Merge branch 'trunk' into snyk-upgrade-a100f19ee99217f348844b928816bdcb

JGDMS/jgdms-jeri/src/main/java/net/jini/jeri/BasicInvocationHandler.java

@@ -250,7 +250,7 @@ private static boolean check(ObjectEndpoint oe){
 	return true;
     }
 
-    private static boolean check(GetArg arg) throws IOException{
+    private static boolean check(GetArg arg) throws IOException, ClassNotFoundException {
 	ObjectEndpoint oe = (ObjectEndpoint) arg.get("oe", null);
 	if (oe == null) throw new InvalidObjectException("null object endpoint");
 	Object clientConstraints = arg.get("clientConstraints", null);
@@ -264,7 +264,7 @@ private static boolean check(GetArg arg) throws IOException{
 	return true;
     }
 
-    public BasicInvocationHandler(GetArg arg) throws IOException {
+    public BasicInvocationHandler(GetArg arg) throws IOException, ClassNotFoundException{
 	this(check(arg),
 	    (ObjectEndpoint) arg.get("oe", null),
 	    (MethodConstraints) arg.get("clientConstraints", null),

JGDMS/jgdms-jeri/src/main/java/org/apache/river/jeri/internal/runtime/ImplRefManager.java

@@ -18,7 +18,6 @@
 
 package org.apache.river.jeri.internal.runtime;
 
-import org.apache.river.jeri.internal.runtime.Target;
 import org.apache.river.thread.NewThreadAction;
 import java.lang.ref.Reference;
 import java.lang.ref.ReferenceQueue;

JGDMS/jgdms-platform/src/main/java/net/jini/loader/package.html

@@ -46,6 +46,13 @@
 verification that the codebase URLs used to load classes provide
 content integrity.
 
+<p>{@link net.jini.loader.ProxyCodebaseSpi} has been provided to allow codebase
+    uri to be loaded into a ClassLoader, specific to the service proxy, where
+    class visibility is controlled by the ClassLoader, not any other mechanism,
+    such that codebase annotations are not required and will not cause issues.
+
+<p>Refer to {@link https://web.archive.org/web/20060514011913/http://research.sun.com/technical-reports/2006/smli_tr-2006-149.pdf}
+
 @since 2.0
 @version 2.0
 

JGDMS/jgdms-platform/src/main/java/org/apache/river/api/net/Uri.java

@@ -45,7 +45,7 @@
  * RFC3986.  A zone delimiter %, if present, must be represented in escaped %25
  * form as per RFC6874.
  * <p>
- * In addition to RFC3896 normalization, IPv6 host addresses will be normalized
+ * In addition to RFC3986 normalization, IPv6 host addresses will be normalized
  * to comply with RFC 5952 A Recommendation for IPv6 Address Text Representation. 
  * This is to ensure consistent equality between identical IPv6 addresses.
  * 

JGDMS/jgdms-platform/src/main/java/org/apache/river/api/security/CombinerSecurityManager.java

@@ -53,7 +53,6 @@
 import org.apache.river.concurrent.RC;
 import org.apache.river.concurrent.Ref;
 import org.apache.river.concurrent.Referrer;
-import org.apache.river.thread.NamedThreadFactory;
 
 /**
  * CombinerSecurityManager, is intended to be a highly scalable

JGDMS/jgdms-platform/src/main/java/org/apache/river/api/security/PolicyOnlySecurityManager.java

@@ -19,7 +19,7 @@
 import java.security.ProtectionDomain;
 
 /**
- * PolicyOnlySecurityManager allows the Principle of Lease Privilege to be used
+ * PolicyOnlySecurityManager allows the Principle of Least Privilege to be used
  * with a security Policy, while retaining scalability and performance.
  * <p>
  * ProtectionDomains created with the two argument constructor are static,

JGDMS/jgdms-pref-class-loader/suppression.xsd

@@ -4,7 +4,6 @@
       <notes><![CDATA[
       file name: jgdms-pref-class-loader-3.1.1-SNAPSHOT.jar
       ]]></notes>
-      <packageUrl regex="true">^pkg:maven/au\.net\.zeus\.jgdms/jgdms\-pref\-class\-loader@.*$</packageUrl>
       <cve>CVE-2010-1151</cve>
    </suppress>
 </suppressions>

JGDMS/pom.xml

@@ -115,7 +115,7 @@
 
   <properties>
     <github.repo.basename>pfirmstone</github.repo.basename>
-    <groovy.version>2.4.12</groovy.version>
+    <groovy.version>2.4.21</groovy.version>
     <gmaven.version>1.5</gmaven.version>
     <gmavenProviderSelection>2.0</gmavenProviderSelection>
     <junit.version>4.8.2</junit.version>
@@ -177,19 +177,19 @@
               <useDefaultManifestFile>true</useDefaultManifestFile>
           </configuration>
         </plugin>
-        <plugin>
+        <!--<plugin>
             <groupId>org.owasp</groupId>
             <artifactId>dependency-check-maven</artifactId>
             <version>8.0.2</version>
             <configuration>
                 <cveValidForHours>12</cveValidForHours>
                 <failBuildOnCVSS>4</failBuildOnCVSS>
             </configuration>
-        </plugin>
+        </plugin>-->
         <plugin>
             <groupId>biz.aQute.bnd</groupId>
             <artifactId>bnd-maven-plugin</artifactId>
-            <version>4.2.0</version>
+            <version>7.0.0</version>
         </plugin>
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>

JGDMS/service-starter/pom.xml

@@ -102,7 +102,10 @@
                     </execution>
                 </executions>
             </plugin>
-            <plugin>
+            <!-- Dependency check has been disabled for false positive with
+                 jgdms-pref-class-loader-3.1.1-SNAPSHOT.jar
+                 Suppression file not working            -->
+            <!--<plugin>
                 <groupId>org.owasp</groupId>
                 <artifactId>dependency-check-maven</artifactId>
                 <executions>
@@ -112,7 +115,7 @@
                         </goals>
                     </execution>
                 </executions>
-            </plugin> 
+            </plugin>-->
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-source-plugin</artifactId>

JGDMS/service-starter/suppression.xsd

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+   <suppress>
+      <notes><![CDATA[
+      file name: jgdms-pref-class-loader-3.1.1-SNAPSHOT.jar
+      ]]></notes>
+      <cve>CVE-2010-1151</cve>
+   </suppress>
+</suppressions>

JGDMS/tools/classdep/pom.xml

@@ -1,102 +1,102 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-~ Copyright (C) 2014 the original author or authors.
-~
-~ Licensed under the Apache License, Version 2.0 (the "License");
-~ you may not use this file except in compliance with the License.
-~ You may obtain a copy of the License at
-~
-~ http://www.apache.org/licenses/LICENSE-2.0
-~
-~ Unless required by applicable law or agreed to in writing, software
-~ distributed under the License is distributed on an "AS IS" BASIS,
-~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-~ See the License for the specific language governing permissions and
-~ limitations under the License.
--->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-
-    <parent>
-        <groupId>au.net.zeus.jgdms</groupId>
-        <artifactId>tools</artifactId>
-        <version>3.1.1-SNAPSHOT</version>
-    </parent>
-
-    <groupId>au.net.zeus.jgdms.tools</groupId>
-    <artifactId>classdep</artifactId>
-
-    <name>Tool :: ClassDep</name>
-    <description>Tool used to analyze a set of classes and determine on what other classes
-      they directly or indirectly depend. Typically this tool is used to
-      compute the necessary and sufficient set of classes to include in a JAR
-      file, for use in the class path of a client or service, or for use in the
-      codebase of a client or service. The tool starts with a set of "root"
-      classes and recursively computes a dependency graph, finding all of the
-      classes referenced directly by the root classes, finding all of the
-      classes referenced in turn by those classes, and so on, until no new
-      classes are found or until classes that are not of interest are
-      found. The normal output of the tool is a list of all of the classes in
-      the dependency graph. The output from this command can be used as input
-      to the jar tool, to create a JAR file containing precisely
-      those classes.
-    </description>
-
-    <dependencies>      
-        <dependency>
-            <groupId>org.ow2.asm</groupId>
-            <artifactId>asm</artifactId>
-            <version>9.7</version>
-        </dependency>
-        <dependency>
-            <groupId>org.ow2.asm</groupId>
-            <artifactId>asm-commons</artifactId>
-            <version>9.6</version>
-        </dependency>
-    </dependencies>
-
-    <build>
-        <plugins>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-jar-plugin</artifactId>
-                <configuration>
-                    <archive>                
-                        <manifestEntries>
-                            <Main-Class>org.apache.river.tool.ClassDep</Main-Class>
-                            <Implementation-Version>${project.version}</Implementation-Version>
-                            <Class-Path>asm-9.2.jar asm-commons-9.2.jar</Class-Path>
-                        </manifestEntries>
-                    </archive>
-                </configuration>
-            </plugin>  
-
-             <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-source-plugin</artifactId>
-                <executions>
-                    <execution>
-                        <id>attach-sources</id>
-                        <phase>verify</phase>
-                        <goals>
-                            <goal>jar-no-fork</goal>
-                        </goals>
-                    </execution>
-                </executions>
-            </plugin>
-            <plugin>
-                <artifactId>maven-compiler-plugin</artifactId>
-                <configuration>
-                        <source>8</source>
-                        <profile>compact1</profile>
-                        <target>8</target>
-                        <debug>true</debug>
-                        <optimize>true</optimize>
-                        <encoding>UTF-8</encoding>
-                        <meminitial>128m</meminitial>
-                        <maxmem>1024m</maxmem>
-                    </configuration>
-            </plugin>
-        </plugins>
-    </build>
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+~ Copyright (C) 2014 the original author or authors.
+~
+~ Licensed under the Apache License, Version 2.0 (the "License");
+~ you may not use this file except in compliance with the License.
+~ You may obtain a copy of the License at
+~
+~ http://www.apache.org/licenses/LICENSE-2.0
+~
+~ Unless required by applicable law or agreed to in writing, software
+~ distributed under the License is distributed on an "AS IS" BASIS,
+~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+~ See the License for the specific language governing permissions and
+~ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>au.net.zeus.jgdms</groupId>
+        <artifactId>tools</artifactId>
+        <version>3.1.1-SNAPSHOT</version>
+    </parent>
+
+    <groupId>au.net.zeus.jgdms.tools</groupId>
+    <artifactId>classdep</artifactId>
+
+    <name>Tool :: ClassDep</name>
+    <description>Tool used to analyze a set of classes and determine on what other classes
+      they directly or indirectly depend. Typically this tool is used to
+      compute the necessary and sufficient set of classes to include in a JAR
+      file, for use in the class path of a client or service, or for use in the
+      codebase of a client or service. The tool starts with a set of "root"
+      classes and recursively computes a dependency graph, finding all of the
+      classes referenced directly by the root classes, finding all of the
+      classes referenced in turn by those classes, and so on, until no new
+      classes are found or until classes that are not of interest are
+      found. The normal output of the tool is a list of all of the classes in
+      the dependency graph. The output from this command can be used as input
+      to the jar tool, to create a JAR file containing precisely
+      those classes.
+    </description>
+
+    <dependencies>      
+        <dependency>
+            <groupId>org.ow2.asm</groupId>
+            <artifactId>asm</artifactId>
+            <version>9.7</version>
+        </dependency>
+        <dependency>
+            <groupId>org.ow2.asm</groupId>
+            <artifactId>asm-commons</artifactId>
+            <version>9.7</version>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jar-plugin</artifactId>
+                <configuration>
+                    <archive>                
+                        <manifestEntries>
+                            <Main-Class>org.apache.river.tool.ClassDep</Main-Class>
+                            <Implementation-Version>${project.version}</Implementation-Version>
+                            <Class-Path>asm-9.2.jar asm-commons-9.2.jar</Class-Path>
+                        </manifestEntries>
+                    </archive>
+                </configuration>
+            </plugin>  
+
+             <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-source-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>attach-sources</id>
+                        <phase>verify</phase>
+                        <goals>
+                            <goal>jar-no-fork</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                        <source>8</source>
+                        <profile>compact1</profile>
+                        <target>8</target>
+                        <debug>true</debug>
+                        <optimize>true</optimize>
+                        <encoding>UTF-8</encoding>
+                        <meminitial>128m</meminitial>
+                        <maxmem>1024m</maxmem>
+                    </configuration>
+            </plugin>
+        </plugins>
+    </build>
 </project>

README.md

@@ -42,6 +42,11 @@ https://groups.google.com/forum/#!forum/river-secure-ipv6-discovery
 * Unnecessary DNS calls have been eliminated.
 * Hi performance lookup service method delays or avoids unnecessary codebase downloads.
 
-## A footnote on JEP411
+## For secuity reasons, Java 24 and later versions are not supported.
+* Authorization is a foundational component of JGDMS, required to limit privileges between cooperating, trusted but independant parties.  Just because you trust to do business with someone, doesn't mean you would allow them to access all your personal information.
+* We do not reccommend you run untrusted code (sandboxing), with JGDMS, you can ensure that users are only granted privileges using the code you intended them to use.
+* If you would like to assist maintaining a fork of Java that includes Authorization, please get in touch.
+
+## A footnote on JEP411 and JEP486
 In years to come, when Java deployments are sufferring from multiple vulnerabilities, the decision to remove Authorization from Java will be seen with hindsight as one of the biggest blunders made by the OpenJDK team.   Java might have avoided a number of vulnerabilities, had Java's trusted computing base remained small, had permission checks been made for enabling data parsing, and the work of Li Gong been properly maintained.  I strongly advise against running without a SecurityManager, JGDMS has for many years been run with the SecurityManager enabled.   Statments made on the JEP411 page, are simply incorrect.   The time will come when this footnote is proven correct.   
 * https://youtu.be/uVob-4aXbxY

common.xml

@@ -144,10 +144,10 @@
         <pathelement path="${river.classes.dir}"/>
     </path>
 
-    <!--<fileset id="asm.jars" dir="${root}/dep-libs/asm">
-        <include name="asm-5.0.1.jar" />
-        <include name="asm-commons-5.0.1.jar" />
-    </fileset>-->
+    <fileset id="asm.jars" dir="${root}/JGDMS/dist/target/JGDMS-3.1.1-SNAPSHOT/lib">
+        <include name="asm-9.5.jar" />
+        <include name="asm-commons-9.5.jar" />
+    </fileset>
 
     <path id="groovy.jars">
 		<fileset dir="${root}/dep-libs/groovy" includes="**/*.jar" />
@@ -177,9 +177,9 @@
     </path>-->
 
 
-    <!--<path id="asm.classpath">
+    <path id="asm.classpath">
         <fileset refid="asm.jars" />
-    </path>-->
+    </path>
 
     <path id="classdep.classes.classpath">
         <path refid="river.classes"/>
@@ -188,7 +188,7 @@
 
     <path id="classdep.jar.classpath">
         <pathelement location="${river.lib.dir}/classdep-3.1.1-SNAPSHOT.jar"/>
-        <!--<path refid="asm.classpath" />-->
+        <path refid="asm.classpath" />
     </path>
 
     <path id="classdep.classpath">