From 16fc8ee8c0df6ade9321094968cbb4433d255c5a Mon Sep 17 00:00:00 2001 From: JFrog Pipelines Step Date: Thu, 15 May 2025 10:45:32 +0000 Subject: [PATCH 01/29] [artifactory-release] Next development version [skipRun] --- gradle.properties | 2 +- .../src/main/resources/artifactory.client.release.properties | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/gradle.properties b/gradle.properties index 9a3c541f..02daae36 100644 --- a/gradle.properties +++ b/gradle.properties @@ -1 +1 @@ -currentVersion=2.20.0 +currentVersion=2.20.x-SNAPSHOT diff --git a/services/src/main/resources/artifactory.client.release.properties b/services/src/main/resources/artifactory.client.release.properties index 3ead0606..381eea34 100644 --- a/services/src/main/resources/artifactory.client.release.properties +++ b/services/src/main/resources/artifactory.client.release.properties @@ -1 +1 @@ -version=2.19.x-SNAPSHOT \ No newline at end of file +version=2.20.0 \ No newline at end of file From 6069030ea146e46d45c71f028756f1a1b8e18d27 Mon Sep 17 00:00:00 2001 From: Bhanu Reddy Date: Thu, 24 Jul 2025 19:00:05 +0530 Subject: [PATCH 02/29] Fix jackson version security vulnerability (#407) --- build.gradle | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/build.gradle b/build.gradle index 025705ce..b800c09b 100644 --- a/build.gradle +++ b/build.gradle @@ -64,9 +64,9 @@ subprojects { } implementation 'commons-codec:commons-codec:1.13' implementation 'org.apache.commons:commons-lang3:3.12.0' - implementation 'com.fasterxml.jackson.core:jackson-core:2.14.1' - implementation 'com.fasterxml.jackson.core:jackson-databind:2.14.1' - implementation 'com.fasterxml.jackson.core:jackson-annotations:2.14.1' + implementation 'com.fasterxml.jackson.core:jackson-core:2.19.1' + implementation 'com.fasterxml.jackson.core:jackson-databind:2.19.1' + implementation 'com.fasterxml.jackson.core:jackson-annotations:2.19.1' api 'org.jfrog.filespecs:file-specs-java:1.1.1' } 
From 7c4833c3fd3545f8716c6337fd167d57ffd5f053 Mon Sep 17 00:00:00 2001 From: Bhanu Reddy Date: Thu, 24 Jul 2025 19:00:05 +0530 Subject: [PATCH 03/29] Fix jackson version security vulnerability (#407) --- build.gradle | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/build.gradle b/build.gradle index 025705ce..b800c09b 100644 --- a/build.gradle +++ b/build.gradle @@ -64,9 +64,9 @@ subprojects { } implementation 'commons-codec:commons-codec:1.13' implementation 'org.apache.commons:commons-lang3:3.12.0' - implementation 'com.fasterxml.jackson.core:jackson-core:2.14.1' - implementation 'com.fasterxml.jackson.core:jackson-databind:2.14.1' - implementation 'com.fasterxml.jackson.core:jackson-annotations:2.14.1' + implementation 'com.fasterxml.jackson.core:jackson-core:2.19.1' + implementation 'com.fasterxml.jackson.core:jackson-databind:2.19.1' + implementation 'com.fasterxml.jackson.core:jackson-annotations:2.19.1' api 'org.jfrog.filespecs:file-specs-java:1.1.1' } From 19e148ed504a67920463f7fa8569256d8f6cf1f3 Mon Sep 17 00:00:00 2001 From: Bhanu Reddy Date: Fri, 25 Jul 2025 12:47:04 +0530 Subject: [PATCH 04/29] Multiple security fixes --- build.gradle | 4 ++-- httpClient/build.gradle | 2 +- .../artifactory/client/httpClient/http/HttpBuilderBase.java | 2 +- services/build.gradle | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/build.gradle b/build.gradle index b800c09b..61a37026 100644 --- a/build.gradle +++ b/build.gradle 
@@ -63,11 +63,11 @@ subprojects { exclude group: 'commons-codec', module: 'commons-codec' } implementation 'commons-codec:commons-codec:1.13' - implementation 'org.apache.commons:commons-lang3:3.12.0' + implementation 'org.apache.commons:commons-lang3:3.18.0' implementation 'com.fasterxml.jackson.core:jackson-core:2.19.1' implementation 'com.fasterxml.jackson.core:jackson-databind:2.19.1' implementation 'com.fasterxml.jackson.core:jackson-annotations:2.19.1' - api 'org.jfrog.filespecs:file-specs-java:1.1.1' + api 'org.jfrog.filespecs:file-specs-java:1.1.2' } task sourcesJar(type: Jar, dependsOn: classes) { diff --git a/httpClient/build.gradle b/httpClient/build.gradle index 8c8dd627..7e4deeec 100644 --- a/httpClient/build.gradle +++ b/httpClient/build.gradle @@ -8,5 +8,5 @@ repositories { dependencies { testImplementation group: 'org.testng', name: 'testng', version: '7.5.1' - testImplementation group: 'com.github.tomakehurst', name: 'wiremock-jre8', version: '2.35.1' + testImplementation group: 'com.github.tomakehurst', name: 'wiremock-jre8', version: '3.0.1' } \ No newline at end of file diff --git a/httpClient/src/main/java/org/jfrog/artifactory/client/httpClient/http/HttpBuilderBase.java b/httpClient/src/main/java/org/jfrog/artifactory/client/httpClient/http/HttpBuilderBase.java index 349eb872..5be76fde 100644 --- a/httpClient/src/main/java/org/jfrog/artifactory/client/httpClient/http/HttpBuilderBase.java +++ b/httpClient/src/main/java/org/jfrog/artifactory/client/httpClient/http/HttpBuilderBase.java @@ -399,7 +399,7 @@ private SSLContext buildSslContext() { sslContext = sslBuilder.build(); } } catch (Exception e) { - e.printStackTrace(); + throw new RuntimeException("Error building SSLContext: " + e.getMessage(), e); } return sslContext != null ? sslContext : SSLContexts.createDefault(); } diff --git a/services/build.gradle b/services/build.gradle index 85d5b40f..d0ac6486 100644 --- a/services/build.gradle +++ b/services/build.gradle 
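Review bot: In `buildSslContext()` (HttpBuilderBase.java) the new `throw` sits inside `catch (Exception e)`, so unchecked exceptions from the try block are re-wrapped too, and the message repeats `e.getMessage()` although the cause is already attached. Failing here is the safer behaviour, because a broken key or trust configuration no longer degrades silently to `SSLContexts.createDefault()`; that intent deserves a comment such as `// Fail closed: never fall back to the default SSLContext when the configured one cannot be built`. Consider `throw new IllegalStateException("Error building SSLContext", e);` and narrowing the catch to the checked exceptions the builder can raise, which cannot be confirmed from here because the try block starts outside the hunk. The remaining `sslContext != null ? sslContext : SSLContexts.createDefault()` fallback still applies when no context was built and nothing was thrown, so confirm that path is reached only when no custom SSL settings were supplied.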
@@ -15,7 +15,7 @@ dependencies { * https://github.com/jfrog/artifactory-client-java/issues/43 * https://github.com/jfrog/artifactory-client-java/issues/232 */ - testRuntimeOnly group: 'ch.qos.logback', name: 'logback-classic', version: '1.2.9' + testRuntimeOnly group: 'ch.qos.logback', name: 'logback-classic', version: '1.3.15' } task createReleasePropertiesFile(type: Exec) { From bce211d95c202fef9847ebf6d4445392c5e9c767 Mon Sep 17 00:00:00 2001 From: Bhanu Reddy Date: Fri, 25 Jul 2025 16:14:27 +0530 Subject: [PATCH 05/29] Revert the version which is not available for java8 --- httpClient/build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/httpClient/build.gradle b/httpClient/build.gradle index 7e4deeec..de6d80c6 100644 --- a/httpClient/build.gradle +++ b/httpClient/build.gradle @@ -8,5 +8,5 @@ repositories { dependencies { testImplementation group: 'org.testng', name: 'testng', version: '7.5.1' - testImplementation group: 'com.github.tomakehurst', name: 'wiremock-jre8', version: '3.0.1' + testImplementation group: 'com.github.tomakehurst', name: 'wiremock-jre8', version: '2.35.0' } \ No newline at end of file From 443bbd93c71929b0ae10bd3cf5147736d402a7f6 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Mon, 28 Jul 2025 13:46:03 +0530 Subject: [PATCH 06/29] "adding script to ensure artifactory running" --- .github/workflows/tests.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 6ebd25ec..24b4ab18 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
@@ -43,5 +43,18 @@ jobs: java-version: "8" distribution: "zulu" + - name: Wait for Artifactory + run: | + for i in {1..30}; do + if curl -sf http://localhost:8081/artifactory/api/system/ping; then + echo "Artifactory is up!" + exit 0 + fi + echo "Waiting for Artifactory..." + sleep 10 + done + echo "Artifactory did not start in time" + exit 1 + - name: Run tests run: ./gradlew${{ matrix.gradlewSuffix }} clean test From 68e1a02ba1f5b6993489f23796b3cc06886ffa53 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Mon, 4 Aug 2025 22:15:45 +0530 Subject: [PATCH 07/29] "fix for the failed test cases" --- .../client/model/builder/RemoteRepositoryBuilder.java | 4 ++++ build.gradle | 1 + .../org/jfrog/artifactory/client/BaseRepositoryTests.groovy | 2 ++ .../artifactory/client/GemsPackageTypeRepositoryTests.groovy | 2 +- .../client/TerraformPackageTypeRepositoryTests.groovy | 1 + 5 files changed, 9 insertions(+), 1 deletion(-) diff --git a/api/src/main/java/org/jfrog/artifactory/client/model/builder/RemoteRepositoryBuilder.java b/api/src/main/java/org/jfrog/artifactory/client/model/builder/RemoteRepositoryBuilder.java index ea3f04be..9940ee5c 100644 --- a/api/src/main/java/org/jfrog/artifactory/client/model/builder/RemoteRepositoryBuilder.java +++ b/api/src/main/java/org/jfrog/artifactory/client/model/builder/RemoteRepositoryBuilder.java @@ -102,4 +102,8 @@ public interface RemoteRepositoryBuilder extends NonVirtualRepositoryBuilder customProperties protected Boolean storeArtifactsLocallyInRemoteRepo + protected Boolean fetchContentOnCreate protected String remoteRepoUrl = "https://github.com" public static final REPO_NAME_PREFIX = "rt-client-java" 
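Review bot: The `Wait for Artifactory` step in tests.yml uses bash syntax (`for i in {1..30}; do ... done`) without declaring a shell, while the `Run tests` step below it uses `matrix.gradlewSuffix`, which suggests the matrix includes a Windows runner where `run:` does not default to bash. Adding `shell: bash` to the step would make it behave the same on every runner. The `curl -sf` probe also has no per-request timeout, so a connection that hangs can stall the loop well past the intended 30 x 10 s; `curl -sf --max-time 5 http://localhost:8081/artifactory/api/system/ping` bounds each attempt. The same step is re-added unchanged in PATCH 10/29.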
@@ -140,6 +141,7 @@ abstract class BaseRepositoryTests extends ArtifactoryTestsBase { .shareConfiguration(rnd.nextBoolean()) .socketTimeoutMillis(rnd.nextInt()) .storeArtifactsLocally(ObjectUtils.defaultIfNull(storeArtifactsLocallyInRemoteRepo, rnd.nextBoolean())) + .fetchContentOnCreate(ObjectUtils.defaultIfNull(fetchContentOnCreate, rnd.nextBoolean())) .synchronizeProperties(rnd.nextBoolean()) .unusedArtifactsCleanupPeriodHours(Math.abs(rnd.nextInt())) .url(remoteRepoUrl) diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy index 44232fd7..bc9ffaef 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy @@ -14,7 +14,7 @@ import org.testng.annotations.Test class GemsPackageTypeRepositoryTests extends BaseRepositoryTests { GemsPackageTypeRepositoryTests() { - remoteRepoUrl = "https://rubygems.org" + fetchContentOnCreate = false } @Override diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy index 1072b295..025919bf 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy @@ -15,6 +15,7 @@ class TerraformPackageTypeRepositoryTests extends BaseRepositoryTests { TerraformPackageTypeRepositoryTests() { remoteRepoUrl = "https://github.com" + storeArtifactsLocallyInRemoteRepo = true } @Override From 027d5b66f17611500d55bead3be660c672795f00 Mon Sep 17 00:00:00 2001 
From: nitinp19 Date: Mon, 4 Aug 2025 22:29:17 +0530 Subject: [PATCH 08/29] Revert ""adding script to ensure artifactory running"" This reverts commit 443bbd93c71929b0ae10bd3cf5147736d402a7f6. --- .github/workflows/tests.yml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 24b4ab18..6ebd25ec 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -43,18 +43,5 @@ jobs: java-version: "8" distribution: "zulu" - - name: Wait for Artifactory - run: | - for i in {1..30}; do - if curl -sf http://localhost:8081/artifactory/api/system/ping; then - echo "Artifactory is up!" - exit 0 - fi - echo "Waiting for Artifactory..." - sleep 10 - done - echo "Artifactory did not start in time" - exit 1 - - name: Run tests run: ./gradlew${{ matrix.gradlewSuffix }} clean test From d54df2e1a7da3e71cecfaecd683abea9b08ab767 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Mon, 4 Aug 2025 22:32:16 +0530 Subject: [PATCH 09/29] Revert ""fix for the failed test cases"" This reverts commit 68e1a02ba1f5b6993489f23796b3cc06886ffa53. --- .../client/model/builder/RemoteRepositoryBuilder.java | 4 ---- build.gradle | 1 - .../org/jfrog/artifactory/client/BaseRepositoryTests.groovy | 2 -- .../artifactory/client/GemsPackageTypeRepositoryTests.groovy | 2 +- .../client/TerraformPackageTypeRepositoryTests.groovy | 1 - 5 files changed, 1 insertion(+), 9 deletions(-) diff --git a/api/src/main/java/org/jfrog/artifactory/client/model/builder/RemoteRepositoryBuilder.java b/api/src/main/java/org/jfrog/artifactory/client/model/builder/RemoteRepositoryBuilder.java index 9940ee5c..ea3f04be 100644 --- a/api/src/main/java/org/jfrog/artifactory/client/model/builder/RemoteRepositoryBuilder.java +++ b/api/src/main/java/org/jfrog/artifactory/client/model/builder/RemoteRepositoryBuilder.java 
@@ -102,8 +102,4 @@ public interface RemoteRepositoryBuilder extends NonVirtualRepositoryBuilder customProperties protected Boolean storeArtifactsLocallyInRemoteRepo - protected Boolean fetchContentOnCreate protected String remoteRepoUrl = "https://github.com" public static final REPO_NAME_PREFIX = "rt-client-java" @@ -141,7 +140,6 @@ abstract class BaseRepositoryTests extends ArtifactoryTestsBase { .shareConfiguration(rnd.nextBoolean()) .socketTimeoutMillis(rnd.nextInt()) .storeArtifactsLocally(ObjectUtils.defaultIfNull(storeArtifactsLocallyInRemoteRepo, rnd.nextBoolean())) - .fetchContentOnCreate(ObjectUtils.defaultIfNull(fetchContentOnCreate, rnd.nextBoolean())) .synchronizeProperties(rnd.nextBoolean()) .unusedArtifactsCleanupPeriodHours(Math.abs(rnd.nextInt())) .url(remoteRepoUrl) diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy index bc9ffaef..44232fd7 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy @@ -14,7 +14,7 @@ import org.testng.annotations.Test class GemsPackageTypeRepositoryTests extends BaseRepositoryTests { GemsPackageTypeRepositoryTests() { - fetchContentOnCreate = false + remoteRepoUrl = "https://rubygems.org" } @Override diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy index 025919bf..1072b295 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy 
@@ -15,7 +15,6 @@ class TerraformPackageTypeRepositoryTests extends BaseRepositoryTests { TerraformPackageTypeRepositoryTests() { remoteRepoUrl = "https://github.com" - storeArtifactsLocallyInRemoteRepo = true } @Override From 3b01c28919975aae2e0dd759ac0fad6a2275a21e Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Mon, 4 Aug 2025 22:33:37 +0530 Subject: [PATCH 10/29] "adding wait for artifactory" --- .github/workflows/tests.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 6ebd25ec..d80adf92 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -43,5 +43,18 @@ jobs: java-version: "8" distribution: "zulu" + - name: Wait for Artifactory + run: | + for i in {1..30}; do + if curl -sf http://localhost:8081/artifactory/api/system/ping; then + echo "Artifactory is up!" + exit 0 + fi + echo "Waiting for Artifactory..." + sleep 10 + done + echo "Artifactory did not start in time" + exit 1 + - name: Run tests run: ./gradlew${{ matrix.gradlewSuffix }} clean test From f815c7d937109eefaa0164f78801261fdd7ea049 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Mon, 4 Aug 2025 23:11:54 +0530 Subject: [PATCH 11/29] "check with new implementation" --- services/build.gradle | 1 + .../artifactory/client/BaseRepositoryTests.groovy | 10 +++++----- .../client/TerraformPackageTypeRepositoryTests.groovy | 1 + 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/services/build.gradle b/services/build.gradle index d0ac6486..b5bf0d58 100644 --- a/services/build.gradle +++ b/services/build.gradle @@ -8,6 +8,7 @@ dependencies { implementation addSlf4J('log4j-over-slf4j') implementation addSlf4J('jcl-over-slf4j') implementation 'commons-io:commons-io:2.17.0' + implementation 'org.slf4j:slf4j-simple:2.0.9' testImplementation group: 'org.hamcrest', name: 'hamcrest-core', version: '2.2' testImplementation group: 'org.testng', name: 'testng', version: '7.5.1' /* 
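Review bot: `implementation 'org.slf4j:slf4j-simple:2.0.9'` in services/build.gradle puts a concrete SLF4J binding on the runtime classpath of a published library module, so applications depending on it inherit a logging backend they did not choose and may get multiple-binding warnings next to their own. The same file already declares `logback-classic` as `testRuntimeOnly` (see PATCH 04/29), so the test run would then carry two bindings. If the binding is needed only for tests, declare it as `testRuntimeOnly 'org.slf4j:slf4j-simple:2.0.9'` or drop it. Its version should also match the `slf4j-api` version that `addSlf4J(...)` resolves, which is not visible in this hunk.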
diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy index 911dd282..fbda097c 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy @@ -174,12 +174,12 @@ abstract class BaseRepositoryTests extends ArtifactoryTestsBase { @AfterMethod protected void tearDown() { - // Invoking sequence is important! - deleteRepoIfExists(genericRepo?.getKey()) - deleteRepoIfExists(localRepo?.getKey()) - deleteRepoIfExists(remoteRepo?.getKey()) + // Invoking sequence is important! Delete in reverse dependency order + deleteRepoIfExists(virtualRepo?.getKey()) // Delete virtual repo first (depends on generic) deleteRepoIfExists(federatedRepo?.getKey()) - deleteRepoIfExists(virtualRepo?.getKey()) + deleteRepoIfExists(remoteRepo?.getKey()) + deleteRepoIfExists(localRepo?.getKey()) + deleteRepoIfExists(genericRepo?.getKey()) // Delete generic repo last (after dependents) repoUniqueId++ } diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy index 1072b295..025919bf 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy @@ -15,6 +15,7 @@ class TerraformPackageTypeRepositoryTests extends BaseRepositoryTests { TerraformPackageTypeRepositoryTests() { remoteRepoUrl = "https://github.com" + storeArtifactsLocallyInRemoteRepo = true } @Override From 674d609c1b2e5946f18010b8d5e10f69a277c01d Mon Sep 17 00:00:00 2001 
From: nitinp19 Date: Tue, 5 Aug 2025 10:07:41 +0530 Subject: [PATCH 12/29] "disable remote indexing for gems for bypassing lock" --- .../client/GemsPackageTypeRepositoryTests.groovy | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy index 44232fd7..54c92ed6 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy @@ -2,6 +2,7 @@ package org.jfrog.artifactory.client import org.hamcrest.CoreMatchers import org.jfrog.artifactory.client.model.RepositoryType +import org.jfrog.artifactory.client.model.impl.RepositoryTypeImpl import org.jfrog.artifactory.client.model.repository.settings.RepositorySettings import org.jfrog.artifactory.client.model.repository.settings.impl.GemsRepositorySettingsImpl import org.testng.annotations.Test @@ -22,8 +23,12 @@ class GemsPackageTypeRepositoryTests extends BaseRepositoryTests { def settings = new GemsRepositorySettingsImpl() settings.with { - // remote - listRemoteFolderItems = rnd.nextBoolean() + // remote - Use false for REMOTE repos to prevent rubygems.org indexing that causes locks + if (repositoryType == RepositoryTypeImpl.REMOTE) { + listRemoteFolderItems = false // Prevent background indexing of rubygems.org + } else { + listRemoteFolderItems = rnd.nextBoolean() // Maintain test coverage for other types + } } return settings From e61b761d523eae5d2dd1e69e6815e4bdd53d374b Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Tue, 5 Aug 2025 10:19:37 +0530 Subject: [PATCH 13/29] "fixing the slf4j warning" --- build.gradle | 13 +++++++++++++ services/build.gradle | 1 - 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 61a37026..e6918d2f 100644 
--- a/build.gradle +++ b/build.gradle @@ -133,4 +133,17 @@ subprojects { useInMemoryPgpKeys(signingKey, signingPassword) sign publishing.publications.main } + + configurations { + all { + // Exclude multiple SLF4J implementations to prevent binding conflicts + exclude group: 'org.slf4j', module: 'slf4j-simple' + exclude group: 'org.slf4j', module: 'slf4j-log4j12' + exclude group: 'org.slf4j', module: 'slf4j-jdk14' + exclude group: 'org.slf4j', module: 'slf4j-reload4j' + // Exclude old logging frameworks + exclude group: 'log4j', module: 'log4j' + exclude group: 'commons-logging', module: 'commons-logging' + } + } } diff --git a/services/build.gradle b/services/build.gradle index b5bf0d58..d0ac6486 100644 --- a/services/build.gradle +++ b/services/build.gradle @@ -8,7 +8,6 @@ dependencies { implementation addSlf4J('log4j-over-slf4j') implementation addSlf4J('jcl-over-slf4j') implementation 'commons-io:commons-io:2.17.0' - implementation 'org.slf4j:slf4j-simple:2.0.9' testImplementation group: 'org.hamcrest', name: 'hamcrest-core', version: '2.2' testImplementation group: 'org.testng', name: 'testng', version: '7.5.1' /* From 21da70c2e8afbfca191050a1ee70fb135c566fa3 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Tue, 5 Aug 2025 10:49:31 +0530 Subject: [PATCH 14/29] "removing commons-logging from the exclusion" --- build.gradle | 1 - 1 file changed, 1 deletion(-) diff --git a/build.gradle b/build.gradle index e6918d2f..9af24666 100644 --- a/build.gradle +++ b/build.gradle @@ -143,7 +143,6 @@ subprojects { exclude group: 'org.slf4j', module: 'slf4j-reload4j' // Exclude old logging frameworks exclude group: 'log4j', module: 'log4j' - exclude group: 'commons-logging', module: 'commons-logging' } } } From bddb4128a10e780f6d42d7e0997a3c795f42166c Mon Sep 17 00:00:00 2001 
From: nitinp19 Date: Tue, 5 Aug 2025 11:16:13 +0530 Subject: [PATCH 15/29] "making it list remote item false for all the repository for gems" --- build.gradle | 12 ------------ .../client/GemsPackageTypeRepositoryTests.groovy | 8 ++------ 2 files changed, 2 insertions(+), 18 deletions(-) diff --git a/build.gradle b/build.gradle index 9af24666..61a37026 100644 --- a/build.gradle +++ b/build.gradle @@ -133,16 +133,4 @@ subprojects { useInMemoryPgpKeys(signingKey, signingPassword) sign publishing.publications.main } - - configurations { - all { - // Exclude multiple SLF4J implementations to prevent binding conflicts - exclude group: 'org.slf4j', module: 'slf4j-simple' - exclude group: 'org.slf4j', module: 'slf4j-log4j12' - exclude group: 'org.slf4j', module: 'slf4j-jdk14' - exclude group: 'org.slf4j', module: 'slf4j-reload4j' - // Exclude old logging frameworks - exclude group: 'log4j', module: 'log4j' - } - } } diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy index 54c92ed6..144e4cfb 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy @@ -23,12 +23,8 @@ class GemsPackageTypeRepositoryTests extends BaseRepositoryTests { def settings = new GemsRepositorySettingsImpl() settings.with { - // remote - Use false for REMOTE repos to prevent rubygems.org indexing that causes locks - if (repositoryType == RepositoryTypeImpl.REMOTE) { - listRemoteFolderItems = false // Prevent background indexing of rubygems.org - } else { - listRemoteFolderItems = rnd.nextBoolean() // Maintain test coverage for other types - } + // Ensure listRemoteFolderItems is false only for Gems tests to avoid indexing issues + listRemoteFolderItems = false } return settings 
From 6215d5ce115eaa4b2a5fd90a2dd316459622a290 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Tue, 5 Aug 2025 11:30:12 +0530 Subject: [PATCH 16/29] "only using remote item false for remote repository in gems" --- .../client/GemsPackageTypeRepositoryTests.groovy | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy index 144e4cfb..14d197de 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy @@ -22,11 +22,10 @@ class GemsPackageTypeRepositoryTests extends BaseRepositoryTests { RepositorySettings getRepositorySettings(RepositoryType repositoryType) { def settings = new GemsRepositorySettingsImpl() - settings.with { - // Ensure listRemoteFolderItems is false only for Gems tests to avoid indexing issues - listRemoteFolderItems = false + // Only set listRemoteFolderItems for remote repositories such that no indexing happens + if (repositoryType == org.jfrog.artifactory.client.model.impl.RepositoryTypeImpl.REMOTE) { + settings.listRemoteFolderItems = false } - return settings } From c263cba826279c791c69108342e53e0208d5f539 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Tue, 5 Aug 2025 11:51:40 +0530 Subject: [PATCH 17/29] "defining different artifactory home for all the os" --- .github/workflows/tests.yml | 6 +++++- .../client/GemsPackageTypeRepositoryTests.groovy | 7 ++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index d80adf92..b2559230 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
@@ -29,6 +29,10 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} + + - name: Set unique Artifactory home + run: echo "ARTIFACTORY_HOME=$(mktemp -d)" >> $GITHUB_ENV + - name: Setup Go with cache uses: jfrog/.github/actions/install-go-with-cache@main @@ -55,6 +59,6 @@ jobs: done echo "Artifactory did not start in time" exit 1 - + - name: Run tests run: ./gradlew${{ matrix.gradlewSuffix }} clean test diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy index 14d197de..9ee3e345 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy @@ -22,10 +22,11 @@ class GemsPackageTypeRepositoryTests extends BaseRepositoryTests { RepositorySettings getRepositorySettings(RepositoryType repositoryType) { def settings = new GemsRepositorySettingsImpl() - // Only set listRemoteFolderItems for remote repositories such that no indexing happens - if (repositoryType == org.jfrog.artifactory.client.model.impl.RepositoryTypeImpl.REMOTE) { - settings.listRemoteFolderItems = false + settings.with { + // remote + listRemoteFolderItems = rnd.nextBoolean() } + return settings } From a2d697c84af96088f8f34fa0ed690b4de79444a5 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Tue, 5 Aug 2025 11:53:31 +0530 Subject: [PATCH 18/29] "removing unused import" --- .../artifactory/client/GemsPackageTypeRepositoryTests.groovy | 1 - 1 file changed, 1 deletion(-) diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy index 9ee3e345..44232fd7 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy 
+++ b/services/src/test/groovy/org/jfrog/artifactory/client/GemsPackageTypeRepositoryTests.groovy @@ -2,7 +2,6 @@ package org.jfrog.artifactory.client import org.hamcrest.CoreMatchers import org.jfrog.artifactory.client.model.RepositoryType -import org.jfrog.artifactory.client.model.impl.RepositoryTypeImpl import org.jfrog.artifactory.client.model.repository.settings.RepositorySettings import org.jfrog.artifactory.client.model.repository.settings.impl.GemsRepositorySettingsImpl import org.testng.annotations.Test From 48fe2b8b8ea17f561dfead6d311ba2370f413618 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Tue, 5 Aug 2025 12:36:22 +0530 Subject: [PATCH 19/29] "deleting the repository with retries" --- .github/workflows/tests.yml | 3 -- .../client/BaseRepositoryTests.groovy | 11 +++---- .../client/ArtifactoryTestsBase.java | 29 ++++++++++++++++++- 3 files changed, 34 insertions(+), 9 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index b2559230..6567a38f 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -30,9 +30,6 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} - - name: Set unique Artifactory home - run: echo "ARTIFACTORY_HOME=$(mktemp -d)" >> $GITHUB_ENV - - name: Setup Go with cache uses: jfrog/.github/actions/install-go-with-cache@main diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy index fbda097c..c495bd5e 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy 
@@ -57,6 +57,7 @@ abstract class BaseRepositoryTests extends ArtifactoryTestsBase { @BeforeMethod protected void setUp() { String id = Long.toString(repoUniqueId) + println "[SETUP] Starting test setup for repo id: $id at ${new Date()}" if (prepareGenericRepo) { RepositorySettings settings = getRepositorySettings(RepositoryTypeImpl.LOCAL) @@ -175,11 +176,11 @@ abstract class BaseRepositoryTests extends ArtifactoryTestsBase { @AfterMethod protected void tearDown() { // Invoking sequence is important! Delete in reverse dependency order - deleteRepoIfExists(virtualRepo?.getKey()) // Delete virtual repo first (depends on generic) - deleteRepoIfExists(federatedRepo?.getKey()) - deleteRepoIfExists(remoteRepo?.getKey()) - deleteRepoIfExists(localRepo?.getKey()) - deleteRepoIfExists(genericRepo?.getKey()) // Delete generic repo last (after dependents) + deleteRepoWithRetry(virtualRepo?.getKey()) // Delete virtual repo first (depends on generic) + deleteRepoWithRetry(federatedRepo?.getKey()) + deleteRepoWithRetry(remoteRepo?.getKey()) + deleteRepoWithRetry(localRepo?.getKey()) + deleteRepoWithRetry(genericRepo?.getKey()) // Delete generic repo last (after dependents) repoUniqueId++ } diff --git a/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java b/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java index 1401e0d7..18c58d0d 100644 --- a/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java +++ b/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java 
@@ -208,6 +208,32 @@ protected String textFrom(InputStream is) throws IOException { } } + protected void deleteRepoWithRetry(String repoKey) { + for (int attempt = 1; attempt <= 3; attempt++) { + try { + deleteRepoIfExists(repoKey); + return; + } catch (RuntimeException e) { + Throwable cause = e.getCause(); + if (cause instanceof HttpResponseException && + ((HttpResponseException) cause).getStatusCode() == 500 && + cause.getMessage() != null && cause.getMessage().contains("Lock on LockEntryId")) { + + if (attempt < 3) { + try { + Thread.sleep(5000); + } catch (InterruptedException ie) { + Thread.currentThread().interrupt(); + return; + } + } + } else { + return; // Non-lock error, don't retry + } + } + } + } + protected String deleteRepoIfExists(String repoName) { if (isEmpty(repoName)) { return null; @@ -220,7 +246,8 @@ protected String deleteRepoIfExists(String repoName) { //if repo wasn't found - that's ok. return e.getMessage(); } else { - throw e; + // Wrap checked exception in a RuntimeException to avoid signature changes + throw new RuntimeException(e); } } } From dd84324da5fb74b2c2739376959a7722c96911c4 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Thu, 7 Aug 2025 13:35:28 +0530 Subject: [PATCH 20/29] "fixing the vulnerable dependencies" --- build.gradle | 32 ++++++++++++++++++++++++++++++++ services/build.gradle | 2 +- 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 61a37026..f5860799 100644 --- a/build.gradle +++ b/build.gradle 
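Review bot: `deleteRepoWithRetry` in ArtifactoryTestsBase.java swallows every failure: the `else` branch does `return; // Non-lock error, don't retry`, and when the third lock attempt fails the loop simply ends, so `tearDown()` looks successful even though the repository was not deleted. Before this change the exception from `deleteRepoIfExists` propagated out of the teardown; replacing that `return` with `throw e;` and rethrowing (or at least logging) the last exception after the final attempt keeps that signal. Matching on `cause.getMessage().contains("Lock on LockEntryId")` ties the retry to the server's error text, which deserves a comment naming the response it was written against. In `deleteRepoIfExists`, `throw new RuntimeException(e)` changes the exception type that propagates, so call sites that catch the original type (not visible in this hunk) should be checked.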
@@ -58,6 +58,38 @@ subprojects { sourceCompatibility = 1.8 targetCompatibility = 1.8 + // Force secure versions to fix vulnerabilities + configurations.all { + resolutionStrategy { + // Use latest confirmed available Jetty 9.4.x versions + force 'org.eclipse.jetty:jetty-server:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-servlets:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-http:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-util:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-io:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-client:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-security:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-servlet:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-webapp:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-proxy:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-continuation:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-util-ajax:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-xml:9.4.56.v20240826' + force 'org.eclipse.jetty.http2:http2-server:9.4.56.v20240826' + force 'org.eclipse.jetty.http2:http2-common:9.4.56.v20240826' + force 'org.eclipse.jetty.http2:http2-hpack:9.4.56.v20240826' + // Latest secure versions + force 'commons-io:commons-io:2.18.0' + force 'net.minidev:json-smart:2.5.2' + force 'com.jayway.jsonpath:json-path:2.9.0' + force 'com.google.guava:guava:33.4.0-jre' + force 'org.xmlunit:xmlunit-core:2.10.0' + } + + // Exclude problematic dependencies + exclude group: 'commons-fileupload', module: 'commons-fileupload' + } + dependencies { implementation('org.apache.httpcomponents:httpclient:4.5.13') { exclude group: 'commons-codec', module: 'commons-codec' diff --git a/services/build.gradle b/services/build.gradle index d0ac6486..86500c2f 100644 --- a/services/build.gradle +++ b/services/build.gradle 
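Review bot: The `resolutionStrategy { force ... }` block pins versions only for this build's own resolution. It is presumably not carried into the published metadata, so consumers of the client may still resolve the older transitive versions; confirm this against the generated POM. Replace `// Latest secure versions` with a per-entry comment naming the advisory and the dependency that pulls the artifact in, so each pin can be dropped once upstream catches up. The configuration-wide `exclude group: 'commons-fileupload', module: 'commons-fileupload'` removes the library everywhere, and anything still loading it would fail only at runtime, so the comment should say why no code path needs it. The enclosing `subprojects` block extends beyond the hunk, and the same lines are re-added in the build.gradle hunks of PATCH 22, 24 and 28.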
@@ -7,7 +7,7 @@ dependencies { implementation addSlf4J('slf4j-api') implementation addSlf4J('log4j-over-slf4j') implementation addSlf4J('jcl-over-slf4j') - implementation 'commons-io:commons-io:2.17.0' + implementation 'commons-io:commons-io:2.18.0' testImplementation group: 'org.hamcrest', name: 'hamcrest-core', version: '2.2' testImplementation group: 'org.testng', name: 'testng', version: '7.5.1' /* From ad74e9252bde8bf7cbc7c8ff49bdcb3d440d8671 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Thu, 7 Aug 2025 13:43:08 +0530 Subject: [PATCH 21/29] "adding the loggers as mentioned in the pr " --- .../jfrog/artifactory/client/ArtifactoryTestsBase.java | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java b/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java index 18c58d0d..804ecfda 100644 --- a/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java +++ b/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java @@ -26,6 +26,7 @@ import java.util.Arrays; import java.util.Collection; import java.util.Properties; +import java.util.logging.Logger; import static org.apache.commons.codec.binary.Base64.encodeBase64; import static org.apache.commons.lang3.StringUtils.isEmpty; @@ -55,6 +56,7 @@ public abstract class ArtifactoryTestsBase { protected VirtualRepository virtualRepository; protected RemoteRepository remoteRepository; protected String federationUrl; + private static final Logger logger = Logger.getLogger(ArtifactoryTestsBase.class.getName()); @BeforeClass public void init() throws IOException { 
@@ -211,23 +213,31 @@ protected String textFrom(InputStream is) throws IOException { protected void deleteRepoWithRetry(String repoKey) { for (int attempt = 1; attempt <= 3; attempt++) { try { + logger.info("Attempt " + attempt + " to delete repo: " + repoKey); deleteRepoIfExists(repoKey); + logger.info("Successfully deleted repo: " + repoKey + " on attempt " + attempt); return; } catch (RuntimeException e) { Throwable cause = e.getCause(); + logger.warning("Attempt " + attempt + " failed to delete repo: " + repoKey + ". Reason: " + e.getMessage()); if (cause instanceof HttpResponseException && ((HttpResponseException) cause).getStatusCode() == 500 && cause.getMessage() != null && cause.getMessage().contains("Lock on LockEntryId")) { if (attempt < 3) { + logger.info("Lock detected. Retrying after 5 seconds..."); try { Thread.sleep(5000); } catch (InterruptedException ie) { Thread.currentThread().interrupt(); + logger.warning("Retry interrupted while waiting to retry repo deletion: " + repoKey); return; } + } else { + logger.severe("Failed to delete repo after 3 attempts due to lock: " + repoKey); } } else { + logger.severe("Non-lock error occurred. Not retrying. Repo: " + repoKey); return; // Non-lock error, don't retry } } From 8a5c7924ee9a46bd531b8280dbe8e235a35dcd2f Mon Sep 17 00:00:00 2001 
From: nitinp19 Date: Wed, 13 Aug 2025 11:35:39 +0530 Subject: [PATCH 22/29] Vulnerability fix and Test fixed (#412) integration test fix and security fixes * Multiple security fixes * "adding wait for artifactory" * "removing unused import" * "introducing retries in case of failure to delete the repository" --------- Co-authored-by: Bhanu Reddy --- .github/workflows/tests.yml | 14 +++++++ build.gradle | 36 ++++++++++++++++- httpClient/build.gradle | 2 +- .../httpClient/http/HttpBuilderBase.java | 2 +- services/build.gradle | 4 +- .../client/BaseRepositoryTests.groovy | 13 ++++--- ...TerraformPackageTypeRepositoryTests.groovy | 1 + .../client/ArtifactoryTestsBase.java | 39 ++++++++++++++++++- 8 files changed, 98 insertions(+), 13 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 6ebd25ec..6567a38f 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -29,6 +29,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} + - name: Setup Go with cache uses: jfrog/.github/actions/install-go-with-cache@main @@ -43,5 +44,18 @@ jobs: java-version: "8" distribution: "zulu" + - name: Wait for Artifactory + run: | + for i in {1..30}; do + if curl -sf http://localhost:8081/artifactory/api/system/ping; then + echo "Artifactory is up!" + exit 0 + fi + echo "Waiting for Artifactory..." + sleep 10 + done + echo "Artifactory did not start in time" + exit 1 + - name: Run tests run: ./gradlew${{ matrix.gradlewSuffix }} clean test diff --git a/build.gradle b/build.gradle index b800c09b..f5860799 100644 --- a/build.gradle +++ b/build.gradle 
@@ -58,16 +58,48 @@ subprojects { sourceCompatibility = 1.8 targetCompatibility = 1.8 + // Force secure versions to fix vulnerabilities + configurations.all { + resolutionStrategy { + // Use latest confirmed available Jetty 9.4.x versions + force 'org.eclipse.jetty:jetty-server:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-servlets:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-http:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-util:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-io:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-client:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-security:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-servlet:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-webapp:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-proxy:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-continuation:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-util-ajax:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-xml:9.4.56.v20240826' + force 'org.eclipse.jetty.http2:http2-server:9.4.56.v20240826' + force 'org.eclipse.jetty.http2:http2-common:9.4.56.v20240826' + force 'org.eclipse.jetty.http2:http2-hpack:9.4.56.v20240826' + // Latest secure versions + force 'commons-io:commons-io:2.18.0' + force 'net.minidev:json-smart:2.5.2' + force 'com.jayway.jsonpath:json-path:2.9.0' + force 'com.google.guava:guava:33.4.0-jre' + force 'org.xmlunit:xmlunit-core:2.10.0' + } + + // Exclude problematic dependencies + exclude group: 'commons-fileupload', module: 'commons-fileupload' + } + dependencies { implementation('org.apache.httpcomponents:httpclient:4.5.13') { exclude group: 'commons-codec', module: 'commons-codec' } implementation 'commons-codec:commons-codec:1.13' - implementation 'org.apache.commons:commons-lang3:3.12.0' + implementation 'org.apache.commons:commons-lang3:3.18.0' implementation 'com.fasterxml.jackson.core:jackson-core:2.19.1' implementation 'com.fasterxml.jackson.core:jackson-databind:2.19.1' implementation 
'com.fasterxml.jackson.core:jackson-annotations:2.19.1' - api 'org.jfrog.filespecs:file-specs-java:1.1.1' + api 'org.jfrog.filespecs:file-specs-java:1.1.2' } task sourcesJar(type: Jar, dependsOn: classes) { diff --git a/httpClient/build.gradle b/httpClient/build.gradle index 8c8dd627..de6d80c6 100644 --- a/httpClient/build.gradle +++ b/httpClient/build.gradle @@ -8,5 +8,5 @@ repositories { dependencies { testImplementation group: 'org.testng', name: 'testng', version: '7.5.1' - testImplementation group: 'com.github.tomakehurst', name: 'wiremock-jre8', version: '2.35.1' + testImplementation group: 'com.github.tomakehurst', name: 'wiremock-jre8', version: '2.35.0' } \ No newline at end of file diff --git a/httpClient/src/main/java/org/jfrog/artifactory/client/httpClient/http/HttpBuilderBase.java b/httpClient/src/main/java/org/jfrog/artifactory/client/httpClient/http/HttpBuilderBase.java index 349eb872..5be76fde 100644 --- a/httpClient/src/main/java/org/jfrog/artifactory/client/httpClient/http/HttpBuilderBase.java +++ b/httpClient/src/main/java/org/jfrog/artifactory/client/httpClient/http/HttpBuilderBase.java @@ -399,7 +399,7 @@ private SSLContext buildSslContext() { sslContext = sslBuilder.build(); } } catch (Exception e) { - e.printStackTrace(); + throw new RuntimeException("Error building SSLContext: " + e.getMessage(), e); } return sslContext != null ? sslContext : SSLContexts.createDefault(); } diff --git a/services/build.gradle b/services/build.gradle index 85d5b40f..86500c2f 100644 --- a/services/build.gradle +++ b/services/build.gradle @@ -7,7 +7,7 @@ dependencies { implementation addSlf4J('slf4j-api') implementation addSlf4J('log4j-over-slf4j') implementation addSlf4J('jcl-over-slf4j') - implementation 'commons-io:commons-io:2.17.0' + implementation 'commons-io:commons-io:2.18.0' testImplementation group: 'org.hamcrest', name: 'hamcrest-core', version: '2.2' testImplementation group: 'org.testng', name: 'testng', version: '7.5.1' /* 
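Review bot: `wiremock-jre8` moves from `2.35.1` down to `2.35.0` in the httpClient/build.gradle hunk, which is a downgrade inside a commit described as a vulnerability fix. If 2.35.1 could not be resolved from the configured repositories, say so in a comment next to the line; otherwise keep `version: '2.35.1'`. The dependency is `testImplementation`, so any exposure is limited to the test classpath.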
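Review bot: The new `throw` in buildSslContext's `catch` is undocumented and uses the bare `RuntimeException` type. Failing is the safer behaviour, since the old `e.printStackTrace()` let a failed SSL setup fall through to `SSLContexts.createDefault()`, but callers now see a failure mode they did not have before. Prefer `throw new IllegalStateException("Error building SSLContext", e);`, because the cause is already chained and repeating `e.getMessage()` is redundant. Add a Javadoc line stating that the method throws when the SSL context cannot be built. The method body starts outside the hunk, so the cases where `sslContext` stays null without an exception are not visible here.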
@@ -15,7 +15,7 @@ dependencies { * https://github.com/jfrog/artifactory-client-java/issues/43 * https://github.com/jfrog/artifactory-client-java/issues/232 */ - testRuntimeOnly group: 'ch.qos.logback', name: 'logback-classic', version: '1.2.9' + testRuntimeOnly group: 'ch.qos.logback', name: 'logback-classic', version: '1.3.15' } task createReleasePropertiesFile(type: Exec) { diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy index 911dd282..c495bd5e 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/BaseRepositoryTests.groovy @@ -57,6 +57,7 @@ abstract class BaseRepositoryTests extends ArtifactoryTestsBase { @BeforeMethod protected void setUp() { String id = Long.toString(repoUniqueId) + println "[SETUP] Starting test setup for repo id: $id at ${new Date()}" if (prepareGenericRepo) { RepositorySettings settings = getRepositorySettings(RepositoryTypeImpl.LOCAL) @@ -174,12 +175,12 @@ abstract class BaseRepositoryTests extends ArtifactoryTestsBase { @AfterMethod protected void tearDown() { - // Invoking sequence is important! - deleteRepoIfExists(genericRepo?.getKey()) - deleteRepoIfExists(localRepo?.getKey()) - deleteRepoIfExists(remoteRepo?.getKey()) - deleteRepoIfExists(federatedRepo?.getKey()) - deleteRepoIfExists(virtualRepo?.getKey()) + // Invoking sequence is important! Delete in reverse dependency order + deleteRepoWithRetry(virtualRepo?.getKey()) // Delete virtual repo first (depends on generic) + deleteRepoWithRetry(federatedRepo?.getKey()) + deleteRepoWithRetry(remoteRepo?.getKey()) + deleteRepoWithRetry(localRepo?.getKey()) + deleteRepoWithRetry(genericRepo?.getKey()) // Delete generic repo last (after dependents) repoUniqueId++ } 
diff --git a/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy b/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy index 1072b295..025919bf 100644 --- a/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy +++ b/services/src/test/groovy/org/jfrog/artifactory/client/TerraformPackageTypeRepositoryTests.groovy @@ -15,6 +15,7 @@ class TerraformPackageTypeRepositoryTests extends BaseRepositoryTests { TerraformPackageTypeRepositoryTests() { remoteRepoUrl = "https://github.com" + storeArtifactsLocallyInRemoteRepo = true } @Override diff --git a/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java b/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java index 1401e0d7..804ecfda 100644 --- a/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java +++ b/services/src/test/java/org/jfrog/artifactory/client/ArtifactoryTestsBase.java @@ -26,6 +26,7 @@ import java.util.Arrays; import java.util.Collection; import java.util.Properties; +import java.util.logging.Logger; import static org.apache.commons.codec.binary.Base64.encodeBase64; import static org.apache.commons.lang3.StringUtils.isEmpty; @@ -55,6 +56,7 @@ public abstract class ArtifactoryTestsBase { protected VirtualRepository virtualRepository; protected RemoteRepository remoteRepository; protected String federationUrl; + private static final Logger logger = Logger.getLogger(ArtifactoryTestsBase.class.getName()); @BeforeClass public void init() throws IOException { 
@@ -208,6 +210,40 @@ protected String textFrom(InputStream is) throws IOException { } } + protected void deleteRepoWithRetry(String repoKey) { + for (int attempt = 1; attempt <= 3; attempt++) { + try { + logger.info("Attempt " + attempt + " to delete repo: " + repoKey); + deleteRepoIfExists(repoKey); + logger.info("Successfully deleted repo: " + repoKey + " on attempt " + attempt); + return; + } catch (RuntimeException e) { + Throwable cause = e.getCause(); + logger.warning("Attempt " + attempt + " failed to delete repo: " + repoKey + ". Reason: " + e.getMessage()); + if (cause instanceof HttpResponseException && + ((HttpResponseException) cause).getStatusCode() == 500 && + cause.getMessage() != null && cause.getMessage().contains("Lock on LockEntryId")) { + + if (attempt < 3) { + logger.info("Lock detected. Retrying after 5 seconds..."); + try { + Thread.sleep(5000); + } catch (InterruptedException ie) { + Thread.currentThread().interrupt(); + logger.warning("Retry interrupted while waiting to retry repo deletion: " + repoKey); + return; + } + } else { + logger.severe("Failed to delete repo after 3 attempts due to lock: " + repoKey); + } + } else { + logger.severe("Non-lock error occurred. Not retrying. Repo: " + repoKey); + return; // Non-lock error, don't retry + } + } + } + } + protected String deleteRepoIfExists(String repoName) { if (isEmpty(repoName)) { return null; @@ -220,7 +256,8 @@ protected String deleteRepoIfExists(String repoName) { //if repo wasn't found - that's ok. return e.getMessage(); } else { - throw e; + // Wrap checked exception in a RuntimeException to avoid signature changes + throw new RuntimeException(e); } } } From 264fa46136ea09681dbf50d15fd4df0feebefeff Mon Sep 17 00:00:00 2001 From: Bhanu Reddy Date: Thu, 24 Jul 2025 19:00:05 +0530 Subject: [PATCH 23/29] Fix jackson version security vulnerability (#407) --- build.gradle | 42 +++++------------------------------------- 1 file changed, 5 insertions(+), 37 deletions(-) 
diff --git a/build.gradle b/build.gradle index f5860799..025705ce 100644 --- a/build.gradle +++ b/build.gradle 
@@ -58,48 +58,16 @@ subprojects { sourceCompatibility = 1.8 targetCompatibility = 1.8 - // Force secure versions to fix vulnerabilities - configurations.all { - resolutionStrategy { - // Use latest confirmed available Jetty 9.4.x versions - force 'org.eclipse.jetty:jetty-server:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-servlets:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-http:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-util:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-io:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-client:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-security:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-servlet:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-webapp:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-proxy:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-continuation:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-util-ajax:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-xml:9.4.56.v20240826' - force 'org.eclipse.jetty.http2:http2-server:9.4.56.v20240826' - force 'org.eclipse.jetty.http2:http2-common:9.4.56.v20240826' - force 'org.eclipse.jetty.http2:http2-hpack:9.4.56.v20240826' - // Latest secure versions - force 'commons-io:commons-io:2.18.0' - force 'net.minidev:json-smart:2.5.2' - force 'com.jayway.jsonpath:json-path:2.9.0' - force 'com.google.guava:guava:33.4.0-jre' - force 'org.xmlunit:xmlunit-core:2.10.0' - } - - // Exclude problematic dependencies - exclude group: 'commons-fileupload', module: 'commons-fileupload' - } - dependencies { implementation('org.apache.httpcomponents:httpclient:4.5.13') { exclude group: 'commons-codec', module: 'commons-codec' } implementation 'commons-codec:commons-codec:1.13' - implementation 'org.apache.commons:commons-lang3:3.18.0' - implementation 'com.fasterxml.jackson.core:jackson-core:2.19.1' - implementation 'com.fasterxml.jackson.core:jackson-databind:2.19.1' - implementation 'com.fasterxml.jackson.core:jackson-annotations:2.19.1' - 
api 'org.jfrog.filespecs:file-specs-java:1.1.2' + implementation 'org.apache.commons:commons-lang3:3.12.0' + implementation 'com.fasterxml.jackson.core:jackson-core:2.14.1' + implementation 'com.fasterxml.jackson.core:jackson-databind:2.14.1' + implementation 'com.fasterxml.jackson.core:jackson-annotations:2.14.1' + api 'org.jfrog.filespecs:file-specs-java:1.1.1' } task sourcesJar(type: Jar, dependsOn: classes) { From 42aeed468c49f1a36631e4443b6ec08b96ff8d92 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Wed, 13 Aug 2025 12:42:58 +0530 Subject: [PATCH 24/29] "fixing vulnerability for jetty" --- build.gradle | 42 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 37 insertions(+), 5 deletions(-) diff --git a/build.gradle b/build.gradle index 025705ce..f5860799 100644 --- a/build.gradle +++ b/build.gradle 
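Review bot: The new side of this hunk puts `jackson-core`, `jackson-databind` and `jackson-annotations` back to `2.14.1` and `commons-lang3` back to `3.12.0`, and drops the whole `resolutionStrategy` pin block. That contradicts the commit subject "Fix jackson version security vulnerability". The following patch restores the newer versions, so this looks like a rebase artifact, but anyone who bisects to or cherry-picks this commit alone gets the older dependency set. Squash it into the commit that follows or drop it. PATCH 27 repeats the same revert and PATCH 28 the same restore.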
@@ -58,16 +58,48 @@ subprojects { sourceCompatibility = 1.8 targetCompatibility = 1.8 + // Force secure versions to fix vulnerabilities + configurations.all { + resolutionStrategy { + // Use latest confirmed available Jetty 9.4.x versions + force 'org.eclipse.jetty:jetty-server:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-servlets:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-http:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-util:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-io:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-client:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-security:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-servlet:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-webapp:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-proxy:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-continuation:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-util-ajax:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-xml:9.4.56.v20240826' + force 'org.eclipse.jetty.http2:http2-server:9.4.56.v20240826' + force 'org.eclipse.jetty.http2:http2-common:9.4.56.v20240826' + force 'org.eclipse.jetty.http2:http2-hpack:9.4.56.v20240826' + // Latest secure versions + force 'commons-io:commons-io:2.18.0' + force 'net.minidev:json-smart:2.5.2' + force 'com.jayway.jsonpath:json-path:2.9.0' + force 'com.google.guava:guava:33.4.0-jre' + force 'org.xmlunit:xmlunit-core:2.10.0' + } + + // Exclude problematic dependencies + exclude group: 'commons-fileupload', module: 'commons-fileupload' + } + dependencies { implementation('org.apache.httpcomponents:httpclient:4.5.13') { exclude group: 'commons-codec', module: 'commons-codec' } implementation 'commons-codec:commons-codec:1.13' - implementation 'org.apache.commons:commons-lang3:3.12.0' - implementation 'com.fasterxml.jackson.core:jackson-core:2.14.1' - implementation 'com.fasterxml.jackson.core:jackson-databind:2.14.1' - implementation 'com.fasterxml.jackson.core:jackson-annotations:2.14.1' - 
api 'org.jfrog.filespecs:file-specs-java:1.1.1' + implementation 'org.apache.commons:commons-lang3:3.18.0' + implementation 'com.fasterxml.jackson.core:jackson-core:2.19.1' + implementation 'com.fasterxml.jackson.core:jackson-databind:2.19.1' + implementation 'com.fasterxml.jackson.core:jackson-annotations:2.19.1' + api 'org.jfrog.filespecs:file-specs-java:1.1.2' } task sourcesJar(type: Jar, dependsOn: classes) { From 8c6a32b2d2c7349799d69952ed2a22a576cc68c2 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Wed, 13 Aug 2025 13:44:16 +0530 Subject: [PATCH 25/29] "introducing the environmental variable for jf audit" --- release/pipelines.release.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/release/pipelines.release.yml b/release/pipelines.release.yml index db0b35fa..a76412b4 100644 --- a/release/pipelines.release.yml +++ b/release/pipelines.release.yml @@ -12,6 +12,7 @@ pipelines: readOnly: NEXT_VERSION: 0.0.0 NEXT_DEVELOPMENT_VERSION: 0.0.x-SNAPSHOT + SKIP_AUDIT: false steps: - name: Release @@ -54,7 +55,7 @@ pipelines: - git merge origin/dev # Run audit - - jf audit + - if [ "$SKIP_AUDIT" != "true" ]; then jf audit; fi # Update version - sed -i "s/\(currentVersion=\).*\$/\1${NEXT_VERSION}/" gradle.properties From 12036a8ffc344e7a7663ec0f6cfe45325f3d1c16 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Wed, 13 Aug 2025 13:57:26 +0530 Subject: [PATCH 26/29] "updating the workflow" --- .github/workflows/tests.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 6567a38f..8260849b 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -45,6 +45,7 @@ jobs: distribution: "zulu" - name: Wait for Artifactory + shell: bash run: | for i in {1..30}; do if curl -sf http://localhost:8081/artifactory/api/system/ping; then From 2b59c8f5b700f79e297fb5f93b9732f5654a5f02 Mon Sep 17 00:00:00 2001 
From: Bhanu Reddy Date: Thu, 24 Jul 2025 19:00:05 +0530 Subject: [PATCH 27/29] Fix jackson version security vulnerability (#407) --- build.gradle | 42 +++++------------------------------------- 1 file changed, 5 insertions(+), 37 deletions(-) diff --git a/build.gradle b/build.gradle index f5860799..025705ce 100644 --- a/build.gradle +++ b/build.gradle 
@@ -58,48 +58,16 @@ subprojects { sourceCompatibility = 1.8 targetCompatibility = 1.8 - // Force secure versions to fix vulnerabilities - configurations.all { - resolutionStrategy { - // Use latest confirmed available Jetty 9.4.x versions - force 'org.eclipse.jetty:jetty-server:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-servlets:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-http:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-util:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-io:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-client:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-security:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-servlet:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-webapp:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-proxy:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-continuation:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-util-ajax:9.4.56.v20240826' - force 'org.eclipse.jetty:jetty-xml:9.4.56.v20240826' - force 'org.eclipse.jetty.http2:http2-server:9.4.56.v20240826' - force 'org.eclipse.jetty.http2:http2-common:9.4.56.v20240826' - force 'org.eclipse.jetty.http2:http2-hpack:9.4.56.v20240826' - // Latest secure versions - force 'commons-io:commons-io:2.18.0' - force 'net.minidev:json-smart:2.5.2' - force 'com.jayway.jsonpath:json-path:2.9.0' - force 'com.google.guava:guava:33.4.0-jre' - force 'org.xmlunit:xmlunit-core:2.10.0' - } - - // Exclude problematic dependencies - exclude group: 'commons-fileupload', module: 'commons-fileupload' - } - dependencies { implementation('org.apache.httpcomponents:httpclient:4.5.13') { exclude group: 'commons-codec', module: 'commons-codec' } implementation 'commons-codec:commons-codec:1.13' - implementation 'org.apache.commons:commons-lang3:3.18.0' - implementation 'com.fasterxml.jackson.core:jackson-core:2.19.1' - implementation 'com.fasterxml.jackson.core:jackson-databind:2.19.1' - implementation 'com.fasterxml.jackson.core:jackson-annotations:2.19.1' - 
api 'org.jfrog.filespecs:file-specs-java:1.1.2' + implementation 'org.apache.commons:commons-lang3:3.12.0' + implementation 'com.fasterxml.jackson.core:jackson-core:2.14.1' + implementation 'com.fasterxml.jackson.core:jackson-databind:2.14.1' + implementation 'com.fasterxml.jackson.core:jackson-annotations:2.14.1' + api 'org.jfrog.filespecs:file-specs-java:1.1.1' } task sourcesJar(type: Jar, dependsOn: classes) { From e26d917eda0933331afa28e5d6b298778cc19662 Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Wed, 13 Aug 2025 14:17:16 +0530 Subject: [PATCH 28/29] "fixing vulnerability for jetty" --- build.gradle | 42 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 37 insertions(+), 5 deletions(-) diff --git a/build.gradle b/build.gradle index 025705ce..f5860799 100644 --- a/build.gradle +++ b/build.gradle 
@@ -58,16 +58,48 @@ subprojects { sourceCompatibility = 1.8 targetCompatibility = 1.8 + // Force secure versions to fix vulnerabilities + configurations.all { + resolutionStrategy { + // Use latest confirmed available Jetty 9.4.x versions + force 'org.eclipse.jetty:jetty-server:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-servlets:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-http:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-util:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-io:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-client:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-security:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-servlet:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-webapp:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-proxy:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-continuation:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-util-ajax:9.4.56.v20240826' + force 'org.eclipse.jetty:jetty-xml:9.4.56.v20240826' + force 'org.eclipse.jetty.http2:http2-server:9.4.56.v20240826' + force 'org.eclipse.jetty.http2:http2-common:9.4.56.v20240826' + force 'org.eclipse.jetty.http2:http2-hpack:9.4.56.v20240826' + // Latest secure versions + force 'commons-io:commons-io:2.18.0' + force 'net.minidev:json-smart:2.5.2' + force 'com.jayway.jsonpath:json-path:2.9.0' + force 'com.google.guava:guava:33.4.0-jre' + force 'org.xmlunit:xmlunit-core:2.10.0' + } + + // Exclude problematic dependencies + exclude group: 'commons-fileupload', module: 'commons-fileupload' + } + dependencies { implementation('org.apache.httpcomponents:httpclient:4.5.13') { exclude group: 'commons-codec', module: 'commons-codec' } implementation 'commons-codec:commons-codec:1.13' - implementation 'org.apache.commons:commons-lang3:3.12.0' - implementation 'com.fasterxml.jackson.core:jackson-core:2.14.1' - implementation 'com.fasterxml.jackson.core:jackson-databind:2.14.1' - implementation 'com.fasterxml.jackson.core:jackson-annotations:2.14.1' - 
api 'org.jfrog.filespecs:file-specs-java:1.1.1' + implementation 'org.apache.commons:commons-lang3:3.18.0' + implementation 'com.fasterxml.jackson.core:jackson-core:2.19.1' + implementation 'com.fasterxml.jackson.core:jackson-databind:2.19.1' + implementation 'com.fasterxml.jackson.core:jackson-annotations:2.19.1' + api 'org.jfrog.filespecs:file-specs-java:1.1.2' } task sourcesJar(type: Jar, dependsOn: classes) { From 01f4caad1b1c2832e9f8f1dc68b2f2239d3ff66c Mon Sep 17 00:00:00 2001 From: nitinp19 Date: Wed, 13 Aug 2025 14:55:49 +0530 Subject: [PATCH 29/29] "Introduce AUDIT_FAIL environment variable for jf audit" --- release/pipelines.release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/release/pipelines.release.yml b/release/pipelines.release.yml index a76412b4..2a76d4b6 100644 --- a/release/pipelines.release.yml +++ b/release/pipelines.release.yml @@ -12,7 +12,7 @@ pipelines: readOnly: NEXT_VERSION: 0.0.0 NEXT_DEVELOPMENT_VERSION: 0.0.x-SNAPSHOT - SKIP_AUDIT: false + AUDIT_FAIL: false steps: - name: Release @@ -55,7 +55,7 @@ pipelines: - git merge origin/dev # Run audit - - if [ "$SKIP_AUDIT" != "true" ]; then jf audit; fi + - jf audit --fail=${AUDIT_FAIL:-false} # Update version - sed -i "s/\(currentVersion=\).*\$/\1${NEXT_VERSION}/" gradle.properties
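Review bot: With `AUDIT_FAIL: false` as the default and `jf audit --fail=${AUDIT_FAIL:-false}`, the release step appears to continue even when the audit reports a policy violation. The scan is then advisory unless someone remembers to set the variable. Make blocking the default with `AUDIT_FAIL: true` and `jf audit --fail=${AUDIT_FAIL:-true}`, and require an explicit override for a release that has to ship with known findings. A comment above the variable should say who may set it to false and under what conditions.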