Merge remote-tracking branch 'origin/pr/1287'

5 years ago · ee5cbfdad0
parent eda6406865 ef22d6d8ed
commit ee5cbfdad0
6 changed files with 5 additions and 67 deletions
--- a/airsonic-main/cve-suppressed.xml
+++ b/airsonic-main/cve-suppressed.xml
@ -47,13 +47,6 @@
        <cpe regex="true">.*</cpe>
    </suppress>

-    <!-- Jetty is currently only used for developer experimentation -->
-    <suppress>
-        <notes>Jetty is currently only used for developer experimentations</notes>
-        <gav regex="true">^org\.eclipse\.jetty:.*$</gav>
-        <cpe>cpe:/a:org.eclipse.jetty:</cpe>
-    </suppress>
-
    <!-- No git functionality is used from the following dependencies -->
    <suppress>
        <notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
@ -111,12 +104,6 @@
        <cve>CVE-2016-5425</cve>
    </suppress>

-    <!-- Jetty is currently disabled and not added to the built war -->
-    <suppress>
-        <notes><![CDATA[file name: jetty-schemas-3.1.jar]]></notes>
-        <gav regex="true">^org\.eclipse\.jetty\..*$</gav>
-        <cpe>cpe:/a:mortbay_jetty:jetty</cpe>
-    </suppress>
    <!--Vulnerabilty lies in Database Clusterscripts-->
    <suppress>
        <notes><![CDATA[file name: postgresql-42.1.4.jar]]></notes>
@ -184,17 +171,17 @@
        <cvssBelow>9.0</cvssBelow>
    </suppress>
    <suppress>
-        <notes>False positive for tomcat vuln in eclipse jetty/jasper compat lib</notes>
+        <notes>False positive for tomcat vuln in eclipse jasper compat lib</notes>
        <gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
        <cve>CVE-2016-5425</cve>
    </suppress>
    <suppress>
-        <notes>False positive for tomcat vuln in eclipse jetty/jasper compat lib</notes>
+        <notes>False positive for tomcat vuln in eclipse jasper compat lib</notes>
        <gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
        <cve>CVE-2017-6056</cve>
    </suppress>
    <suppress>
-        <notes>False positive for tomcat vuln in eclipse jetty/jasper compat lib</notes>
+        <notes>False positive for tomcat vuln in eclipse jasper compat lib</notes>
        <gav regex="true">^org\.mortbay\.jasper:apache-jsp:.*$</gav>
        <cve>CVE-2019-10072</cve>
    </suppress>
--- a/airsonic-main/pom.xml
+++ b/airsonic-main/pom.xml
@ -512,24 +512,6 @@
            <artifactId>tomcat-embed-jasper</artifactId>
            <scope>${tomcat.server.scope}</scope>
        </dependency>
-        <!-- Embedded Jetty -->
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-jetty</artifactId>
-            <scope>provided</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.eclipse.jetty</groupId>
-            <artifactId>apache-jsp</artifactId>
-            <scope>provided</scope>
-        </dependency>
-
-        <!-- Provided by the servlet container, but found by dependency:analyze even if used via reflection -->
-        <dependency>
-          <groupId>org.eclipse.jetty</groupId>
-          <artifactId>jetty-io</artifactId>
-          <scope>provided</scope>
-        </dependency>

        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
@ -620,8 +602,6 @@
                <configuration>
                    <mainClass>org.airsonic.player.Application</mainClass>
                    <layout>WAR</layout>
-                    <excludeGroupIds>${boot.group.excludes}</excludeGroupIds>
-                    <excludeArtifactIds>${boot.artifact.excludes}</excludeArtifactIds>
                </configuration>
                <executions>
                    <execution>
@ -715,17 +695,6 @@
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
-            <properties>
-                <boot.group.excludes>org.eclipse.jetty,org.eclipse.jetty.websocket,org.mortbay.jasper,org.eclipse.jetty.toolchain,org.ow2.asm</boot.group.excludes>
-                <boot.artifact.excludes>spring-boot-starter-jetty</boot.artifact.excludes>
-            </properties>
-        </profile>
-        <profile>
-            <id>jetty-embed</id>
-            <properties>
-                <boot.group.excludes>org.apache.tomcat.embed</boot.group.excludes>
-                <boot.artifact.excludes>spring-boot-starter-tomcat</boot.artifact.excludes>
-            </properties>
        </profile>
        <profile>
            <id>ide-tomcat-embed</id>
--- a/airsonic-main/src/main/java/org/airsonic/player/Application.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/Application.java
@ -214,14 +214,6 @@ public class Application extends SpringBootServletInitializer implements Embedde
            LOG.warn("An error happened while trying to optimize tomcat", e);
        }

-        try {
-            Class<?> jettyESCF = Class.forName("org.springframework.boot.context.embedded.jetty.JettyEmbeddedServletContainerFactory");
-            if (jettyESCF.isInstance(container)) {
-                LOG.warn("Detected Jetty web server. Here there be dragons.");
-            }
-        } catch (NoClassDefFoundError | ClassNotFoundException e) {
-            LOG.debug("No jetty classes found");
-        }
    }

    public static void main(String[] args) {
--- a/airsonic-main/src/main/java/org/airsonic/player/controller/StreamController.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/controller/StreamController.java
@ -258,9 +258,7 @@ public class StreamController {
            // This happens often and outside of the control of the server, so
            // we catch Tomcat/Jetty "connection aborted by client" exceptions
            // and display a short error message.
-            boolean shouldCatch = false;
-            shouldCatch |= Util.isInstanceOfClassName(e, "org.apache.catalina.connector.ClientAbortException");
-            shouldCatch |= Util.isInstanceOfClassName(e, "org.eclipse.jetty.io.EofException");
+            boolean shouldCatch = Util.isInstanceOfClassName(e, "org.apache.catalina.connector.ClientAbortException");
            if (shouldCatch) {
                LOG.info("{}: Client unexpectedly closed connection while loading {} ({})",
                        request.getRemoteAddr(),
--- a/airsonic-main/src/main/java/org/airsonic/player/spring/LoggingExceptionResolver.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/spring/LoggingExceptionResolver.java
@ -21,9 +21,7 @@ public class LoggingExceptionResolver implements HandlerExceptionResolver, Order
        // This happens often and outside of the control of the server, so
        // we catch Tomcat/Jetty "connection aborted by client" exceptions
        // and display a short error message.
-        boolean shouldCatch = false;
-        shouldCatch |= Util.isInstanceOfClassName(e, "org.apache.catalina.connector.ClientAbortException");
-        shouldCatch |= Util.isInstanceOfClassName(e, "org.eclipse.jetty.io.EofException");
+        boolean shouldCatch = Util.isInstanceOfClassName(e, "org.apache.catalina.connector.ClientAbortException");
        if (shouldCatch) {
            LOG.info("{}: Client unexpectedly closed connection while loading {} ({})", request.getRemoteAddr(), Util.getAnonymizedURLForRequest(request), e.getCause().toString());
            return null;
--- a/pom.xml
+++ b/pom.xml
@ -129,12 +129,6 @@
                <artifactId>guava</artifactId>
                <version>27.1-jre</version>
            </dependency>
-            <dependency>
-                <groupId>org.eclipse.jdt</groupId>
-                <artifactId>ecj</artifactId>
-                <version>3.14.0</version>
-                <scope>provided</scope>
-            </dependency>
            <dependency>
                <groupId>org.apache.ant</groupId>
                <artifactId>ant</artifactId>