finos / legend-pure
Legend Pure module
Home Page: https://legend.finos.org
License: Apache License 2.0
The following model/mapping will fail when executing the mapping test:
Class test::MilestonedData
{
FROM_Z: StrictDate[0..1];
THRU_Z: StrictDate[0..1];
}
Class test::MarketListIdentifier extends test::MilestonedData
{
identifier: String[1];
}
Class test::TopLevelTarget
{
id: String[*];
}
Class test::TopLevelSource
{
current: test::MarketListIdentifier[*];
}
function test::f(t: test::TopLevelSource[1]): test::MarketListIdentifier[*]
{
$t.current->filter(m|$m->test::isNonEmptyDates())
}
function test::isNonEmptyDates(milestonedData: test::MilestonedData[1]): Boolean[1]
{
$milestonedData.THRU_Z->isNotEmpty() && $milestonedData.FROM_Z->isNotEmpty()
}
###Mapping
Mapping test::M
(
test::TopLevelTarget: Pure
{
~src test::TopLevelSource
id: $src->test::f().identifier
}
MappingTests
[
test_1
(
query: |test::TopLevelTarget.all()->graphFetchChecked(#{test::TopLevelTarget{id}}#)->serialize(#{test::TopLevelTarget{id}}#);
data:
[
<Object, JSON, test::TopLevelSource, '{"current":[{"FROM_Z":"2021-10-11","THRU_Z":"2021-11-01","delete":true,"topLevel":{"marketList":[{"FROM_Z":"2021-10-23","THRU_Z":"2021-11-20","delete":true,"identifier":"identifier 51"}],"id":["id 54"]},"identifier":"identifier 67"}],"proposed":{"FROM_Z":"2021-11-13","THRU_Z":"2021-11-19","topLevel":{"marketList":[{"FROM_Z":"2021-11-23","THRU_Z":"2021-11-12","identifier":"identifier 59"}],"id":["id 4"]},"identifier":"identifier 68"}}'>
];
assert: '{}';
)
]
)
Expected result is successful execution of the mapping test
Test fails with error: ClassNotFoundException: org.finos.legend.pure.generated.Root_test_MilestonedData
The bug is due to this line:
Here, the call to subTypeOf should be replaced with _subTypeOf and is fixed here: #322
However, to avoid future issues with subTypeOf, the behaviour should be changed: in the case that the class is not found, we should fall back on searching the graph for the class (as _subTypeOf does).
JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.
Library home page: http://junit.org
Path to dependency file: legend-pure/legend-pure-configuration-external/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/junit/junit/4.11/junit-4.11.jar
Found in HEAD commit: b59e9e28c092c5e6feaca79385149326039248d5
Found in base branch: master
In JUnit4 before version 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
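As an added illustration (not code from legend-pure, JUnit or the advisory), a small Java helper that checks whether a directory has the property the workaround above relies on, owned by the executing user with no group or other permissions, and that creates a temporary directory satisfying it. It assumes a POSIX file system, since the advisory concerns Unix-like systems, and Java 7+ NIO APIs; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.nio.file.attribute.UserPrincipal;
import java.util.EnumSet;
import java.util.Set;

/**
 * Hypothetical helper for the CVE-2020-15250 workaround: a temp directory is only
 * safe for test artefacts if the executing user owns it and nobody else can read it.
 * Requires a POSIX file system (Files.getPosixFilePermissions throws on Windows).
 */
public final class PrivateTempDir {

    private static final Set<PosixFilePermission> OWNER_ONLY =
            EnumSet.of(PosixFilePermission.OWNER_READ,
                       PosixFilePermission.OWNER_WRITE,
                       PosixFilePermission.OWNER_EXECUTE);

    /**
     * True when {@code dir} is a directory owned by the current user and grants no
     * permission bits to group or others. A shared /tmp fails this check; a directory
     * suitable as java.io.tmpdir under the workaround passes it.
     */
    public static boolean isExclusivelyOwned(Path dir) throws IOException {
        if (!Files.isDirectory(dir)) {
            return false;
        }
        UserPrincipal owner = Files.getOwner(dir);
        UserPrincipal self = dir.getFileSystem().getUserPrincipalLookupService()
                .lookupPrincipalByName(System.getProperty("user.name"));
        if (!owner.equals(self)) {
            return false;
        }
        // Every permission bit present must be one of the owner bits.
        return OWNER_ONLY.containsAll(Files.getPosixFilePermissions(dir));
    }

    /**
     * Creates a directory under java.io.tmpdir with mode rwx------, so its contents
     * are not disclosed to other local users even when java.io.tmpdir itself is shared.
     */
    public static Path createOwnerOnlyTempDir(String prefix) throws IOException {
        FileAttribute<Set<PosixFilePermission>> mode =
                PosixFilePermissions.asFileAttribute(OWNER_ONLY);
        return Files.createTempDirectory(prefix, mode);
    }

    public static void main(String[] args) throws IOException {
        // Report whether the JVM's current temp directory already meets the workaround.
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        System.out.println(tmp + " exclusively owned: " + isExclusivelyOwned(tmp));

        // A directory created with owner-only permissions passes the same check.
        Path dir = createOwnerOnlyTempDir("legend-test-");
        System.out.println(dir + " exclusively owned: " + isExclusivelyOwned(dir));
        Files.delete(dir);
    }
}
```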
Publish Date: 2020-07-21
URL: CVE-2020-15250
Type: Upgrade version
Origin: GHSA-269g-pwp5-87pp
Release Date: 2020-07-21
Fix Resolution: junit:junit:r4.13.1
Support mod operator for memsql.
The light server cannot be accessed from the Light IDE in its current version.
In the current iteration of the Light IDE, starting the IDE locally with a version of the Light server running in the background yields the message that /initialize cannot be found. Browser debug logs show that the IDE is trying to GET localhost:3000/initialize, where instead it should GET localhost:9010/initialize, which is the default port for the light server.
This is due to the following line in EditorStore.tsx:
this.client = new PureClient(
new NetworkClient({
// NOTE: ignore the URL specified in the config so we can use this client for both Pure and Engine
baseUrl: window.location.origin,
}),
);
The following fix works:
this.client = new PureClient(
new NetworkClient({
// NOTE: ignore the URL specified in the config so we can use this client for both Pure and Engine
baseUrl: this.applicationStore.config.pureUrl,
}),
);
I see that there is a NOTE remarking that the use of the window origin is intentional to support both PURE and the engine. So how does one run the Light IDE plus the IDE server locally?
The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to dependency file: legend-pure/legend-pure-m4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar
Found in HEAD commit: 03d9649e7cc4bc5afd2bcf813b6ffea681a17ab8
Found in base branch: master
Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
Type: Upgrade version
Origin: apache/commons-codec@48b6157
Release Date: 2019-05-12
Fix Resolution: 1.13-RC1
Provide Legend users with a way to persist the results of a service invocation to a target datastore.
This capability would enable users to ingest data onto the platform.
It would also serve as a building block for other platform components, e.g. moving data in service of caching.
Allow users to provide a persistence specification that takes a Legend service as input and covers key facets of persistence:
The specification would be executable against different runtimes which a user could choose depending on feature set, environment, or non-functional requirements.
Currently the method checks that the business date is a constant or a VariableExpression, expecting use cases of
MyClass.all(%2015-01-01)
or
let businessDate = today();
MyClass.all($businessDate);
However, it gives a compiler error for usage like
let businessDate = today();
MyClass.all($businessDate)
->concatenate(MyClass.all($businessDate->adjust(-1, DurationUnit.DAYS)));
due to the parameter being a FunctionExpression.
Although people can still create an equivalent query via:
let businessDate = today();
MyClass.all($businessDate)
->concatenate({d:Date[1]|MyClass.all($d)}->eval($businessDate->adjust(-1, DurationUnit.DAYS)));
and the compiler won't complain (but it's more complicated to write / less clear).
Current builds fail on WhiteSource security checks due to CVE-2020-7774 affecting y18n. (Example build)
This dependency is brought in via webpack-dev-server, but seems that the change needs to be backported to y18n v4 and to allow webpack-dev-server to be updated.
Rather than waiting we could force the dependency update on y18n to version 5.0.5, since webpack-dev-server cannot update to that version due to their dependency on node >= 6.11.5 and we use a later version.
What do you think @akphi?
In Java 11.0.9 the use of timezone "CST" no longer works, causing the test on line 55 of TestPureDate.java to fail (see the full log below).
This should instead be
Assert.assertEquals("2013-12-31 19:01:01.070 GMT-06:00", date.format("[CST]yyyy-MM-dd HH:mm:ss.SSS z"));
mvn -Dtest=TestPureDate test
The test should pass consistently on 11.0.7 and 11.0.9
-------------------------------------------------------
T E S T S
-------------------------------------------------------
Running org.finos.legend.pure.m4.coreinstance.primitive.date.TestPureDate
Tests run: 13, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.388 sec <<< FAILURE! - in org.finos.legend.pure.m4.coreinstance.primitive.date.TestPureDate
testFormatWithTimeZoneShift(org.finos.legend.pure.m4.coreinstance.primitive.date.TestPureDate) Time elapsed: 0.029 sec <<< FAILURE!
org.junit.ComparisonFailure: expected:<...-12-31 19:01:01.070 [CST]> but was:<...-12-31 19:01:01.070 [GMT-06:00]>
at org.junit.Assert.assertEquals(Assert.java:117)
at org.junit.Assert.assertEquals(Assert.java:146)
at org.finos.legend.pure.m4.coreinstance.primitive.date.TestPureDate.testFormatWithTimeZoneShift(TestPureDate.java:55)
Results :
Failed tests:
TestPureDate.testFormatWithTimeZoneShift:55 expected:<...-12-31 19:01:01.070 [CST]> but was:<...-12-31 19:01:01.070 [GMT-06:00]>
Version: master after commit f98651e
OS: Ubuntu 18.04.5 LTS and Windows 10 (baremetal)
Java: 11.0.7 and 11.0.9
As this issue is version specific I believe it needs a deeper dive into the use of java.util.TimeZone
across the project. In this case used on line 255 of DateFormat.java
I am happy to open a PR to resolve across the board; let me know if you would like me to proceed
Ref: https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/util/TimeZone.html
Expand relational grammar to allow dashes in schema names.
In some databases/dataservices (e.g BigQuery), the schema name does not allow "_" (underscore) but does allow "-" (dash).
Using "-" in a schema name results in a compilation error.
The grammar defines "schema" to be an "identifier" [1]. "identifier" does not include dash (-). The grammar should be changed to include "-" (dash) for schema names.
Provide a facility for testing persistence specifications. In particular, allow users to:
Generate a Persistence specification that can be used to run on Aws. Builds on top of #425
Starting from an already-crafted Persistence, this capability will enable users to File Generate an Aws-specific persistence specification that contains all necessary information to run on Aws.
I am currently trying to implement a Database via my own class. Hence, I define my database via the use of local variables rather than global ones, as, naturally, there is no dedicated syntax for this database type yet (such as in the case of Relational Databases). However, the router component heavily invokes the function elementToPath on store objects that are present in the mapping object handed over to the execute function. The function elementToPath, however, errors when invoked on objects that do not exist globally but are rather bound via local variables.
This is the problematic code segment of elementToPath:
function meta::pure::functions::meta::elementToPath(element:PackageableElement[1], separator:String[1]):String[1]
{
let path = $element->elementPath();
if($path->size() == 1,
| let first = $path->at(0);
if(is(::, $first),
| '',
| $first.name->toOne());,
| $path->tail()->map(e | $e.name)->joinStrings($separator));
}
If $first does not have a name attribute, the call to toOne() errors. My current workaround is to provide a name attribute to my custom Store. However, I guess this is rather a hack, as in reality, my local object does not have a package path.
One solution would be to provide a wrapper type that lets me expose my custom store as a packagable element so that calls to that functions do not error. Does such a type/solution exist?
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: legend-pure/legend-pure-runtime-java-extension-external-json/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.60/bcprov-jdk15on-1.60.jar
Found in HEAD commit: 03d9649e7cc4bc5afd2bcf813b6ffea681a17ab8
Found in base branch: master
The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.
Publish Date: 2019-10-08
URL: CVE-2019-17359
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17359
Release Date: 2019-10-08
Fix Resolution: org.bouncycastle:bcprov-jdk15on:1.64
When defining a lambda function without typing its arguments, the error message is cryptic:
{x|fooBarFunction($x)} // fails with "Function type is not fully defined in {NULL[NULL], NULL[NULL]->NULL[NULL]}".
The fooBarFunction has already been defined with appropriate signature, like: fooBarFunction (Argument: Type[n]):ReturnType[m]
Either infer that x is of type Type, or (much simpler) return an error message such as "argument types not defined".
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Path to dependency file: legend-pure/legend-pure-maven-java-compiled/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar
Found in HEAD commit: 03d9649e7cc4bc5afd2bcf813b6ffea681a17ab8
Found in base branch: master
Plexus-utils before 3.0.24 are vulnerable to Directory Traversal
Publish Date: 2016-05-07
URL: WS-2016-7057
Type: Upgrade version
Origin: codehaus-plexus/plexus-utils@33a2853
Release Date: 2019-05-30
Fix Resolution: 3.0.24
Test issue - please ignore
@maoo I thought it's better to create a separate thread to the conversation about sonar. I can set quality gate now, for all projects except for legend-pure, which is actually the one I need right now 😄 If you could add me to that one, it would be great!
That aside, I think the current quality gate profile Sonar default is good enough. My concern is how should we set the new code definition, do you have any experience or advice for us about this? As of now I thought the most sensible option is previous version (see screenshot), what do you think?
Thanks!
The following code compiles in Pure, but yields a Java compilation error in compiled mode.
import test::*;
function test::inspect<T|m>(values:T[m], fn:Function<{T[m]->Any[*]}>[1]):T[m]
{
$fn->eval($values);
$values;
}
function test::test():Any[*]
{
inspect([1, 2, 3, 4], v | $v->map(i | $i->toString())->joinStrings('[', ', ', ']\\n'))
}
An ignored failing test was added for this in this commit.
The Java code that is generated for the Pure code should compile (and behave correctly).
What actually happens is a Java compilation error which complains that the generated Java code is not a statement.
This was reproduced with legend-pure 3.7.0 and JDK 11.0.16.
Legend should support generating Morphir IR enriched with Pure source information.
Legend currently supports generating simple Pure functions into Morphir IR, and the next milestone would be to include Pure code source information in the generated IR in order for Bosque to provide theorem proving feedback with useful source info.
Currently, (unmerged) changes have been made to support including source information in Morphir transform process. Here we provide example input function with an explicit zero division, which looks like:
function meta::external::language::morphir::transform::tests::zeroDivisionFunction(v1:Number[1]):Number[1]
{
$v1 / 0.0;
}
… which would be located on line 23-26 of file “\core\external\language\morphir\tests\transformAndSerializeTests.pure”.
And the generated output from it would be:
{ "formatVersion": 1, "distribution": [ "library", [ [ "system" ], [ "morphir" ] ], [], { "modules": [ { "name": [ [ "transform" ] ], "def": [ "public", { "types": [], "values": [ [ [ "zero", "division", "function" ], [ "public", { "inputTypes": [ [ [ "v", "1" ], [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [ "sourceInformation", [ "source", "\/core\/external\/language\/morphir\/tests\/transformAndSerializeTests.pure" ], [ "startLine", 23 ], [ "startColumn", 1 ], [ "endLine", 26 ], [ "endColumn", 1 ] ] ], [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [ "sourceInformation", [ "source", "\/core\/external\/language\/morphir\/tests\/transformAndSerializeTests.pure" ], [ "startLine", 23 ], [ "startColumn", 1 ], [ "endLine", 26 ], [ "endColumn", 1 ] ] ] ] ], "outputType": [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [ "sourceInformation", [ "source", "\/core\/external\/language\/morphir\/tests\/transformAndSerializeTests.pure" ], [ "startLine", 23 ], [ "startColumn", 1 ], [ "endLine", 26 ], [ "endColumn", 1 ] ] ], "body": [ "apply", [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [ "sourceInformation", [ "source", "\/core\/external\/language\/morphir\/tests\/transformAndSerializeTests.pure" ], [ "startLine", 25 ], [ "startColumn", 8 ], [ "endLine", 25 ], [ "endColumn", 8 ] ] ], [ "apply", [ "function", {}, [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [] ], [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [] ], [] ], [ "reference", [ "function", {}, [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [] ], [ "function", {}, [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [] ], [ 
"reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [] ], [] ], [] ], [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "divide" ] ] ], [ "variable", [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [ "sourceInformation", [ "source", "\/core\/external\/language\/morphir\/tests\/transformAndSerializeTests.pure" ], [ "startLine", 25 ], [ "startColumn", 5 ], [ "endLine", 25 ], [ "endColumn", 6 ] ] ], [ "v", "1" ] ] ], [ "literal", [ "reference", {}, [ [ [ "morphir" ], [ "s", "d", "k" ] ], [ [ "basics" ] ], [ "float" ] ], [], [ "sourceInformation", [ "source", "\/core\/external\/language\/morphir\/tests\/transformAndSerializeTests.pure" ], [ "startLine", 25 ], [ "startColumn", 10 ], [ "endLine", 25 ], [ "endColumn", 12 ] ] ], [ "float_literal", 0.0 ] ] ] } ] ] ] } ] } ] } ] }
It would be good to have Snowflake support for convertVarchar128().
The soon-to-be-added PR for this will achieve using Snowflake's to_char (see https://docs.snowflake.com/en/sql-reference/functions/to_char.html). Note that unlike with other DBs, the result will not be padded.
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Guava has only one code dependency - javax.annotation, per the JSR-305 spec.
Library home page: http://code.google.com/p/guava-libraries
Path to dependency file: legend-pure/legend-pure-runtime-java-engine-compiled/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar
Found in HEAD commit: 03d9649e7cc4bc5afd2bcf813b6ffea681a17ab8
Found in base branch: master
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Publish Date: 2018-04-26
URL: CVE-2018-10237
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237
Release Date: 2018-04-26
Fix Resolution: 24.1.1-jre, 24.1.1-android
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Path to dependency file: legend-pure/legend-pure-maven-java-compiled/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar
Found in HEAD commit: 03d9649e7cc4bc5afd2bcf813b6ffea681a17ab8
Found in base branch: master
Security vulnerability found in plexus-utils before 3.0.24. XML injection found in XmlWriterUtil.java.
Publish Date: 2016-05-07
URL: WS-2016-7062
Type: Upgrade version
Origin: codehaus-plexus/plexus-utils@f933e5e
Release Date: 2019-09-26
Fix Resolution: 3.0.24
Suppose I want to define a type that models a bijective Map like so:
Class BiMap<K, V> {
to: Map<K, V>[1];
from: Map<V, K>[1];
}
Now I want to provide to users a convenient constructor method that just yields an empty instance of BiMap:
function empty<K, V>(): BiMap<K, V>[1] {
^BiMap<K,V>(to=^Map<K,V>(), from=^Map<V,K>());
}
Such a function definition does not work for two reasons: First, PURE tries to find existing types named K and V. Second, there is no way to invoke the empty function by explicitly specifying type parameters at invocation (type parameters are always implicit via supplied function arguments).
<module>legend-pure-ide-light</module>
-- this is my attempt to operationalize the comment in the readme: Pure IDE has a web application component which requires Node 14.17.1+ and Yarn 1.22.10. Make sure you have these set up in your development environment, otherwise, you would need to exclude the build step for this web application in legend-pure-ide-light module.
(I looked for what I could exclude in legend-pure-ide-light/pom.xml, couldn't find anything. Is this particular comment out of date?)
3. Run mvn install
successful build
failure. See attached log.
mvn --version:
Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)
Maven home: /Users/vijaysaraswat/Downloads/apache-maven-3.6.3
Java version: 11.0.14, vendor: Oracle Corporation, runtime: /Library/Java/JavaVirtualMachines/jdk-11.0.14.jdk/Contents/Home
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "11.4", arch: "x86_64", family: "mac"
build-fail-log.txt
git log:
WARNING: terminal is not fully functional
- (press RETURN)
commit ca62687264a4e45807aa7084edf56aaacd5b8eac (HEAD -> master, origin/master, origin/HEAD)
Author: pierredebelen <[email protected]>
Date: Wed Mar 23 11:24:00 2022 -0400
[maven-release-plugin] prepare for next development iteration
commit 2d18b24d608469e2ff975efb4bf77655d6d9c2bc (tag: legend-pure-1.52.0)
Author: pierredebelen <[email protected]>
Date: Wed Mar 23 11:23:58 2022 -0400
[maven-release-plugin] prepare release legend-pure-1.52.0
...
git status is:
On branch master
Your branch is up to date with 'origin/master'.