From 7c4833c3fd3545f8716c6337fd167d57ffd5f053 Mon Sep 17 00:00:00 2001 From: Bhanu Reddy Date: Thu, 24 Jul 2025 19:00:05 +0530 Subject: [PATCH 01/19] Fix jackson version security vulnerability (#407) --- build.gradle | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/build.gradle b/build.gradle index 025705ce..b800c09b 100644 --- a/build.gradle +++ b/build.gradle @@ -64,9 +64,9 @@ subprojects { } implementation 'commons-codec:commons-codec:1.13' implementation 'org.apache.commons:commons-lang3:3.12.0' - implementation 'com.fasterxml.jackson.core:jackson-core:2.14.1' - implementation 'com.fasterxml.jackson.core:jackson-databind:2.14.1' - implementation 'com.fasterxml.jackson.core:jackson-annotations:2.14.1' + implementation 'com.fasterxml.jackson.core:jackson-core:2.19.1' + implementation 'com.fasterxml.jackson.core:jackson-databind:2.19.1' + implementation 'com.fasterxml.jackson.core:jackson-annotations:2.19.1' api 'org.jfrog.filespecs:file-specs-java:1.1.1' } From 19e148ed504a67920463f7fa8569256d8f6cf1f3 Mon Sep 17 00:00:00 2001 From: Bhanu Reddy Date: Fri, 25 Jul 2025 12:47:04 +0530 Subject: [PATCH 02/19] Multiple security fixes --- build.gradle | 4 ++-- httpClient/build.gradle | 2 +- .../artifactory/client/httpClient/http/HttpBuilderBase.java | 2 +- services/build.gradle | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/build.gradle b/build.gradle index b800c09b..61a37026 100644 --- a/build.gradle +++ b/build.gradle 
@@ -63,11 +63,11 @@ subprojects { exclude group: 'commons-codec', module: 'commons-codec' } implementation 'commons-codec:commons-codec:1.13' - implementation 'org.apache.commons:commons-lang3:3.12.0' + implementation 'org.apache.commons:commons-lang3:3.18.0' implementation 'com.fasterxml.jackson.core:jackson-core:2.19.1' implementation 'com.fasterxml.jackson.core:jackson-databind:2.19.1' implementation 'com.fasterxml.jackson.core:jackson-annotations:2.19.1' - api 'org.jfrog.filespecs:file-specs-java:1.1.1' + api 'org.jfrog.filespecs:file-specs-java:1.1.2' } task sourcesJar(type: Jar, dependsOn: classes) { diff --git a/httpClient/build.gradle b/httpClient/build.gradle index 8c8dd627..7e4deeec 100644 --- a/httpClient/build.gradle +++ b/httpClient/build.gradle @@ -8,5 +8,5 @@ repositories { dependencies { testImplementation group: 'org.testng', name: 'testng', version: '7.5.1' - testImplementation group: 'com.github.tomakehurst', name: 'wiremock-jre8', version: '2.35.1' + testImplementation group: 'com.github.tomakehurst', name: 'wiremock-jre8', version: '3.0.1' } \ No newline at end of file diff --git a/httpClient/src/main/java/org/jfrog/artifactory/client/httpClient/http/HttpBuilderBase.java b/httpClient/src/main/java/org/jfrog/artifactory/client/httpClient/http/HttpBuilderBase.java index 349eb872..5be76fde 100644 --- a/httpClient/src/main/java/org/jfrog/artifactory/client/httpClient/http/HttpBuilderBase.java +++ b/httpClient/src/main/java/org/jfrog/artifactory/client/httpClient/http/HttpBuilderBase.java @@ -399,7 +399,7 @@ private SSLContext buildSslContext() { sslContext = sslBuilder.build(); } } catch (Exception e) { - e.printStackTrace(); + throw new RuntimeException("Error building SSLContext: " + e.getMessage(), e); } return sslContext != null ? sslContext : SSLContexts.createDefault(); } diff --git a/services/build.gradle b/services/build.gradle index 85d5b40f..d0ac6486 100644 --- a/services/build.gradle +++ b/services/build.gradle 
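Review bot: The new `throw` in the catch block of `buildSslContext()` raises a bare `RuntimeException` from a `catch (Exception e)`, so callers cannot tell a TLS configuration failure from any other unchecked error. Failing closed is the right direction, since the old code printed the stack trace and fell through to `SSLContexts.createDefault()`, but the type should say what went wrong, for example `throw new IllegalStateException("Error building SSLContext", e);` (the cause already carries the message). The line `return sslContext != null ? sslContext : SSLContexts.createDefault();` still substitutes the default context when the try block leaves `sslContext` null. The conditions leading there are outside the hunk, so confirm that path is only reachable when no custom key or trust material was requested. A Javadoc line stating that the method now throws on a build failure would help callers of the builder.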
@@ -15,7 +15,7 @@ dependencies { * https://github.com/jfrog/artifactory-client-java/issues/43 * https://github.com/jfrog/artifactory-client-java/issues/232 */ - testRuntimeOnly group: 'ch.qos.logback', name: 'logback-classic', version: '1.2.9' + testRuntimeOnly group: 'ch.qos.logback', name: 'logback-classic', version: '1.3.15' } task createReleasePropertiesFile(type: Exec) { From bce211d95c202fef9847ebf6d4445392c5e9c767 Mon Sep 17 00:00:00 2001 From: Bhanu Reddy Date: Fri, 25 Jul 2025 16:14:27 +0530 Subject: [PATCH 03/19] Revert the version which is not available for java8 --- httpClient/build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/httpClient/build.gradle b/httpClient/build.gradle index 7e4deeec..de6d80c6 100644 --- a/httpClient/build.gradle +++ b/httpClient/build.gradle @@ -8,5 +8,5 @@ repositories { dependencies { testImplementation group: 'org.testng', name: 'testng', version: '7.5.1' - testImplementation group: 'com.github.tomakehurst', name: 'wiremock-jre8', version: '3.0.1' + testImplementation group: 'com.github.tomakehurst', name: 'wiremock-jre8', version: '2.35.0' } \ No newline at end of file From 443bbd93c71929b0ae10bd3cf5147736d402a7f6 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Mon, 28 Jul 2025 13:46:03 +0530 Subject: [PATCH 04/19] "adding script to ensure artifactory running" --- .github/workflows/tests.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 6ebd25ec..24b4ab18 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
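Review bot: The `wiremock-jre8` pin in `httpClient/build.gradle` lands on `2.35.0`, which is lower than the `2.35.1` in place before PATCH 02 changed it to `3.0.1`, so this is a downgrade rather than a revert. If `3.0.1` is unavailable for Java 8, restoring the earlier line `testImplementation group: 'com.github.tomakehurst', name: 'wiremock-jre8', version: '2.35.1'` keeps the series from ending on an older test dependency than it started with. If `2.35.0` is intentional, a comment next to the pin saying why would stop a later scanner-driven bump from repeating the cycle.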
@@ -43,5 +43,18 @@ jobs: java-version: "8" distribution: "zulu" + - name: Wait for Artifactory + run: | + for i in {1..30}; do + if curl -sf http://localhost:8081/artifactory/api/system/ping; then + echo "Artifactory is up!" + exit 0 + fi + echo "Waiting for Artifactory..." + sleep 10 + done + echo "Artifactory did not start in time" + exit 1 + - name: Run tests run: ./gradlew${{ matrix.gradlewSuffix }} clean test From 68e1a02ba1f5b6993489f23796b3cc06886ffa53 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Mon, 4 Aug 2025 22:15:45 +0530 Subject: [PATCH 05/19] "fix for the failed test cases" --- .../client/model/builder/RemoteRepositoryBuilder.java | 4 ++++ build.gradle | 1 + .../org/jfrog/artifactory/client/BaseRepositoryTests.groovy | 2 ++ .../artifactory/client/GemsPackageTypeRepositoryTests.groovy | 2 +- .../client/TerraformPackageTypeRepositoryTests.groovy | 1 + 5 files changed, 9 insertions(+), 1 deletion(-) diff --git a/api/src/main/java/org/jfrog/artifactory/client/model/builder/RemoteRepositoryBuilder.java b/api/src/main/java/org/jfrog/artifactory/client/model/builder/RemoteRepositoryBuilder.java index ea3f04be..9940ee5c 100644 --- a/api/src/main/java/org/jfrog/artifactory/client/model/builder/RemoteRepositoryBuilder.java +++ b/api/src/main/java/org/jfrog/artifactory/client/model/builder/RemoteRepositoryBuilder.java @@ -102,4 +102,8 @@ public interface RemoteRepositoryBuilder extends NonVirtualRepositoryBuilder customProperties protected Boolean storeArtifactsLocallyInRemoteRepo + protected Boolean fetchContentOnCreate protected String remoteRepoUrl = "https://github.com" public static final REPO_NAME_PREFIX = "rt-client-java" 
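Review bot: The `Wait for Artifactory` step has no `shell:` key, and the loop `for i in {1..30}; do` is bash syntax. If the job matrix includes a Windows runner, which the `gradlewSuffix` matrix value in the next step suggests, the default shell there is PowerShell and the step fails before the first ping; adding `shell: bash` to the step avoids that. The `curl -sf` call also has no time limit, so a hung connection can stretch the wait well past the intended 30 attempts; `curl -sf --max-time 5 http://localhost:8081/artifactory/api/system/ping` bounds it. The same step is re-added unchanged in PATCH 08.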
@@ -140,6 +141,7 @@ abstract class BaseRepositoryTests extends ArtifactoryTestsBase { .shareConfiguration(rnd.nextBoolean()) .socketTimeoutMillis(rnd.nextInt()) .storeArtifactsLocally(ObjectUtils.defaultIfNull(storeArtifactsLocallyInRemoteRepo, rnd.nextBoolean())) + .fetchContentOnCreate(ObjectUtils.defaultIfNull(fetchContentOnCreate, rnd.nextBoolean())) .synchronizeProperties(rnd.nextBoolean()) .unusedArtifactsCleanupPeriodHours(Math.abs(rnd.nextInt())) .url(remoteRepoUrl) diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy index 44232fd7..bc9ffaef 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy @@ -14,7 +14,7 @@ import org.testng.annotations.Test class GemsPackageTypeRepositoryTests extends BaseRepositoryTests { GemsPackageTypeRepositoryTests() { - remoteRepoUrl = "https://rubygems.org" + fetchContentOnCreate = false } @Override diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy index 1072b295..025919bf 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy @@ -15,6 +15,7 @@ class TerraformPackageTypeRepositoryTests extends BaseRepositoryTests { TerraformPackageTypeRepositoryTests() { remoteRepoUrl = "https://github.com" + storeArtifactsLocallyInRemoteRepo = true } @Override From 027d5b66f17611500d55bead3be660c672795f00 Mon Sep 17 00:00:00 2001 
From: nitinp19 Date: Mon, 4 Aug 2025 22:29:17 +0530 Subject: [PATCH 06/19] Revert ""adding script to ensure artifactory running"" This reverts commit 443bbd93c71929b0ae10bd3cf5147736d402a7f6. --- .github/workflows/tests.yml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 24b4ab18..6ebd25ec 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -43,18 +43,5 @@ jobs: java-version: "8" distribution: "zulu" - - name: Wait for Artifactory - run: | - for i in {1..30}; do - if curl -sf http://localhost:8081/artifactory/api/system/ping; then - echo "Artifactory is up!" - exit 0 - fi - echo "Waiting for Artifactory..." - sleep 10 - done - echo "Artifactory did not start in time" - exit 1 - - name: Run tests run: ./gradlew${{ matrix.gradlewSuffix }} clean test From d54df2e1a7da3e71cecfaecd683abea9b08ab767 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Mon, 4 Aug 2025 22:32:16 +0530 Subject: [PATCH 07/19] Revert ""fix for the failed test cases"" This reverts commit 68e1a02ba1f5b6993489f23796b3cc06886ffa53. --- .../client/model/builder/RemoteRepositoryBuilder.java | 4 ---- build.gradle | 1 - .../org/jfrog/artifactory/client/BaseRepositoryTests.groovy | 2 -- .../artifactory/client/GemsPackageTypeRepositoryTests.groovy | 2 +- .../client/TerraformPackageTypeRepositoryTests.groovy | 1 - 5 files changed, 1 insertion(+), 9 deletions(-) diff --git a/api/src/main/java/org/jfrog/artifactory/client/model/builder/RemoteRepositoryBuilder.java b/api/src/main/java/org/jfrog/artifactory/client/model/builder/RemoteRepositoryBuilder.java index 9940ee5c..ea3f04be 100644 --- a/api/src/main/java/org/jfrog/artifactory/client/model/builder/RemoteRepositoryBuilder.java +++ b/api/src/main/java/org/jfrog/artifactory/client/model/builder/RemoteRepositoryBuilder.java 
@@ -102,8 +102,4 @@ public interface RemoteRepositoryBuilder extends NonVirtualRepositoryBuilder customProperties protected Boolean storeArtifactsLocallyInRemoteRepo - protected Boolean fetchContentOnCreate protected String remoteRepoUrl = "https://github.com" public static final REPO_NAME_PREFIX = "rt-client-java" @@ -141,7 +140,6 @@ abstract class BaseRepositoryTests extends ArtifactoryTestsBase { .shareConfiguration(rnd.nextBoolean()) .socketTimeoutMillis(rnd.nextInt()) .storeArtifactsLocally(ObjectUtils.defaultIfNull(storeArtifactsLocallyInRemoteRepo, rnd.nextBoolean())) - .fetchContentOnCreate(ObjectUtils.defaultIfNull(fetchContentOnCreate, rnd.nextBoolean())) .synchronizeProperties(rnd.nextBoolean()) .unusedArtifactsCleanupPeriodHours(Math.abs(rnd.nextInt())) .url(remoteRepoUrl) diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy index bc9ffaef..44232fd7 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy @@ -14,7 +14,7 @@ import org.testng.annotations.Test class GemsPackageTypeRepositoryTests extends BaseRepositoryTests { GemsPackageTypeRepositoryTests() { - fetchContentOnCreate = false + remoteRepoUrl = "https://rubygems.org" } @Override diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy index 025919bf..1072b295 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy 
@@ -15,7 +15,6 @@ class TerraformPackageTypeRepositoryTests extends BaseRepositoryTests { TerraformPackageTypeRepositoryTests() { remoteRepoUrl = "https://github.com" - storeArtifactsLocallyInRemoteRepo = true } @Override From 3b01c28919975aae2e0dd759ac0fad6a2275a21e Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Mon, 4 Aug 2025 22:33:37 +0530 Subject: [PATCH 08/19] "adding wait for artifactory" --- .github/workflows/tests.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 6ebd25ec..d80adf92 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -43,5 +43,18 @@ jobs: java-version: "8" distribution: "zulu" + - name: Wait for Artifactory + run: | + for i in {1..30}; do + if curl -sf http://localhost:8081/artifactory/api/system/ping; then + echo "Artifactory is up!" + exit 0 + fi + echo "Waiting for Artifactory..." + sleep 10 + done + echo "Artifactory did not start in time" + exit 1 + - name: Run tests run: ./gradlew${{ matrix.gradlewSuffix }} clean test From f815c7d937109eefaa0164f78801261fdd7ea049 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Mon, 4 Aug 2025 23:11:54 +0530 Subject: [PATCH 09/19] "check with new implementation" --- services/build.gradle | 1 + .../artifactory/client/BaseRepositoryTests.groovy | 10 +++++----- .../client/TerraformPackageTypeRepositoryTests.groovy | 1 + 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/services/build.gradle b/services/build.gradle index d0ac6486..b5bf0d58 100644 --- a/services/build.gradle +++ b/services/build.gradle @@ -8,6 +8,7 @@ dependencies { implementation addSlf4J('log4j-over-slf4j') implementation addSlf4J('jcl-over-slf4j') implementation 'commons-io:commons-io:2.17.0' + implementation 'org.slf4j:slf4j-simple:2.0.9' testImplementation group: 'org.hamcrest', name: 'hamcrest-core', version: '2.2' testImplementation group: 'org.testng', name: 'testng', version: '7.5.1' /* 
diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy index 911dd282..fbda097c 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy @@ -174,12 +174,12 @@ abstract class BaseRepositoryTests extends ArtifactoryTestsBase { @AfterMethod protected void tearDown() { - // Invoking sequence is important! - deleteRepoIfExists(genericRepo?.getKey()) - deleteRepoIfExists(localRepo?.getKey()) - deleteRepoIfExists(remoteRepo?.getKey()) + // Invoking sequence is important! Delete in reverse dependency order + deleteRepoIfExists(virtualRepo?.getKey()) // Delete virtual repo first (depends on generic) deleteRepoIfExists(federatedRepo?.getKey()) - deleteRepoIfExists(virtualRepo?.getKey()) + deleteRepoIfExists(remoteRepo?.getKey()) + deleteRepoIfExists(localRepo?.getKey()) + deleteRepoIfExists(genericRepo?.getKey()) // Delete generic repo last (after dependents) repoUniqueId++ } diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy index 1072b295..025919bf 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy @@ -15,6 +15,7 @@ class TerraformPackageTypeRepositoryTests extends BaseRepositoryTests { TerraformPackageTypeRepositoryTests() { remoteRepoUrl = "https://github.com" + storeArtifactsLocallyInRemoteRepo = true } @Override From 674d609c1b2e5946f18010b8d5e10f69a277c01d Mon Sep 17 00:00:00 2001 
From: nitinp19 Date: Tue, 5 Aug 2025 10:07:41 +0530 Subject: [PATCH 10/19] "disable remote indexing for gems for bypassing lock" --- .../client/GemsPackageTypeRepositoryTests.groovy | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy index 44232fd7..54c92ed6 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy @@ -2,6 +2,7 @@ package org.jfrog.artifactory.client import org.hamcrest.CoreMatchers import org.jfrog.artifactory.client.model.RepositoryType +import org.jfrog.artifactory.client.model.impl.RepositoryTypeImpl import org.jfrog.artifactory.client.model.repository.settings.RepositorySettings import org.jfrog.artifactory.client.model.repository.settings.impl.GemsRepositorySettingsImpl import org.testng.annotations.Test @@ -22,8 +23,12 @@ class GemsPackageTypeRepositoryTests extends BaseRepositoryTests { def settings = new GemsRepositorySettingsImpl() settings.with { - // remote - listRemoteFolderItems = rnd.nextBoolean() + // remote - Use false for REMOTE repos to prevent rubygems.org indexing that causes locks + if (repositoryType == RepositoryTypeImpl.REMOTE) { + listRemoteFolderItems = false // Prevent background indexing of rubygems.org + } else { + listRemoteFolderItems = rnd.nextBoolean() // Maintain test coverage for other types + } } return settings From e61b761d523eae5d2dd1e69e6815e4bdd53d374b Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Tue, 5 Aug 2025 10:19:37 +0530 Subject: [PATCH 11/19] "fixing the slf4j warning" --- build.gradle | 13 +++++++++++++ services/build.gradle | 1 - 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 61a37026..e6918d2f 100644 
--- a/build.gradle +++ b/build.gradle @@ -133,4 +133,17 @@ subprojects { useInMemoryPgpKeys(signingKey, signingPassword) sign publishing.publications.main } + + configurations { + all { + // Exclude multiple SLF4J implementations to prevent binding conflicts + exclude group: 'org.slf4j', module: 'slf4j-simple' + exclude group: 'org.slf4j', module: 'slf4j-log4j12' + exclude group: 'org.slf4j', module: 'slf4j-jdk14' + exclude group: 'org.slf4j', module: 'slf4j-reload4j' + // Exclude old logging frameworks + exclude group: 'log4j', module: 'log4j' + exclude group: 'commons-logging', module: 'commons-logging' + } + } } diff --git a/services/build.gradle b/services/build.gradle index b5bf0d58..d0ac6486 100644 --- a/services/build.gradle +++ b/services/build.gradle @@ -8,7 +8,6 @@ dependencies { implementation addSlf4J('log4j-over-slf4j') implementation addSlf4J('jcl-over-slf4j') implementation 'commons-io:commons-io:2.17.0' - implementation 'org.slf4j:slf4j-simple:2.0.9' testImplementation group: 'org.hamcrest', name: 'hamcrest-core', version: '2.2' testImplementation group: 'org.testng', name: 'testng', version: '7.5.1' /* From 21da70c2e8afbfca191050a1ee70fb135c566fa3 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Tue, 5 Aug 2025 10:49:31 +0530 Subject: [PATCH 12/19] "removing commons-logging from the exclusion" --- build.gradle | 1 - 1 file changed, 1 deletion(-) diff --git a/build.gradle b/build.gradle index e6918d2f..9af24666 100644 --- a/build.gradle +++ b/build.gradle @@ -143,7 +143,6 @@ subprojects { exclude group: 'org.slf4j', module: 'slf4j-reload4j' // Exclude old logging frameworks exclude group: 'log4j', module: 'log4j' - exclude group: 'commons-logging', module: 'commons-logging' } } } From bddb4128a10e780f6d42d7e0997a3c795f42166c Mon Sep 17 00:00:00 2001 
From: nitinp19 Date: Tue, 5 Aug 2025 11:16:13 +0530 Subject: [PATCH 13/19] "making it list remote item false for all the repository for gems" --- build.gradle | 12 ------------ .../client/GemsPackageTypeRepositoryTests.groovy | 8 ++------ 2 files changed, 2 insertions(+), 18 deletions(-) diff --git a/build.gradle b/build.gradle index 9af24666..61a37026 100644 --- a/build.gradle +++ b/build.gradle @@ -133,16 +133,4 @@ subprojects { useInMemoryPgpKeys(signingKey, signingPassword) sign publishing.publications.main } - - configurations { - all { - // Exclude multiple SLF4J implementations to prevent binding conflicts - exclude group: 'org.slf4j', module: 'slf4j-simple' - exclude group: 'org.slf4j', module: 'slf4j-log4j12' - exclude group: 'org.slf4j', module: 'slf4j-jdk14' - exclude group: 'org.slf4j', module: 'slf4j-reload4j' - // Exclude old logging frameworks - exclude group: 'log4j', module: 'log4j' - } - } } diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy index 54c92ed6..144e4cfb 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy @@ -23,12 +23,8 @@ class GemsPackageTypeRepositoryTests extends BaseRepositoryTests { def settings = new GemsRepositorySettingsImpl() settings.with { - // remote - Use false for REMOTE repos to prevent rubygems.org indexing that causes locks - if (repositoryType == RepositoryTypeImpl.REMOTE) { - listRemoteFolderItems = false // Prevent background indexing of rubygems.org - } else { - listRemoteFolderItems = rnd.nextBoolean() // Maintain test coverage for other types - } + // Ensure listRemoteFolderItems is false only for Gems tests to avoid indexing issues + listRemoteFolderItems = false } return settings 
From 6215d5ce115eaa4b2a5fd90a2dd316459622a290 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Tue, 5 Aug 2025 11:30:12 +0530 Subject: [PATCH 14/19] "only using remote item false for remote repository in gems" --- .../client/GemsPackageTypeRepositoryTests.groovy | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy index 144e4cfb..14d197de 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy @@ -22,11 +22,10 @@ class GemsPackageTypeRepositoryTests extends BaseRepositoryTests { RepositorySettings getRepositorySettings(RepositoryType repositoryType) { def settings = new GemsRepositorySettingsImpl() - settings.with { - // Ensure listRemoteFolderItems is false only for Gems tests to avoid indexing issues - listRemoteFolderItems = false + // Only set listRemoteFolderItems for remote repositories such that no indexing happens + if (repositoryType == org.jfrog.artifactory.client.model.impl.RepositoryTypeImpl.REMOTE) { + settings.listRemoteFolderItems = false } - return settings } From c263cba826279c791c69108342e53e0208d5f539 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Tue, 5 Aug 2025 11:51:40 +0530 Subject: [PATCH 15/19] "defining different artifactory home for all the os" --- .github/workflows/tests.yml | 6 +++++- .../client/GemsPackageTypeRepositoryTests.groovy | 7 ++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index d80adf92..b2559230 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
@@ -29,6 +29,10 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} + + - name: Set unique Artifactory home + run: echo "ARTIFACTORY_HOME=$(mktemp -d)" >> $GITHUB_ENV + - name: Setup Go with cache uses: jfrog/.github/actions/install-go-with-cache@main @@ -55,6 +59,6 @@ jobs: done echo "Artifactory did not start in time" exit 1 - + - name: Run tests run: ./gradlew${{ matrix.gradlewSuffix }} clean test diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy index 14d197de..9ee3e345 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy @@ -22,10 +22,11 @@ class GemsPackageTypeRepositoryTests extends BaseRepositoryTests { RepositorySettings getRepositorySettings(RepositoryType repositoryType) { def settings = new GemsRepositorySettingsImpl() - // Only set listRemoteFolderItems for remote repositories such that no indexing happens - if (repositoryType == org.jfrog.artifactory.client.model.impl.RepositoryTypeImpl.REMOTE) { - settings.listRemoteFolderItems = false + settings.with { + // remote + listRemoteFolderItems = rnd.nextBoolean() } + return settings } From a2d697c84af96088f8f34fa0ed690b4de79444a5 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Tue, 5 Aug 2025 11:53:31 +0530 Subject: [PATCH 16/19] "removing unused import" --- .../artifactory/client/GemsPackageTypeRepositoryTests.groovy | 1 - 1 file changed, 1 deletion(-) diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy index 9ee3e345..44232fd7 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy 
+++ b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy @@ -2,7 +2,6 @@ package org.jfrog.artifactory.client import org.hamcrest.CoreMatchers import org.jfrog.artifactory.client.model.RepositoryType -import org.jfrog.artifactory.client.model.impl.RepositoryTypeImpl import org.jfrog.artifactory.client.model.repository.settings.RepositorySettings import org.jfrog.artifactory.client.model.repository.settings.impl.GemsRepositorySettingsImpl import org.testng.annotations.Test From 48fe2b8b8ea17f561dfead6d311ba2370f413618 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Tue, 5 Aug 2025 12:36:22 +0530 Subject: [PATCH 17/19] "deleting the repository with retries" --- .github/workflows/tests.yml | 3 -- .../client/BaseRepositoryTests.groovy | 11 +++---- .../client/ArtifactoryTestsBase.java | 29 ++++++++++++++++++- 3 files changed, 34 insertions(+), 9 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index b2559230..6567a38f 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -30,9 +30,6 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} - - name: Set unique Artifactory home - run: echo "ARTIFACTORY_HOME=$(mktemp -d)" >> $GITHUB_ENV - - name: Setup Go with cache uses: jfrog/.github/actions/install-go-with-cache@main diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy index fbda097c..c495bd5e 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy 
@@ -57,6 +57,7 @@ abstract class BaseRepositoryTests extends ArtifactoryTestsBase { @BeforeMethod protected void setUp() { String id = Long.toString(repoUniqueId) + println "[SETUP] Starting test setup for repo id: $id at ${new Date()}" if (prepareGenericRepo) { RepositorySettings settings = getRepositorySettings(RepositoryTypeImpl.LOCAL) @@ -175,11 +176,11 @@ abstract class BaseRepositoryTests extends ArtifactoryTestsBase { @AfterMethod protected void tearDown() { // Invoking sequence is important! Delete in reverse dependency order - deleteRepoIfExists(virtualRepo?.getKey()) // Delete virtual repo first (depends on generic) - deleteRepoIfExists(federatedRepo?.getKey()) - deleteRepoIfExists(remoteRepo?.getKey()) - deleteRepoIfExists(localRepo?.getKey()) - deleteRepoIfExists(genericRepo?.getKey()) // Delete generic repo last (after dependents) + deleteRepoWithRetry(virtualRepo?.getKey()) // Delete virtual repo first (depends on generic) + deleteRepoWithRetry(federatedRepo?.getKey()) + deleteRepoWithRetry(remoteRepo?.getKey()) + deleteRepoWithRetry(localRepo?.getKey()) + deleteRepoWithRetry(genericRepo?.getKey()) // Delete generic repo last (after dependents) repoUniqueId++ } diff --git a/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java b/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java index 1401e0d7..18c58d0d 100644 --- a/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java +++ b/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java 
@@ -208,6 +208,32 @@ protected String textFrom(InputStream is) throws IOException { } } + protected void deleteRepoWithRetry(String repoKey) { + for (int attempt = 1; attempt <= 3; attempt++) { + try { + deleteRepoIfExists(repoKey); + return; + } catch (RuntimeException e) { + Throwable cause = e.getCause(); + if (cause instanceof HttpResponseException && + ((HttpResponseException) cause).getStatusCode() == 500 && + cause.getMessage() != null && cause.getMessage().contains("Lock on LockEntryId")) { + + if (attempt < 3) { + try { + Thread.sleep(5000); + } catch (InterruptedException ie) { + Thread.currentThread().interrupt(); + return; + } + } + } else { + return; // Non-lock error, don't retry + } + } + } + } + protected String deleteRepoIfExists(String repoName) { if (isEmpty(repoName)) { return null; @@ -220,7 +246,8 @@ protected String deleteRepoIfExists(String repoName) { //if repo wasn't found - that's ok. return e.getMessage(); } else { - throw e; + // Wrap checked exception in a RuntimeException to avoid signature changes + throw new RuntimeException(e); } } } From dd84324da5fb74b2c2739376959a7722c96911c4 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Thu, 7 Aug 2025 13:35:28 +0530 Subject: [PATCH 18/19] "fixing the vulnerable dependencies" --- build.gradle | 32 ++++++++++++++++++++++++++++++++ services/build.gradle | 2 +- 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 61a37026..f5860799 100644 --- a/build.gradle +++ b/build.gradle 
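Review bot: `deleteRepoWithRetry` swallows every failure: the `else` branch does `return; // Non-lock error, don't retry`, and the loop simply ends after the third lock failure, so `tearDown()` in `BaseRepositoryTests` (switched to this helper in the same patch) can no longer fail when a repository is left behind. Leftover repositories on the shared Artifactory instance make later tests depend on earlier ones, and an authorization or server error from the delete call would go unnoticed. Rethrow instead of returning, i.e. `throw e;` in the non-lock branch and again when `attempt == 3`. The lock match also depends on `e.getCause()` being the `HttpResponseException` that the second hunk now wraps with `throw new RuntimeException(e);`; that wrapper changes what other callers of `deleteRepoIfExists` see, which cannot be checked from these hunks. PATCH 19 adds logging to the same branches but keeps the `return`.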
@@ -58,6 +58,38 @@ subprojects { sourceCompatibility = 1.8 targetCompatibility = 1.8 + // Force secure versions to fix vulnerabilities + configurations.all { + resolutionStrategy { + // Use latest confirmed available Jetty 9.4.x versions + force 'org.eclipse.jetty:jetty-server:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-servlets:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-http:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-util:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-io:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-client:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-security:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-servlet:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-webapp:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-proxy:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-continuation:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-util-ajax:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-xml:9.4.56.v20240826' + force 'org.eclipse.jetty.http2:http2-server:9.4.56.v20240826' + force 'org.eclipse.jetty.http2:http2-common:9.4.56.v20240826' + force 'org.eclipse.jetty.http2:http2-hpack:9.4.56.v20240826' + // Latest secure versions + force 'commons-io:commons-io:2.18.0' + force 'net.minidev:json-smart:2.5.2' + force 'com.jayway.jsonpath:json-path:2.9.0' + force 'com.google.guava:guava:33.4.0-jre' + force 'org.xmlunit:xmlunit-core:2.10.0' + } + + // Exclude problematic dependencies + exclude group: 'commons-fileupload', module: 'commons-fileupload' + } + dependencies { implementation('org.apache.httpcomponents:httpclient:4.5.13') { exclude group: 'commons-codec', module: 'commons-codec' diff --git a/services/build.gradle b/services/build.gradle index d0ac6486..86500c2f 100644 --- a/services/build.gradle +++ b/services/build.gradle 
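Review bot: The `resolutionStrategy { force ... }` block under `configurations.all` only changes what this build resolves; by default `force` rules are not written into the published POM, so consumers of the published modules still resolve whatever versions the declared dependencies pull in. For any of these artifacts that sit on a module's runtime classpath, a dependency constraint inside `dependencies` is the better fit, e.g. `constraints { implementation('commons-io:commons-io:2.18.0') { because 'security fix' } }`. Pins that only matter for tests (the Jetty modules look like they arrive via WireMock, which is an inference) can be scoped to the test configurations. The blanket `exclude group: 'commons-fileupload', module: 'commons-fileupload'` removes the jar from every configuration and can surface as a `NoClassDefFoundError` if a transitive user still needs it. Each forced pin would also benefit from a comment naming the advisory it addresses, since `// Latest secure versions` goes stale.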
@@ -7,7 +7,7 @@ dependencies { implementation addSlf4J('slf4j-api') implementation addSlf4J('log4j-over-slf4j') implementation addSlf4J('jcl-over-slf4j') - implementation 'commons-io:commons-io:2.17.0' + implementation 'commons-io:commons-io:2.18.0' testImplementation group: 'org.hamcrest', name: 'hamcrest-core', version: '2.2' testImplementation group: 'org.testng', name: 'testng', version: '7.5.1' /* From ad74e9252bde8bf7cbc7c8ff49bdcb3d440d8671 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Thu, 7 Aug 2025 13:43:08 +0530 Subject: [PATCH 19/19] "adding the loggers as mentioned in the pr " --- .../jfrog/artifactory/client/ArtifactoryTestsBase.java | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java b/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java index 18c58d0d..804ecfda 100644 --- a/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java +++ b/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java @@ -26,6 +26,7 @@ import java.util.Arrays; import java.util.Collection; import java.util.Properties; +import java.util.logging.Logger; import static org.apache.commons.codec.binary.Base64.encodeBase64; import static org.apache.commons.lang3.StringUtils.isEmpty; @@ -55,6 +56,7 @@ public abstract class ArtifactoryTestsBase { protected VirtualRepository virtualRepository; protected RemoteRepository remoteRepository; protected String federationUrl; + private static final Logger logger = Logger.getLogger(ArtifactoryTestsBase.class.getName()); @BeforeClass public void init() throws IOException { 
@@ -211,23 +213,31 @@ protected String textFrom(InputStream is) throws IOException { protected void deleteRepoWithRetry(String repoKey) { for (int attempt = 1; attempt <= 3; attempt++) { try { + logger.info("Attempt " + attempt + " to delete repo: " + repoKey); deleteRepoIfExists(repoKey); + logger.info("Successfully deleted repo: " + repoKey + " on attempt " + attempt); return; } catch (RuntimeException e) { Throwable cause = e.getCause(); + logger.warning("Attempt " + attempt + " failed to delete repo: " + repoKey + ". Reason: " + e.getMessage()); if (cause instanceof HttpResponseException && ((HttpResponseException) cause).getStatusCode() == 500 && cause.getMessage() != null && cause.getMessage().contains("Lock on LockEntryId")) { if (attempt < 3) { + logger.info("Lock detected. Retrying after 5 seconds..."); try { Thread.sleep(5000); } catch (InterruptedException ie) { Thread.currentThread().interrupt(); + logger.warning("Retry interrupted while waiting to retry repo deletion: " + repoKey); return; } + } else { + logger.severe("Failed to delete repo after 3 attempts due to lock: " + repoKey); } } else { + logger.severe("Non-lock error occurred. Not retrying. Repo: " + repoKey); return; // Non-lock error, don't retry } }