How to suppress a warning from Checkmarx in JetBrains IDE? - intellij-idea

After adding Jackson as a dependency in my project, I get the warning:
Provides transitive vulnerable dependency maven:com.fasterxml.jackson.core:jackson-databind:2.13.4 CVE-2022-42003 7.5 Deserialization of Untrusted Data vulnerability with medium severity found Results powered by Checkmarx(c)
I appreciate the reminder provided by this message. But now that I am aware of this issue, I wish to suppress the message.
👉 How can I suppress this message from appearing in my IDE (IntelliJ)?

Related

How to resolve error "Failed to resolve: org.jetbrains.kotlin:kotlin-stdlib-jre7..." when building in Android Studio

I've created a new project by checking the "include kotlin" box in Android Studio 3 and out of the box I get an error while compiling
"Failed to resolve: org.jetbrains.kotlin:kotlin-stdlib-jre7..."
I have made sure all plugins are up to date and that the Android SDK is properly installed.
How can I solve for this error?
kotlin-stdlib-jre[7/8] was deprecated a while ago, and has since been removed. The deprecation note was kept until 1.2.71, which was the last version to release those artifacts. The official deprecation notice can be found here. Using any of the deprecated versions (before it was removed) should also produce a warning in (at least) Android Studio and IntelliJ.
Use kotlin-stdlib-jdk7 instead. It's the same dependency as kotlin-stdlib-jre7 (except newer), but it was re-named to kotlin-stdlib-jdk. kotlin-stdlib-jre is now no longer maintained as a separate dependency.
Both IntelliJ and Android Studio currently generate new projects using kotlin-stdlib-jre7; this likely is a bug. They have probably not updated the project generators. Therefore, you have to manually replace the dependencies with working ones until they fix this. This is dependent on the Kotlin plugin. Update it if you haven't. I haven't checked whether it's been patched or not - if it has, that only fixes the creation of new projects. For updating from older versions, the rest of the answer still applies
You naturally have to do this if you're on 1.2.71 or lower, and you're upgrading to 1.3.0 or higher.
These are the new valid dependencies as of Kotlin 1.3.0:
implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:$kotlin_version"
implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk8:$kotlin_version"
Where $kotlin_version is either a variable containing the version, or a hard-coded version (i.e. 1.3.0).
Alternatively, you can use the "plain" stdlib (kotlin-stdlib) instead of the JDK-specific versions. But you have to change your dependency either way, so I recommend you go with kotlin-stdlib-jdk7, or if you plan on using Java 8, kotlin-stdlib-jdk8
The newest versions of the dependencies can also be found here. jdk7, jdk8, and the version-unspecific stdlib all follow the same versions (as per this edit - this could change in the future, but there'll likely be notices before that change happens), so whether you check jdk8, jdk7 or the regular one, all the versions should be universally available across the stdlib artifacts.
Note for other build systems
The same actual solution applies to other build systems as well, but the code is different. As there are a lot of build systems, I'm not going to include all of them, but the point is changing the artifact from kotlin-stdlib-jre[num] to kotlin-stdlib-jdk[num] (without brackets of course). Or, as mentioned earlier, kotlin-stdlib.
Independently of the build system, this bases itself on access to Maven Central and similar repositories. If your build system doesn't support this, and/or breaks with Maven-style conventions and repositories, you'll have to find what works for your build system.
TL;DR:
Use org.jetbrains.kotlin:kotlin-stdlib-jdk7:$kotlin_version or org.jetbrains.kotlin:kotlin-stdlib-jdk8:$kotlin_version (depending on which version you originally used) instead.
Remove this line from the build.gradle:
implementation "org.jetbrains.kotlin:kotlin-stdlib-jre7:$kotlin_version"
Add this line in the build.gradle:
implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk8:$kotlin_version"
Update the version in the project-level build.gradle:
ext.kotlin_version = '1.3.0'

SonarQube with custom Roslyn-based rules

I have a SonarQube 5.3.1 in place with the C# Plugin 4.5.0 installed.
Basic included rules are detected as expected.
Now, I want to use the Roslyn SDK project (https://github.com/SonarSource-VisualStudio/sonarqube-roslyn-sdk) to add my tailor made analyzers into account.
I'm pretty sure they are okay because they are raised in both Visual Studio and when using msbuild in command line.
My problem now is to be able to upload those issues into Sonar, I must be missing something.
I obviously use the SonarQube Scanner for MSBuild v2.0, have installed my generated jar and have activated the rules (they appear in "Code Smell"), tried to build a project with which my rules should break (and they do, as I said earlier), but it does not seem to pick up my rules.
The doc (https://blogs.msdn.microsoft.com/visualstudioalm/2016/02/18/sonarqube-scanner-for-msbuild-v2-0-released-support-for-third-party-roslyn-analyzers/) says it should "produce an error report containing analysis errors and warnings for all of the analyzers" and then upload it to SonarQube, but I cannot find this report. At the very least, just a SonarLint output file with no related rule whatsoever.
I've also tried with the Wintellect Analyzer as the github page suggests (https://github.com/SonarSource-VisualStudio/sonarqube-roslyn-sdk) with no success.
My guess is there's something wrong somewhere in the configuration but I don't know where, any idea?
For each custom analyzer you want to use in SonarQube (example: Wintellect), you need to use the Roslyn SDK for SonarQube tool to create plug-ins that can be imported into SonarQube. Directions and info can be found here.

Cannot install Bluemix tool plugin on eclipse(Mars)

As mentioned in the Bluemix guide, I tried installing the Bluemix tool plugin on eclipse(Mars) with Java 7 installed on my Ubuntu machine.
1). Through the eclipse market place where Bluemix tool is present and the same fails with the following error when installation is nearly over:
Cannot complete the install because one or more required items could not be found.
Software currently installed: IBM Bluemix Tools 1.0.5.v20150801_1001
(com.ibm.cftools.feature.feature.group 1.0.5.v20150801_1001)
Missing requirement: Bluemix Tools 1.0.6.v20150801_1001
(com.ibm.cftools.branding 1.0.6.v20150801_1001)
requires 'bundle org.eclipse.jst.server.core 0.0.0' but it could not be found
Cannot satisfy dependency:
From: Cloud Tools Branding UI Plugin 1.0.2.v20150801_1001
(com.ibm.cftools.branding.ui 1.0.2.v20150801_1001)
To: package com.ibm.cftools.branding.internal 0.0.0
Cannot satisfy dependency:
From: IBM Bluemix Tools 1.0.5.v20150801_1001
(com.ibm.cftools.feature.feature.group 1.0.5.v20150801_1001)
To: com.ibm.cftools.branding.ui [1.0.2.v20150801_1001]
I checked this exception and found a description about it in the eclipse web page. However, the remedy is missing for this particular problem.
2). Besides I tried to install the same via WASdev, but I ended up with the following error:
No repository found at http://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/wasdev/updates/cloud/V1.0
However, the same page is accessible from any web browser. Also, I have checked my proxies and they are fine.
Please let me know if there is any solution or what I am doing wrong here. Thanks.
Are you using the Eclipse for Java EE Developers edition? That edition is required to satisfy some bundle requirements.
A few pointers:
An Eclipse update site needs to have a site.xml - check if the location actually has one.
Your install error points to a missing jst component. That's Eclipse "core" stuff. So it seems your access to the original Eclipse update site needs to be checked
Check your Eclipse install, do you have rights to all the files?
Hope this helps
As mentioned, the error message you are receiving (not able to resolve "org.eclipse.jst.server.core") is due to the installation process not being able to locate this package. This package is provided by the same Eclipse marketplace entry or DHE update site from which you are installing (and so you should not see this error when installing from our marketplace or update site). I have confirmed that the provided update site URL is correct and installation works as expected on my own Ubuntu installation.
A few other suggestions, or for users that see the same problem:
This may be a hiccup with DHE or with your connection to the update site. I would suggest trying the installation again.
Try a fresh install of Eclipse to ensure that no other dependencies are interfering with your installation. The Java EE package 'Eclipse IDE for Java EE Developers' available for download from Eclipse.org will include the required package that is mentioned in your error message (though as previously mentioned, this should not be necessary as this package is bundled with our update site/marketplace entry).
Ensure you are NOT using the default version of Eclipse available from the Eclipse Software Center, which is often several versions behind.
If this doesn't help, feel free to provide more information about your current installation (version details, method of installation, any other details) to help us reproduce.

Fail build on static code analysis warnings with msbuild and bamboo

Using bamboo v5.7 with msbuild v12, how do I fail a build if there are any static code analysis warnings? We do have our projects all set to treat all warnings as errors so the project itself doesn't build, but bamboo is not detecting this and continues on.
This seems basic, what might I be doing wrong?
The simple answer is you are doing nothing wrong, nor are you missing anything.
While it seems like basic functionality, Bamboo's MSBuild task currently doesn't support reading, reporting or failing the build on Warnings or Errors. The task only fails because MSBuild (or XBuild if you are using Mono) returns with an error code when a compiler error occurs.
Also, MSBuild doesn't actually support failing on all warnings either, as you can see here.
You have a couple options.
You can use one of the options in the referenced post
You could roll your own MSBuild log parser plugin using Atlassian's Plugin SDK.
You could make a simple script that is executed after the build, reads the logs and returns a non-zero integer if there were compiler warnings.
You can vote for the issue in the Atlassian Jira and also for the related issue for parsing build details.
Whatever your solution, I hope you share it with the many of us that have run into the same problem. It seems to be something quite common, so I was surprised there wasn't an issue already open for this in Atlassian's Jira instance
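The post-build script option from the answer above, as an added example (not code from the original posts or from Atlassian): it scans a captured MSBuild log for lines of the form origin(line,col): warning CODE: text [project] and returns a non-zero exit code so the CI task fails. The log-path argument, the accepted baseline set and the sample log are assumptions made for illustration.

```python
import re
import sys
from collections import namedtuple

# MSBuild diagnostic line: origin(line,col): warning CODE: text [project]
WARNING_RE = re.compile(
    r"^\s*(?:\d+>)?"                     # node prefix in parallel builds, e.g. "2>"
    r"(?P<origin>.+?)"                   # source file or tool name
    r"(?:\((?P<line>\d+)(?:,\d+)*\))?"   # optional (line) or (line,col)
    r"\s*:\s*warning\s+(?P<code>[A-Za-z]+\d+)\s*:\s*"
    r"(?P<text>.*?)"
    r"(?:\s+\[(?P<project>[^\]]+)\])?\s*$"
)
BuildWarning = namedtuple("BuildWarning", "origin line code text project")

def find_warnings(log_text):
    """Return unique warnings; the console summary repeats ones already printed."""
    seen, found = set(), []
    for raw in log_text.splitlines():
        m = WARNING_RE.match(raw)
        if not m:
            continue
        w = BuildWarning(m["origin"].strip(), int(m["line"]) if m["line"] else None,
                         m["code"].upper(), m["text"], m["project"])
        if w not in seen:
            seen.add(w)
            found.append(w)
    return found

def exit_code(log_text, accepted=frozenset()):
    """Return 0 if every warning code is in the accepted baseline, otherwise 1."""
    return 1 if any(w.code not in accepted for w in find_warnings(log_text)) else 0

# Constructed sample log for illustration; XX0001 is a placeholder code.
SAMPLE_LOG = r"""
  Program.cs(12,17): warning CS0168: The variable 'ex' is declared but never used [C:\build\App\App.csproj]
  2>C:\build\App\Data\Repo.cs(40): warning CA2100: Review SQL queries for security vulnerabilities [C:\build\App\App.csproj]
MSBUILD : warning XX0001: placeholder tool-level warning with no source file
  Program.cs(12,17): warning CS0168: The variable 'ex' is declared but never used [C:\build\App\App.csproj]
    3 Warning(s)
"""

if __name__ == "__main__":  # usage: python gate.py [path-to-msbuild-log]
    text = open(sys.argv[1], encoding="utf-8-sig", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for w in find_warnings(text):
        print(f"{w.code} {w.origin}({w.line}): {w.text}")
    sys.exit(exit_code(text))
```

Run it as a script task after the MSBuild task, pointing it at the log file the build wrote; passing a non-empty accepted set lets a team gate on new warning codes while an existing backlog is cleared.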
For VS 2008 and later, a new project setting was added for this. See this link.

How do I hide GCDAsyncSocket warnings for 10.9 deprecations

10.9 deprecated a bunch of SSL stuff, how do I hide the warnings or fix the issues?
You can turn deprecation warnings on and off in your target's build settings. To do so, click on your project in the Project Navigator, select the target you're working on and show the Build Settings for that target. You can use the search box to search for "deprecate", and you should find an LLVM warning for "Deprecated Functions" and set it to "No".
Be aware that if you do this, you can compile without (deprecation) warnings, but you're setting yourself up to have broken code in the future. At some point you really should rewrite that code using the new proper method as #CodaFi mentions above.