GitLab

Fixed: Builds fail due to unauthorized access to repo.spring.io/plugins-release (OFBIZ-12351) (#334)

Replaces repository syndication by rometools

Thanks Mart Naum for report

For now only description is shown. OOTB some categories have no description
We can easily fix that by showing more info. I suggest to add categoryName and
productCategoryId. That should be enough. There are then no blank lines since
productCategoryId always show.

This is anyway customisable by users

Currently OFBiz is broken and hard to fix. You can't even create an order !

Revert "Improved: visibility of expire button (OFBIZ-12362) (#331)"
This reverts commit e3b125ef.

Revert "(OFBIZ-5980) Improvement: PartyRole record(s) expiration/revocation (#330)"
This reverts commit a8ab2be5.

Revert "Improved: seed data (OFBIZ-12355) (#328)"
This reverts commit b204b867.

Revert "Reverted: Have the ability to revoke (expire) roles of a party (OFBIZ-5980)"
This reverts commit 85e066de.

Revert "Reverted: damn I did not revert the right push :/"
This reverts commit b867b2a8.

Revert "(OFBIZ-5980) Improvement: PartyRole record(s) expiration/revocation (#325)"
This reverts commit 8ed2252d.

Revert "Reverted: Have the ability to revoke (expire) roles of a party (OFBIZ-5980)"
This reverts commit 5b5e03f7.

Revert "Improved: Have the ability to revoke (expire) roles of a party (OFBIZ-5980)"
This reverts commit 46f7ee91.

Revert "Improved: seed data (OFBIZ-12353) (#324)"
This reverts commit fade92bb.

Fixes "A DOM text reinterpreted as HTML" issue in fieldlookup.js

GH CodeQL reports:
"A webpage with this vulnerability reads text from the DOM, and afterwards adds
the text as HTML to the DOM. Using text from the DOM as HTML effectively
unescapes the text, and thereby invalidates any escaping done on the text. If an
attacker is able to control the safe sanitized text, then this vulnerability can
be exploited to perform a cross-site scripting attack.

Recommendation
To guard against cross-site scripting, consider using contextual output
encoding/escaping before writing text to the page, or one of the other solutions
that are mentioned in the References section below.

Example
"Extracting text from a DOM node and interpreting it as HTML can lead to a
cross-site scripting vulnerability."

GH CodeQL suggest:
The above vulnerability can be fixed by using $.find instead of $. The $.find
function will only interpret target as a CSS selector and never as HTML,
thereby preventing an XSS attack.

At Gavin's request a non functional change to test Buildbot migration

No Java check for now, it'd irremediably fail because of a too large SARIF file

Run only when a Java or Javascript file has been modified.
Java will still fails OFBiz is too big and there are no ways to restrict the
files to check.

applied 'use-when' on field 'expire'

Try the simpler solution to test if it get other files than *.java

I forgot to put tasks.checkstyleMain.maxErrors at zero.
While at it now show new violations in console

added/changed/updated:
- added field definition for from and through date to the entity
- added service for expiration
- request-map for expiration
- appropriate forms to work with  added entity fields
- added groovy code to check existing when adding PartyRole record and call expiration service if needed
- adding fromDate value to seed, test and demo data

Name of the PartyRelationshipType

Reverts commit 46f7ee91

Reverted on Pierre Smits kindly asking for authoring by pushing a PR, not only a
thanks while committing his patch after testing it locally

Instead of reverting 46f7ee91 I reverted
c431f065 ie

added/changed/updated:
- added field definition for from and through date to the entity
- added service for expiration
- request-map for expiration
- appropriate forms to work with  added entity fields
- added groovy code to check existing when adding PartyRole record and call expiration service if needed
- adding fromDate value to seed, test and demo data

Reverts commit 46f7ee91

Reverted on Pierre Smits kindly asking for authoring by pushing a PR, not only a
thanks while committing his patch after testing it locally

removed: display attribute

Currently it only possible to delete a role. That can lead to potential error
messages, when a particular role is associated with records where the roleTypeId
is used as a foreign key in the entity-model/database and the user tries to
delete that role from the list.

In order to avoid such, it is better to revoke the PartyRole record by setting
an expiration date (end date) on the record.

Thanks: Pierre Smits

Improved: Try to reduce "Incomplete string escaping or encoding branch" issues reported by CodeQL (OFBIZ-12356)

GH CodeQL reports 556 "Incomplete string escaping or encoding branch" issues
(there are 588 issues at all).

Most of them are in jQuery-UI but not only. So this only an attempt to clarify
among the 23 pages reported by upgrading jQuery-UI to 1.13.0.

added: employer roletype

Forgot to save a comment

I just flushed my Gradle cache and observed that I am not able to build OFBiz
any longer due to unauthorized access to spring/plugins-release. The repository
seems to be required for com.springsource.com.sun.syndication, maven lists .
I reckon we are affected by the repo.spring.io permission changes.

Thanks: Mart Naum for report, Wiebke for temporary fix (downgrading)

Co-authored-by: Mohammad <mohammad@MacBook-Air.local>

(OFBIZ-)

Following
https://github.com/node-gradle/gradle-node-plugin/blob/master/docs/faq.md#how-do-i-use-npm-ci-instead-of-npm-install

I have tried the feature (see in the Jira issue).
I'm not sure it's currently quite useful in OFBiz.
Anyway it does not hurt to add this possibility, notably for specific CI cases

Note that when updating Gradle we may need to review that:
https://github.com/node-gradle/gradle-node-plugin/blob/master/docs/faq.md#is-this-plugin-compatible-with-centralized-repositories-declaration

As reported at https://markmail.org/message/uof5ldk4o3x2ya33 I did not spot that
I also needed to commit the checksum change.

There is maybe more to do related to using "npm ci" instead of "npm install",
I'll check it out.

Adds unused hashCode method to *ArtifactInfo and PackingSession classes
Makes final CmsEvents, ContactMechWorker and PartyWorker classes

There are no longer any checkstyle issues

Adds getter and setter to ScreenRenderer class
Adds unused hashCode method to ControllerRequestArtifactInfo class
Makes final UomWorker and ContactHelper classes

Only 10 checkstyle issues now

At https://markmail.org/message/3mhzlqew3igad3r2 I reported an issue that I was
not able to really qualify. After exchanging with a Checkstyle expert
(see markmail thread).

I was unable to find what in our checkstyle.xml file was wrongly throwing these
warnings. I decided that there was no reason to throw those warnings.

So I decided to put the SuppressionCommentFilter in our checkstyle.xml file and
use CHECKSTYLE_OFF: ALMOST_ALL/CHECKSTYLE_ON: ALMOST_ALL around
the concerned lines as documented here
https://checkstyle.sourceforge.io/config_filters.html#SuppressionCommentFilter_Examples

Fixes wrong methods names in EntityFunction class
Not sure why this one was missing (I used Eclipse refactoring and compilation
worked locally)

Fixes wrong methods names in EntityFunction class

This will be used to check vulnerability in Java and Js code. It's directly committed from GH

Dependabot installed at GH warned me about this vulnerability during pushing

Forgot change in build.gradle

We currently have 54 checkstyle errors, few are related to too long methods

Obviously nobody have currently time to work on this issue.

This commit increases the max MethodLength to 784 to hide all current related
errors. This reduces checkstyle errors to 48. It also allows to easier focus on
other errors.

It still possible to works on OFBIZ-12338 by temporary reverting this commit or
replacing max ParameterNumber by the number wanted (was 500, is 60 by default)

Upgrades to Apache Tomcat 9.0.54

Removed javascript for jQuery, jQuery Migrate, jQuery Browser and jQuery Validation from OFBiz sources. Instead these are now retrieved during the build as NPM packages using gradle-node-plugin.

Thanks: Aditya Sharma for implementation.

Prevents an useless inevitable warning by commenting out
RequestWrapper::getParameterNames and with it all the unused methods in
RequestWrapper class

Also better comments CacheFilter::doFilter by giving its real and only goal:
<<to prevent a post-auth security issue described in OFBIZ-12332>>