
Geonetwork on Spring 6 codesprint June 2023

François Prunayre edited this page Jun 19, 2023 · 35 revisions

Participants

  • Jose
  • Francois
  • ...

Sponsors

Agenda

The main goal of this sprint is to evaluate updating GeoNetwork to Java 11 and Java 17, identify the issues involved, and reduce the number of critical security vulnerabilities that can be fixed by library updates.

  • Java 11 runtime tests
  • Java 17 runtime tests
  • Spring 5 and Hibernate 5 update
  • Spring 6 and Hibernate 6 evaluation

Java 11 runtime tests

Based on https://github.com/geonetwork/core-geonetwork/pull/6276, the application starts up with:

  • mvn jetty:run
  • from the release build
  • from IntelliJ

Issues

Startup failed in IntelliJ with Maven 3.8.1; fixed by using Maven 3.8.7.

One runtime issue identified:

HTTP ERROR 500 java.lang.reflect.InaccessibleObjectException: 
Unable to make public long
 com.sun.management.internal.OperatingSystemImpl.getOpenFileDescriptorCount() accessible: 
module jdk.management does not "opens com.sun.management.internal" 
to unnamed module @4f7f59dd

Fixed by

--add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED

Conclusion

GeoNetwork on Java 11 looks usable. Questions:

  • Do we keep the possibility to build with Java 8, or do we move to Java 11 and add a warning when running on Java > 11?
  • Raise an error if running on Java > 11?

Java 17 or 20 runtime tests

Issues on startup

Java package access

This type of issue arises because JDK 17 no longer provides the --illegal-access option, so the behaviour is the same as running JDK 11 with --illegal-access=deny: reflective access to non-exported JDK internals fails unless the package is explicitly opened.

  • java.lang

module java.base does not "opens java.lang" to unnamed module

Fixed by

--add-opens java.base/java.lang=ALL-UNNAMED
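The two --add-opens flags above, together with the Java 8 versus Java 11+ question from the Java 11 conclusion, are easiest to handle in the start script. The following POSIX sh snippet is an added example and not part of GeoNetwork or its scripts: it parses the Java version string, emits the opens only on Java 9+ (Java 8 rejects --add-opens as an unrecognized option), and classifies versions above 11 as untested so a launcher can warn instead of failing. The function names and the support ranges are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the GeoNetwork project): derive the JVM options a
# GeoNetwork start script needs from the running Java version.
# Java 8 has no module system and rejects --add-opens; Java 9+ needs the opens
# identified on this page; Java > 11 is outside the range tested in the sprint.

# Extract the major version from a "java -version" style string:
#   "1.8.0_372" -> 8, "11.0.19" -> 11, "17.0.7" -> 17
java_major() {
    v="$1"
    case "$v" in
        1.*) echo "$v" | cut -d. -f2 ;;   # legacy 1.x scheme (Java 8 and older)
        *)   echo "$v" | cut -d. -f1 ;;   # Java 9+ scheme
    esac
}

# Build the JAVA_OPTS string for a given major version.
jvm_opts() {
    major="$1"
    if [ "$major" -lt 9 ]; then
        # Java 8: no module system, nothing to open (and --add-opens would fail).
        echo ""
        return 0
    fi
    # Opens identified during the sprint on Java 11 and Java 17.
    opts="--add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED"
    opts="$opts --add-opens java.base/java.lang=ALL-UNNAMED"
    echo "$opts"
}

# Classify support status so the launcher can warn (not fail) on newer JDKs.
# Ranges are an assumption based on the sprint questions, not project policy.
support_status() {
    major="$1"
    if [ "$major" -lt 8 ]; then
        echo "unsupported"
    elif [ "$major" -le 11 ]; then
        echo "supported"
    else
        echo "untested"
    fi
}

# Usage in a start script (java -version prints to stderr):
#   MAJOR=$(java_major "$(java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p')")
#   export JAVA_OPTS="$(jvm_opts "$MAJOR")"
#   [ "$(support_status "$MAJOR")" = untested ] && echo "warning: Java $MAJOR is untested" >&2
```

Keeping the opens in one place means a new InaccessibleObjectException only requires adding a line to jvm_opts rather than editing every launcher (Jetty, Tomcat, IDE run configuration).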

javax.annotation

Error creating bean with name 'translationPackBuilder' defined in file
[classes/org/fao/geonet/api/tools/i18n/TranslationPackBuilder.class]:
Post-processing of merged bean definition failed; nested exception is
java.lang.NoSuchMethodError: 'java.lang.String javax.annotation.Resource.lookup()'

Fixed by moving to Jakarta EE 9+, as Spring 6+ does.

Tested with https://docs.openrewrite.org/recipes/java/migrate/jakarta/javaxannotationmigrationtojakartaannotation:

mvn -U org.openrewrite.maven:rewrite-maven-plugin:run \
  -Drewrite.recipeArtifactCoordinates=org.openrewrite.recipe:rewrite-migrate-java:RELEASE  \
  -Drewrite.activeRecipes=org.openrewrite.java.migrate.jakarta.JavaxAnnotationMigrationToJakartaAnnotation

org.codehaus.groovy.vmplugin.v7.Java7

From the release build:

java.lang.NoClassDefFoundError: Could not initialize class org.codehaus.groovy.vmplugin.v7.Java7

No fix identified yet.

Conclusion

In order to run on Java 17+, the Spring 6 migration is required (and Spring 6 itself requires Java 17 and Jakarta EE 9).

This probably means that GeoNetwork will then require at least (to be confirmed):

  • Maven 3.8.7+
  • Java 17
  • Tomcat 10
  • Jetty 11, and that all dependencies used have also moved to Jakarta EE 9 / Spring 6

Spring 5 update

Update to latest version:

  • Spring 5, Hibernate 5
  • Jetty 9

Branch https://github.com/geonetwork/core-geonetwork/tree/lib-spring5

Questions:

  • GN 4.4.0?
  • Java 8 and 11, or only Java 11 support?
  • Need for a warning message when running on Java > 11?
  • Doc update (JVM config, maximum supported version of Jetty/Tomcat)

Spring 6 migration evaluation

Evaluate Spring 6 migration.

Related documents:

"Spring Framework 6 and Spring Boot 3 based applications will require a minimum of JDK 17 at runtime, as well as a minimum of Tomcat 10 / Jetty 11"

At build time, libraries to add/update:

Branch https://github.com/fxprunayre/core-geonetwork/tree/lib-spring6

Startup or build warning

[WARNING] The POM for com.sun.xml.bind:jaxb-impl:jar:2.2.11 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details

Security vulnerability

One goal is also to update libraries with CRITICAL vulnerabilities reported.

  • Check github security alerts
  • Trivy

Scan the application with Trivy

cd core-geonetwork
docker pull aquasec/trivy:latest

# Download the vulnerability and Java DBs once into a local cache
docker run -v $PWD:/core-geonetwork aquasec/trivy fs --cache-dir /core-geonetwork/.trivycache/ --download-java-db-only
docker run -v $PWD:/core-geonetwork aquasec/trivy fs --cache-dir /core-geonetwork/.trivycache/ --download-db-only

# Scan the built web application (library vulnerabilities only, CRITICAL severity)
docker run -v $PWD:/core-geonetwork aquasec/trivy \
  rootfs --cache-dir /core-geonetwork/.trivycache/ \
  --vuln-type library --skip-db-update --scanners vuln --severity CRITICAL \
  /core-geonetwork/web/target/geonetwork

# Scan the docker image
docker run -v $PWD:/core-geonetwork aquasec/trivy image --cache-dir /core-geonetwork/.trivycache/ --vuln-type library --skip-db-update --scanners vuln --severity HIGH,CRITICAL geonetwork:4.2.4
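To run these scans as a CI gate rather than reading reports by hand, the following POSIX sh wrapper is an added example (not from the GeoNetwork repository): it reuses the DB-download and scan options above, adds Trivy's --exit-code 1 so the scanner returns 1 when a finding at the requested severity exists, and maps scanner failures to a distinct exit code so a broken scan is never mistaken for a clean one. The TRIVY variable, the CACHE path and the function names are assumptions; TRIVY defaults to the docker invocation used on this page (so CACHE is the in-container path) and can be pointed at a local trivy binary instead.

```shell
#!/bin/sh
# Added example, not part of GeoNetwork: fail a CI job on CRITICAL library
# vulnerabilities using the Trivy scans from this page.
# TRIVY is the scanner command; the default is the docker invocation used above.
: "${TRIVY:=docker run --rm -v $PWD:/core-geonetwork aquasec/trivy}"
CACHE=/core-geonetwork/.trivycache/

# Download the vulnerability and Java DBs once; the scans below run with
# --skip-db-update so they are reproducible and work offline afterwards.
trivy_update_db() {
    $TRIVY fs --cache-dir "$CACHE" --download-java-db-only &&
    $TRIVY fs --cache-dir "$CACHE" --download-db-only
}

# trivy_gate <rootfs|image> <path-or-image:tag> [severity]
# Exit status: 0 = no findings, 1 = findings at the given severity,
# 2 = the scanner itself failed (no result, must not be treated as clean).
trivy_gate() {
    kind="$1"
    target="$2"
    severity="${3:-CRITICAL}"
    rc=0
    # --exit-code 1 makes Trivy return 1 when matching vulnerabilities exist.
    if $TRIVY "$kind" --cache-dir "$CACHE" --skip-db-update \
        --vuln-type library --scanners vuln --severity "$severity" \
        --exit-code 1 "$target"; then
        rc=0
    else
        rc=$?
    fi
    case "$rc" in
        0) echo "ok: no $severity findings in $target" ;;
        1) echo "FAIL: $severity findings in $target" >&2 ;;
        *) echo "ERROR: trivy exited with status $rc" >&2; rc=2 ;;
    esac
    return "$rc"
}

# Typical CI usage (download once, then gate the build output and the image):
#   trivy_update_db
#   trivy_gate rootfs /core-geonetwork/web/target/geonetwork CRITICAL
#   trivy_gate image geonetwork:4.2.4 HIGH,CRITICAL
```

Separating "findings" (1) from "scanner error" (2) matters in CI: a missing cache or a pull failure should block the pipeline loudly rather than pass silently, and the severity threshold can be raised per target (HIGH,CRITICAL for the image, as on this page) without touching the gate logic.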

Spring 5 branch analysis

org.springframework:spring-web (spring-web-5.3.27.jar)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000027
https://github.com/spring-projects/spring-framework/blob/v5.3.27/src/docs/asciidoc/integration.adoc#remoting-httpinvoker
= Only relevant if HTTP Invoker remoting endpoints are exposed (the remoting support is removed in Spring 6)

org.jyaml:jyaml (jyaml-1.3.jar)
https://mvnrepository.com/artifact/org.jyaml/jyaml
= No more recent version available

org.mapfish.print:print-lib (print-lib-2.2.0.jar)
https://github.com/mapfish/mapfish-print/security/advisories/GHSA-vjv6-gq77-3mjw - Does this apply to v2?

org.apache.cxf:cxf-core (cxf-core-3.0.12.jar)
OpenCMIS https://mvnrepository.com/artifact/org.apache.chemistry.opencmis/chemistry-opencmis-client-api
= No more recent version available
= Add a module to exclude CMIS from the build?

snakeyaml
org.springdoc:springdoc-openapi-common
https://mvnrepository.com/artifact/org.springdoc/springdoc-openapi-common/1.7.0

Related work
