Re: [aspectj-users] AspectJ versioning question
Here is the CVE I was talking about, just found it again. It was in 1.9.19:
https://github.com/eclipse-aspectj/aspectj/issues/192
--
Alexander Kriegisch
https://scrum-master.de
Alexander Kriegisch via aspectj-users wrote on 01.05.2024 at 10:46:
> Yes, 1.8.14 was unusual. That was before UI was an AspectJ
> committer, though.
>
> Concerning the hypothetical CVE report, let us walk through that door
> if and when we stand in front of it. It always depends on the
> circumstances, but actually I see no reason why Java 8 users should
> not use e.g. 1.9.22. Installing an extra JDK on the build machine
> and pointing to that during compile-time weaving is not rocket
> science and in no way impedes you in using the compile results on
> Java 8. Besides, many bugs and even one CVE I personally remember
> were fixed in more recent versions, i.e. it might be beneficial even
> for legacy projects to recompile and use more recent AspectJ
> dependencies.
>
> It should be super easy to upgrade. Have you tried?
>
>
> Mclachlan, Alan via aspectj-users wrote on 30.04.2024 at 15:02:
>
>> 1.8.14 must have been unusual then, because I did see it released
>> after the 1.9.xx branch was in progress.
>>
>> For a team on 1.8.x facing a hypothetical CVE report, how hard is
>> the upgrade to 1.9.22 likely to be? Sounds like a Java build time
>> version upgrade may be needed.
>>
>>
>> From: Alexander Kriegisch
>>
>>> Thanks for your inquiry.
>>>
>>> AspectJ generally does not release updates for older versions.
>>> Usually, more recent versions are backward compatible. E.g., you
>>> can use the current 1.9.22 to compile with 1.8 source/target or
>>> use LTW on Java 8. Only in your build environment when using AJC
>>> directly or aspectjtools.jar via Maven or Gradle plugin, you
>>> would need Java 17, because the upstream Eclipse compiler
>>> requires it.
>>>
>>>
>>> Mclachlan, Alan via aspectj-users wrote on 30.04.2024 at
>>> 13:13:
>>>
>>>> I read up on the supported Java versions situation on the
>>>> github issue tracker. I have some related questions around the
>>>> v1.8.x line:
>>>>
>>>> 1. Is the project still releasing fixes on the 1.8.x line, at
>>>> least while Java 8 is still in support? I ask because I think
>>>> the last one was 1.8.14 in 2019. Say a CVE shows up, would you
>>>> be likely to release a 1.8.15 with a fix?
>>>>
>>>> 2. Are the 1.8.x minor releases compatible, in the
>>>> semantic-versioning sense of the word? i.e would a hypothetical
>>>> 1.8.15 be a drop-in replacement? I ask because this project
>>>> doesn't explicitly follow semantic versioning, although I
>>>> suspect it may have back in the 1.8 days?
>>>>
>>>> Apologies if these are answered elsewhere, if so I didn't
>>>> manage to find them on the website.
>>>>
>>>> The context of my ask is OWASP A06 analysis of our SBOM, not to
>>>> motivate for any project action.
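Since the context of the original question is an OWASP A06 (vulnerable and outdated components) review of an SBOM, here is an added example, not code from this thread or from the AspectJ project, that scans a CycloneDX-style SBOM for org.aspectj artifacts still on the 1.8.x line. The "1.9 or newer" threshold is taken from the thread's statement that AspectJ does not release updates for older versions and that 1.8.14 (2019) was the last 1.8.x release; the sample SBOM is constructed, and the field names used (group, name, version, purl) and the helper names are assumptions of this example, not part of any AspectJ tooling.

```python
# Added example: flag org.aspectj components on the unmaintained 1.8.x line
# in a CycloneDX-style SBOM. Not code from the aspectj-users thread or the
# AspectJ project; the threshold below is an assumption taken from the thread.
import json
from typing import Dict, List, Tuple

# Constructed sample SBOM (CycloneDX JSON shape, trimmed to the fields used).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"group": "org.aspectj", "name": "aspectjweaver", "version": "1.8.14",
         "purl": "pkg:maven/org.aspectj/aspectjweaver@1.8.14"},
        {"group": "org.aspectj", "name": "aspectjrt", "version": "1.9.22",
         "purl": "pkg:maven/org.aspectj/aspectjrt@1.9.22"},
        {"group": "org.springframework", "name": "spring-aop", "version": "5.3.31",
         "purl": "pkg:maven/org.springframework/spring-aop@5.3.31"},
    ],
})

# Assumption (from the thread, not an official support document): only the
# current 1.9.x line receives fixes, so anything below 1.9.0 is flagged.
MAINTAINED_LINE: Tuple[int, int] = (1, 9)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.9.22.1' into (1, 9, 22, 1).

    Each dot-separated piece contributes its leading digits; parsing stops at
    the first piece without leading digits, so '1.9.RC1' becomes (1, 9).
    """
    parts: List[int] = []
    for piece in version.split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        if not num:
            break
        parts.append(int(num))
    return tuple(parts)


def is_unmaintained_line(version: str) -> bool:
    """True if the major.minor line is older than the maintained 1.9.x line.

    An unparsable version string is flagged too, so it gets looked at manually
    rather than silently passing the check.
    """
    parsed = parse_version(version)
    if len(parsed) < 2:
        return True
    return parsed[:2] < MAINTAINED_LINE


def find_stale_aspectj(sbom_json: str) -> List[Dict[str, str]]:
    """Return one finding per org.aspectj component on a line older than 1.9."""
    sbom = json.loads(sbom_json)
    findings: List[Dict[str, str]] = []
    for comp in sbom.get("components", []):
        if comp.get("group") != "org.aspectj":
            continue
        version = str(comp.get("version", ""))
        if not is_unmaintained_line(version):
            continue
        findings.append({
            "purl": comp.get("purl", f"{comp['group']}:{comp.get('name', '?')}:{version}"),
            "version": version,
            # Wording summarises the thread: no 1.8.x fixes since 1.8.14 (2019);
            # newer releases can still target 1.8 source/target and run LTW on
            # Java 8, but ajc/aspectjtools in the build itself needs Java 17.
            "reason": "org.aspectj 1.8.x line: last release 1.8.14 (2019), no further "
                      "fixes expected; rebuild with a current 1.9.x release "
                      "(build JDK 17, runtime may stay Java 8)",
        })
    return findings


if __name__ == "__main__":
    for finding in find_stale_aspectj(SAMPLE_SBOM):
        print(f"{finding['purl']}: {finding['reason']}")
```

Running the block against the constructed SBOM reports only aspectjweaver 1.8.14; aspectjrt 1.9.22 passes. Point find_stale_aspectj at a real CycloneDX JSON export to get the same check over an actual dependency list.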