I maintain a fork of epp.packages which is intended to enable me to build Eclipse for C/C++ Developers using a target to override some dependency versions.
This allows me to mitigate some CVEs that show up in between SimRels or are missed in a SimRel.
Then I can, for example, build an updated version of Eclipse for C/C++ Developers 2020-12 with CVE-XYZ mitigated by updating a vulnerable dependency.
To do this, I do something like
- build a non-vulnerable version that is not yet available in Orbit and publish it in a P2
- add it to my target definition
- add a version restriction filter to target-platform-definition (https://wiki.eclipse.org/Tycho/Target_Platform#Filtering)
- make plans to upstream to Orbit for the next SimRel
I run into a problem many times where one of the Eclipse dependencies wants an exact version of a third-party dependency which has a CVE.
[ERROR] Cannot resolve project dependencies:
[ERROR] Software being installed: org.eclipse.epp.package.cpp.feature.feature.group 4.18.0.qualifier
[ERROR] Missing requirement: org.eclipse.ecf.filetransfer.httpclient45.feature.feature.group 1.0.702.v20201025-2303 requires 'org.eclipse.equinox.p2.iu; org.apache.httpcomponents.httpclient [4.5.10.v20200830-2311,4.5.10.v20200830-2311]' but it could not be found
In this case, I usually either temporarily remove the feature or follow our internal procedure for temporarily living with the CVE.
I’ve thought about building my own org.apache.httpcomponents.httpclient_4.5.10.v20200830-2311 which actually contains a newer version of httpclient, but I’m not sure how to do it and it is probably not a good idea
😊
However, today I wondered: is it somehow possible to override the dependency requirements?
That is, org.eclipse.epp.package.cpp.feature.feature.group_4.18.0 wants to have org.apache.httpcomponents.httpclient_4.5.10.v20200830-2311.
Is there some way for me to tell Tycho to let it use org.apache.httpcomponents.httpclient_4.5.14 instead (assuming that I have made org.apache.httpcomponents.httpclient_4.5.14 available)?
I looked at the Tycho docs and don’t see anything there, so I thought I would come here and ask.
Thanks for reading!
Tony Homer
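For readers unfamiliar with the filtering step in the list above, here is what that target-platform restriction looks like in a Tycho pom.xml. This is an added illustration, not configuration from Tony's fork; the bundle id and the 4.5.14 version are taken from the post, and `${tycho-version}` is assumed to be defined in the build.

```xml
<!-- Added example: restrict the target platform so that only the patched
     httpclient bundle (assumed to be published in the fork's own p2 repo,
     see the list in the post) is visible to the resolver. -->
<plugin>
  <groupId>org.eclipse.tycho</groupId>
  <artifactId>target-platform-configuration</artifactId>
  <version>${tycho-version}</version>
  <configuration>
    <filters>
      <filter>
        <!-- The unit being filtered: the bundle carrying the CVE. -->
        <type>eclipse-plugin</type>
        <id>org.apache.httpcomponents.httpclient</id>
        <restrictTo>
          <!-- Keep only the patched line; drop 4.5.10 and anything older
               even if Orbit or the SimRel repo still offers it. -->
          <versionRange>[4.5.14,4.6)</versionRange>
        </restrictTo>
      </filter>
    </filters>
  </configuration>
</plugin>
```

Note that this only narrows what the resolver can see: a consumer that declares an exact range such as `[4.5.10.v20200830-2311,4.5.10.v20200830-2311]`, as in the error above, will then fail to resolve rather than silently accept the newer bundle, which is the situation the question describes.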