#26563 Checking dependencies for security vulnerabilities

Enhancement

Major

#26542

yFiles: onDoubleClick and context menu on node

#26563

Checking dependencies for security vulnerabilities

#26620

Drag and drop with multiple selection

#26696

Increase minimum Java version to 11

#26715

Uniform multi-selection display for grid and tables

#26719

WrapperGenerator: Maven plugin for wrapper generation

#26726

Code" data type

#26732

Layout editor: alternative views for different model types

#26739

WrapperGenerator: Typed factory methods and addXxx(), removeXxx()

#26746

Model: Password attributes

#26761

TL-Script: contextPath() function

#26772

List-valued attributes with primitive type

#26775

Automatic translation from I18NConstants

#26811

Kafka & TL-Sync swap log messages to own file

#26816

Add Kafka and TL-Sync status to monitor page

Detail

#24564

Creating ScriptRecorder templates not in the deploy folder

#26215

TL-Doc: Plugin for templates

#26703

Update MSSQL JDBC driver to version 10.2.0.jre11

#26707

API consistency checking tool

#26708

Check for missing translations of the I18NConstants in the nightly build.

#26712

Maven configuration for calling normalize layouts

#26722

TL-Maven plugin: Goal `translate` with encrypted server passphrase for DeepL

#26723

Redefine table column for primitive model attribute (simple)

#26728

CodeEditorControl should not write ACE editor for invisible fields

#26734

Schema editor: column selection when defining key attributes

#26747

JavaDoc: Warning for CameCase content inside <p>-tags in

#26752

Removing the tl-help module

#26764

Model editor: improve the design of the context menu

#26765

Model Editor: Extend context menu with GoTo Definition

#26766

Model Upgrade: Make-Abstract and Make-Concrete

#26799

Better loading cursor support for multiple long-running GUI actions

#26814

Faster resolving of files in FileManager (without Files.exists(...))

#26815

KBDataProducerTask should react on stop request of the scheduler

#26822

Migration: DB schema update after migration

#26838

Reduce selection for SingleSelectionModel if necessary

#26841

Migration: moving instances to another table

Nice to have

#26706

Better logging when building the App-WAR

#26737

Eclipse Maven settings: current TL version as minimum version for plugin exclude

#26738

Archetype: Avoid fully qualified module names

Bugfix

Critical

#26850

Enums of a module disappear when creating and deleting enums in this module

Major

#25761

Race Condition in TL-Sync in case of model changes, e.g. new TLClassifier

#26612

Invalid session revision for multiple threads

#26716

WrapperGenerator: derivation of StructuredElement not for all classes of a module

#26790

Error loading objects with long texts with H2

#26791

Knowlege Base: Error when updating validity periods when reloading object data

#26802

Migration scripts are not executed

#26808

Replay migration with H2 fails with long CLOB and BLOB values

#26809

Replay migration fails due to access to read-only columns

Detail

#25343

Missing filename check with multi-upload

#25834

Error with system without "maintenance pages

#25859

JavaScript error when expanding nodes in TreeTables

#26379

Replay migration fails because DependencyInjection does not take place

#26438

Checkbox to select all entries cannot be clicked

#26465

Module names with parts from digits allowed but not working

#26555

Bookmarks from TL-Doc always use the internal address

#26557

TL-Doc: Highlighting of code blocks leads to RegEx errors

#26577

Import of documentation does not work on Maven workspaces

#26602

No admin button in Modern theme

#26619

Inlining a file in LayoutModelProcessor broken

#26624

Incremental updates in TreeGrid do not always work

#26635

Remove dependency on apache-mime4j-0.3.jar

#26637

Raise dependency pac4j to version 5.3.1

#26638

Raise dependency H2 to version 2.1.210

#26639

Remove Ext Module for Jetty

#26640

Remove dependency openxml4j

#26641

Update Jetty to 9.4.45.v20220203

#26645

TestComponentConfiguration should not test templates

#26646

Udate POI to version 5.2.2

#26647

Update jsoup to version 1.14.3 and guice to version 5.1.0

#26649

Update commons-io to version 2.11.0

#26660

Remove TL Remote

#26680

Multiselection support in Tree, Table and TreeTable

#26694

replace itext 2.1.7 with openpdf 1.3.27

#26698

Raise MySQL Connector to version 8.0.27

#26699

Collapsing the selection changes the selection in TreeGrids

#26704

Dependency Analysis Tool: No Duplicate Classes in ClassPath

#26710

ModelBuilder for Services view inserts user sessions into the table

#26711

ACE Editor and requirejs define the global variable require

#26717

JavaDoc writes outside the module by default

#26720

CodeEditorControl is to report client-side errors of the ACE editor

#26724

Meta-model: access to the index of a classifier

#26725

Schema editor: error when saving

#26727

Missing adjustment of (default) selection after tree update

#26731

Model Editor: Delete in detail view removes wrong diagram element

#26735

Form editor: crash if attribute no longer exists

#26736

Double configuration of the description of a TLType

#26744

Post-create action in trees does not work with in-app commands

#26748

Insufficient quoting when writing JavaScript

#26757

Inconsistent API of StructuredElement

#26758

Model editor loses selection during relayout

#26760

Project Demo: Use H2 database config as local default.

#26763

TL-Doc: Copying old help documentation does not work

#26767

Model export writes resource files to wrong module

#26768

Parents are not always expanded after selection change

#26770

Model Editor: Error during further editing after deleting element

#26771

NPE when filtering all threads in the thread monitor

#26773

TL script: Self-expression in concat() is not taken into account

#26774

TL script: Error message when sublist() is called with too large index

#26783

WYSIWYG CSS uses variable defined in com.top_logic.icons

#26786

Launch-Configs still reference Java-8 VM

#26795

Data migration for ticket #25881 and #26398

#26800

Scripting: Record StructuredElement with arbitrary singleton root

#26803

KnowledgeBaseRuntimeException when accessing deleted reference

#26804

No consistent deletion of model elements during model upgrade

#26806

Script recorder: record branch and revision only if necessary

#26812

Subtree update of an invisible root node faulty

#26827

No error message when accessing foreign key references if foreign key cannot be resolved

#26842

Scripting recorder: Playback of multi-selection faulty

#26845

NPE in the translation service if no network connection is available at startup.

#26848

Document management does not work in non-versioning system

#26849

Maps of ConfiguredInstances should keep order

#26854

Tab delete of a legacy tabbar is not recorded

#26855

Missing dependency DynamicComponentService -> SafeHTML

Nice to have

#26792

Scripting: Assertions try to access invisible columns

Enhancement

Major

#26563

Checking dependencies for security vulnerabilities

Build Maven SecurityIssue

Top-Logic uses several third-party libraries. It is far too time-consuming to check manually whether these have security vulnerabilities. Therefore, this is to be automated. The libraries found in the process must then be updated.

Implementation

There is a Maven plugin that checks for all dependencies whether there are known security vulnerabilities in the versions used. The check is done recursively. The list of known vulnerabilities is updated automatically. The plugin itself does not have to be updated every time. The Maven plugin is offered by the "Open Web Application Security Project". It is available under the Apache 2 license. Links:

Usage

Add the following to tl-parent-all/pom.xml (under <project><build><plugins>):

{{#!xml <plugin> <groupId>org.owasp</groupId> <artifactId>dependency-check-maven</artifactId> <version>6.5.3</version> <configuration> <format>ALL</format> </configuration> </plugin> }}}

Run for all modules: mvn dependency-check:check.
- Write the reports to target/dependency-check-[...].
Update the reported libraries.
Ensure that the check is automatically run periodically and the build fails on finds: Jenkins target CheckDependencies.

Suppression file

A suppression file is used to enter vulnerabilities that should not currently (by a certain date) be reported again. Only suppressions with an expiration date should be stored there.

This supports the following workflow: A new vulnerability is detected. The build fails with a report. A ticket for the update of this library is created and a suppression for this vulnerability with an expiration date is entered into the suppression file. The build is then green again. If the ticket is not processed by the entered expiration date, the check fails again and reminds of the still open security issue .The suppression file is maintained in Trac: DependencyCheckSuppressions

Details

When using <format>ALL</format> the following reports are generated:

dependency-check-junit.xml
dependency-check-report.csv
dependency-check-report.html
dependency-check-report.json
dependency-check-report.sarif
dependency-check-report.xml

The dependency-check-junit.xml file is used to cause a test to fail when a vulnerability is detected, marking the build as unstable.

The file dependency-check-report.html contains a detailed report, which can also be used to generate a suppression for the suppression file.

Test

Run mvn dependency-check:check in all applications.
No vulnerabilities should be reported.
Check that:
- the Jenkins runs this check automatically on a regular basis (Target CheckDependencies).
- the corresponding build fails in case of security vulnerabilities
- we are informed about it.