
The Xtext dependencies are now managed using their BOM which makes it easier to keep them in sync.
Because Xtext depends on a newer ASM version some runtime dependencies were also upgraded:
* ASM 8.0.1
* Pax Web 7.2.15
* XBean 4.17.0
Signed-off-by: Wouter Born <github@maindrain.net>
With some excludes and the upgraded JAXB I got the most recent Jollyday version working.
The integration tests also succeed again on Java 11.
Signed-off-by: Wouter Born <github@maindrain.net>
Upgrades the compiler and its dependencies so the compiler results of Maven builds are more similar to those generated in recent Eclipse versions.
To fix compilation issues in Eclipse for add-ons using classes from javax.xml.stream several dependencies were upgraded/excluded.
Signed-off-by: Wouter Born <github@maindrain.net>