maven-core fails to build

Status: done
Participants: Andrew Tropin, Dr. Arne Babenhauserheide, Julien Lepiller, Remco van 't Veer, Steve George
Owner: unassigned
Submitted by: Dr. Arne Babenhauserheide
Severity: normal
Dr. Arne Babenhauserheide wrote on 3 Jun 2022 08:05
(address . bug-guix@gnu.org)
87sfomwaa6.fsf@web.de
Hi,

I currently cannot get maven, because maven-core fails to build. To reproduce:

guix shell maven

Log:

[mkdir] Created dir: /tmp/guix-build-maven-core-3.8.5.drv-0/apache-maven-3.8.5/maven-core/build/jar
[jar] Building jar: /tmp/guix-build-maven-core-3.8.5.drv-0/apache-maven-3.8.5/maven-core/build/jar/maven-core.jar

BUILD SUCCESSFUL
Total time: 1 second
phase `build' succeeded after 2.3 seconds
starting phase `generate-metadata'
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
[INFO] Discovered 58 component descriptors(s)
Problem executing command line.
Error stacktrace:
java.io.IOException: Invalid input descriptor for merge: /tmp/plexus-metadata3957336728290309540xml --> http://xml.org/sax/features/external-general-entitiesfeature http://xml.org/sax/features/external-general-entities not supported for SAX driver org.codehaus.plexus.metadata.merge.Driver
at org.codehaus.plexus.metadata.merge.AbstractMerger.mergeDescriptors(Unknown Source)
at org.codehaus.plexus.metadata.DefaultMetadataGenerator.generateDescriptor(Unknown Source)
at org.codehaus.plexus.metadata.PlexusMetadataGeneratorCli.invokePlexusComponent(Unknown Source)
at org.codehaus.plexus.tools.cli.AbstractCli.execute(Unknown Source)
at org.codehaus.plexus.tools.cli.AbstractCli.execute(Unknown Source)
at org.codehaus.plexus.metadata.PlexusMetadataGeneratorCli.main(Unknown Source)
error: in phase 'generate-metadata': uncaught exception:
system-error "open-file" "~A: ~S" ("No such file or directory" "build/classes/META-INF/plexus/components.t.xml") (2)
phase `generate-metadata' failed after 0.8 seconds
Backtrace:
12 (primitive-load "/gnu/store/ndhm39px4lh3jrcqpkaa3ykwgji…")
In guix/build/gnu-build-system.scm:
906:2 11 (gnu-build #:source _ #:outputs _ #:inputs _ #:phases . #)
In ice-9/boot-9.scm:
1752:10 10 (with-exception-handler _ _ #:unwind? _ # _)
In srfi/srfi-1.scm:
634:9 9 (for-each #<procedure 7ffff034be20 at guix/build/gnu-b…> …)
In ice-9/boot-9.scm:
1752:10 8 (with-exception-handler _ _ #:unwind? _ # _)
In guix/build/gnu-build-system.scm:
927:23 7 (_)
In ice-9/eval.scm:
619:8 6 (_ #(#(#(#<directory (guile-user) 7ffff1fd3c80>) (…)) #))
311:34 5 (_ #(#(#(#<directory (guile-user) 7ffff1fd3c80>) (…)) #))
293:34 4 (_ #(#(#<directory (guile-user) 7ffff1fd3c80>) "build…"))
In ice-9/ports.scm:
450:11 3 (call-with-input-file "build/classes/META-INF/plexus/c…" …)
In unknown file:
2 (open-file "build/classes/META-INF/plexus/components.t…" …)
In ice-9/boot-9.scm:
1685:16 1 (raise-exception _ #:continuable? _)
1685:16 0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1685:16: In procedure raise-exception:
In procedure open-file: No such file or directory: "build/classes/META-INF/plexus/components.t.xml"

Best wishes,
Arne
--
Being apolitical
means being political
without noticing it.
draketo.de

Remco van 't Veer wrote on 4 Jun 2022 12:25
(address . 55776@debbugs.gnu.org)(name . Dr. Arne Babenhauserheide)(address . arne_bab@web.de)
87wndwn2su.fsf@remworks.net
I did some digging and found this regression is caused by commit:

6068b83b82475566acd4162467bcf54270f338f9
"gnu: java-jdom: Update to 2.0.6.1 [fixes CVE-2021-33813]."

Apparently the fix for this issue causes jdom to be very strict;

> java.io.IOException: Invalid input descriptor for merge:
> /tmp/plexus-metadata3957336728290309540xml -->
> http://xml.org/sax/features/external-general-entities feature
> http://xml.org/sax/features/external-general-entities not supported
> for SAX driver org.codehaus.plexus.metadata.merge.Driver

Which sounds familiar when looking at that CVE

> An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to
> cause a denial of service via a crafted HTTP request. At this time
> there is no released fixed version of JDOM. As a workaround, to avoid
> external entities being expanded, one can call
> builder.setExpandEntities(false) and they won't be expanded.

I dunno how to fix this though, I'm just a curious guixer. Easiest path
seems to be to make a new java-jdom-2.0.6 var and use that as a
native-input for maven. Would that be an acceptable solution?

Cheers,
Remco
Julien Lepiller wrote on 4 Jun 2022 15:47
(name . Remco van 't Veer)(address . remco@remworks.net)
20220604154707.099a3679@sybil.lepiller.eu
On Sat, 04 Jun 2022 12:25:21 +0200,
Remco van 't Veer <remco@remworks.net> wrote:

> I did some digging and found this regression is caused by commit:
>
> 6068b83b82475566acd4162467bcf54270f338f9
> "gnu: java-jdom: Update to 2.0.6.1 [fixes CVE-2021-33813]."
>
> Apparently the fix for this issue causes jdom to be very strict;
>
> > java.io.IOException: Invalid input descriptor for merge:
> > /tmp/plexus-metadata3957336728290309540xml -->
> > http://xml.org/sax/features/external-general-entities feature
> > http://xml.org/sax/features/external-general-entities not supported
> > for SAX driver org.codehaus.plexus.metadata.merge.Driver
>
> Which sounds familiar when looking at that CVE
> (https://github.com/advisories/GHSA-2363-cqg2-863c):
>
> > An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to
> > cause a denial of service via a crafted HTTP request. At this time
> > there is no released fixed version of JDOM. As a workaround, to
> > avoid external entities being expanded, one can call
> > builder.setExpandEntities(false) and they won't be expanded.
>
> I dunno how to fix this though, I'm just a curious guixer. Easiest
> path seems to be to make a new java-jdom-2.0.6 var and use that as a
> native-input for maven. Would that be an acceptable solution?
>
> Cheers,
> Remco
>

Like you say, the issue is with the new jdom. Believe it or not, but
between 2.0.6 and 2.0.6.1 there's some breakage (and > 1 year of
changes, too)!

So I figured I could fix java-plexus-component-metadata that we use to
generate some xml files during the build of maven. jdom is one of its
inputs. Adding another jdom to the native inputs would probably not fix
the issue.

What I did instead is, since jdom wants to set more features than
supported in the driver, to add dummy support for all these additional
features by just not throwing the exception. It's not very satisfying,
but it works and we don't keep a vulnerable jdom around. With the
attached patch, I built up to maven.
From 2523b6c6b3f81f8a86b7c768dfed9dae97978e93 Mon Sep 17 00:00:00 2001
From: Julien Lepiller <julien@lepiller.eu>
Date: Sat, 4 Jun 2022 15:41:41 +0200
Subject: [PATCH] gnu: java-plexus-component-metadata: Fix package.

* gnu/packages/java.scm (java-plexus-component-metadata): Apply fix for
newer jdom.
---
gnu/packages/java.scm | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
index 336e84e3e5..f475f7c270 100644
--- a/gnu/packages/java.scm
+++ b/gnu/packages/java.scm
@@ -4537,6 +4537,14 @@ (define-public java-plexus-component-metadata-1.7
(copy-recursively "src/main/resources"
"build/classes/")
#t))
+ (add-before 'build 'fix-jdom
+ (lambda _
+ ;; The newer version of jdom now sets multiple features by default
+ ;; that are not supported.
+ ;; Skip these features
+ (substitute* "src/main/java/org/codehaus/plexus/metadata/merge/MXParser.java"
+ (("throw new XmlPullParserException\\(\"unsupporte feature \"\\+name\\);")
+ "// skip"))))
(add-before 'check 'fix-test-location
(lambda _
(substitute* '("src/test/java/org/codehaus/plexus/metadata/DefaultComponentDescriptorWriterTest.java"
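Review bot: the substitution turns `throw new XmlPullParserException("unsupporte feature "+name);` into `// skip`, so MXParser now reports success for every feature it does not implement, including the external-entity features jdom 2.0.6.1 sets to harden parsing; a caller asking for external-general-entities=false gets no signal that the driver may not honour it. Consider narrowing the change to the specific feature names jdom requests, and only where the driver's actual behaviour already matches the requested value, so any other unknown feature keeps failing loudly. Also note that substitute* succeeds silently when the pattern does not match, so if upstream ever corrects the `unsupporte` typo in that message the phase will pass without applying the fix; checking that the replacement actually happened, or carrying the change as a patch file under gnu/packages/patches, would be more robust.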
--
2.35.1
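The workaround quoted from the advisory (builder.setExpandEntities(false)) and the failure Julien describes are two sides of one design question: what a SAX driver should do when a hardened library asks it to enable a security feature it does not implement. The Python example below is added here for illustration and is not code from Guix, jdom or plexus. It uses Python's standard xml.sax parser, which recognises the two external-entity features named in the build log and rejects unknown feature names much as the plexus driver did, and shows a middle ground between the two behaviours in this thread: every hardening request is attempted, the ones the driver cannot honour are reported back, and the caller decides whether to fail closed (the pre-patch behaviour) or to proceed knowingly (the patched behaviour) instead of the rejection being deleted. The sample document, its placeholder system id and the http://example.invalid feature name are constructed for the example.

```python
"""Apply a hardened XML library's SAX feature requests to a parser and
report which ones the driver cannot honour, instead of either aborting
on the first unknown feature or silently ignoring all of them.

Added example, not code from Guix, jdom or plexus."""
import io
import xml.sax
from xml.sax import SAXNotRecognizedException, SAXNotSupportedException
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# The two requests that appear in the thread's log, with the value a
# hardened library asks for (do not fetch external entities).
HARDENING_FEATURES = {
    feature_external_ges: False,  # http://xml.org/sax/features/external-general-entities
    feature_external_pes: False,  # http://xml.org/sax/features/external-parameter-entities
}

# Constructed feature name that no driver implements; used to show what
# happens when a request cannot be honoured.
UNKNOWN_FEATURE = "http://example.invalid/features/not-implemented-here"


def configure_parser(parser, requests):
    """Try every feature request on `parser`.

    Returns (applied, unsupported): `applied` maps a feature to the value the
    parser reports after setting it; `unsupported` maps a feature to the
    driver's error message.  Nothing is swallowed, so the caller sees exactly
    which hardening requests did not take effect.
    """
    applied, unsupported = {}, {}
    for name, value in requests.items():
        try:
            parser.setFeature(name, value)
        except (SAXNotRecognizedException, SAXNotSupportedException) as exc:
            unsupported[name] = str(exc)
        else:
            applied[name] = parser.getFeature(name)
    return applied, unsupported


class _TextCollector(ContentHandler):
    """Collects character data; an external entity that was not fetched
    contributes nothing to it."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_hardened(xml_bytes, requests=None, fail_closed=True):
    """Parse `xml_bytes` after applying `requests` (default HARDENING_FEATURES).

    fail_closed=True aborts when any request is unsupported, which is what the
    plexus driver did before the patch (a failed build rather than a parse
    whose hardening is unknown).  fail_closed=False parses anyway but still
    returns the unsupported requests, so proceeding is an explicit decision.
    Returns (text, applied, unsupported).
    """
    if requests is None:
        requests = HARDENING_FEATURES
    parser = xml.sax.make_parser()
    applied, unsupported = configure_parser(parser, requests)
    if unsupported and fail_closed:
        raise SAXNotSupportedException(
            "driver cannot honour: " + ", ".join(sorted(unsupported)))
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks), applied, unsupported


def fails_closed(xml_bytes, requests):
    """True when parse_hardened refuses to parse because a request was unsupported."""
    try:
        parse_hardened(xml_bytes, requests)
    except SAXNotSupportedException:
        return True
    return False


# Constructed sample descriptor whose DTD declares an external general
# entity.  The system id is a placeholder; with external-general-entities
# set to False the parser never attempts to open it.
SAMPLE_XML = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE component-set [\n'
    b'  <!ENTITY ext SYSTEM "file:///nonexistent/placeholder.txt">\n'
    b']>\n'
    b'<component-set><role>hello&ext;</role></component-set>\n'
)

if __name__ == "__main__":
    text, applied, unsupported = parse_hardened(SAMPLE_XML)
    print("text:", repr(text), "applied:", applied, "unsupported:", unsupported)
    with_unknown = {**HARDENING_FEATURES, UNKNOWN_FEATURE: False}
    print("fail closed on unknown feature:", fails_closed(SAMPLE_XML, with_unknown))
    text, applied, unsupported = parse_hardened(SAMPLE_XML, with_unknown, fail_closed=False)
    print("proceeding knowingly; unsupported:", list(unsupported))
```

The point of returning `unsupported` rather than dropping the exception is that the decision to parse without a requested protection stays visible at the call site, where a packager or reviewer can judge whether the driver is safe for that input by construction; a `// skip` in the driver hides that decision from everyone downstream.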
Remco van 't Veer wrote on 4 Jun 2022 16:25
(name . Julien Lepiller)(address . julien@lepiller.eu)
87ilpgmros.fsf@remworks.net
2022/06/04 15:47, Julien Lepiller:

> So I figured I could fix java-plexus-component-metadata that we use to
> generate some xml files during the build of maven. jdom is one of its
> inputs. Adding another jdom to the native inputs would probably not fix
> the issue.

Reverting the jdom upgrade patch, I did get maven-core to build. I admit
I did not try running it. My interest in maven is as a dependency of
clojure-tools; I don't really know how to test whether maven is actually
working by itself.

> What I did instead is, since jdom wants to set more features than
> supported in the driver, to add dummy support for all these additional
> features by just not throwing the exception. It's not very satisfying,
> but it works and we don't keep a vulnerable jdom around. With the
> attached patch, I built up to maven.

Smart! I look forward to seeing your patch land in the main branch.

Cheers,
Remco
Dr. Arne Babenhauserheide wrote on 4 Jun 2022 17:00
(name . Julien Lepiller)(address . julien@lepiller.eu)
874k10wjzo.fsf@web.de
Julien Lepiller <julien@lepiller.eu> writes:
> What I did instead is, since jdom wants to set more features than
> supported in the driver, to add dummy support for all these additional
> features by just not throwing the exception. It's not very satisfying,
> but it works and we don't keep a vulnerable jdom around. With the
> attached patch, I built up to maven.

Thank you!

The patch looks clear enough — will you push it?

Best wishes,
Arne
--
Being apolitical
means being political
without noticing it.
draketo.de

Steve George wrote on 7 Jun 2022 12:32
RE: maven-core fails to build
(address . 55776@debbugs.gnu.org)
22246d27-ce50-4361-4bb9-cd5065c76269@futurile.net
Hi,

I was able to build java-plexus-component-metadata using this patch, and
from there maven to clojure-tools.

Cheers,

Futurile
Andrew Tropin wrote on 8 Jun 2022 17:35
Re: bug#55776: maven-core fails to build
87k09r9nhh.fsf@trop.in
On 2022-06-04 15:47, Julien Lepiller wrote:

> On Sat, 04 Jun 2022 12:25:21 +0200,
> Remco van 't Veer <remco@remworks.net> wrote:
>
>> I did some digging and found this regression is caused by commit:
>>
>> 6068b83b82475566acd4162467bcf54270f338f9
>> "gnu: java-jdom: Update to 2.0.6.1 [fixes CVE-2021-33813]."
>>
>> Apparently the fix for this issue causes jdom to be very strict;
>>
>> > java.io.IOException: Invalid input descriptor for merge:
>> > /tmp/plexus-metadata3957336728290309540xml -->
>> > http://xml.org/sax/features/external-general-entities feature
>> > http://xml.org/sax/features/external-general-entities not supported
>> > for SAX driver org.codehaus.plexus.metadata.merge.Driver
>>
>> Which sounds familiar when looking at that CVE
>> (https://github.com/advisories/GHSA-2363-cqg2-863c):
>>
>> > An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to
>> > cause a denial of service via a crafted HTTP request. At this time
>> > there is no released fixed version of JDOM. As a workaround, to
>> > avoid external entities being expanded, one can call
>> > builder.setExpandEntities(false) and they won't be expanded.
>>
>> I dunno how to fix this though, I'm just a curious guixer. Easiest
>> path seems to be to make a new java-jdom-2.0.6 var and use that as a
>> native-input for maven. Would that be an acceptable solution?
>>
>> Cheers,
>> Remco
>>
>
> Like you say, the issue is with the new jdom. Believe it or not, but
> between 2.0.6 and 2.0.6.1 there's some breakage (and > 1 year of
> changes, too)!
>
> So I figured I could fix java-plexus-component-metadata that we use to
> generate some xml files during the build of maven. jdom is one of its
> inputs. Adding another jdom to the native inputs would probably not fix
> the issue.
>
> What I did instead is, since jdom wants to set more features than
> supported in the driver, to add dummy support for all these additional
> features by just not throwing the exception. It's not very satisfying,
> but it works and we don't keep a vulnerable jdom around. With the
> attached patch, I built up to maven.
> From 2523b6c6b3f81f8a86b7c768dfed9dae97978e93 Mon Sep 17 00:00:00 2001
> From: Julien Lepiller <julien@lepiller.eu>
> Date: Sat, 4 Jun 2022 15:41:41 +0200
> Subject: [PATCH] gnu: java-plexus-component-metadata: Fix package.
>
> * gnu/packages/java.scm (java-plexus-component-metadata): Apply fix for
> newer jdom.
> ---
> gnu/packages/java.scm | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/gnu/packages/java.scm b/gnu/packages/java.scm
> index 336e84e3e5..f475f7c270 100644
> --- a/gnu/packages/java.scm
> +++ b/gnu/packages/java.scm
> @@ -4537,6 +4537,14 @@ (define-public java-plexus-component-metadata-1.7
> (copy-recursively "src/main/resources"
> "build/classes/")
> #t))
> + (add-before 'build 'fix-jdom
> + (lambda _
> + ;; The newer version of jdom now sets multiple features by default
> + ;; that are not supported.
> + ;; Skip these features
> + (substitute* "src/main/java/org/codehaus/plexus/metadata/merge/MXParser.java"
> + (("throw new XmlPullParserException\\(\"unsupporte feature \"\\+name\\);")
> + "// skip"))))
> (add-before 'check 'fix-test-location
> (lambda _
> (substitute* '("src/test/java/org/codehaus/plexus/metadata/DefaultComponentDescriptorWriterTest.java"

Works for me as well. Probably can be merged to master?

--
Best regards,
Andrew Tropin

Julien Lepiller wrote on 8 Jun 2022 20:36
(name . Dr. Arne Babenhauserheide)(address . arne_bab@web.de)
20220608203627.724d3682@sybil.lepiller.eu
On Sat, 04 Jun 2022 17:00:15 +0200,
"Dr. Arne Babenhauserheide" <arne_bab@web.de> wrote:

> Julien Lepiller <julien@lepiller.eu> writes:
> > What I did instead is, since jdom wants to set more features than
> > supported in the driver, to add dummy support for all these
> > additional features by just not throwing the exception. It's not
> > very satisfying, but it works and we don't keep a vulnerable jdom
> > around. With the attached patch, I built up to maven.
>
> Thank you!
>
> The patch looks clear enough — will you push it?
>
> Best wishes,
> Arne

Pushed to master as f0d9248267dabd2feb5c004d6e4610cbdf3e5b87, thanks
for testing it :)
Closed