|Re: [tycho-user] is it possible to override version requirements?|
That way it is just a matter of deleting the old bundle and installing the new one with the fix, and you're done without any rebuild required. That's how OSGi is supposed to work.

For a temporary fix (@Mickael please don't read any further here ;-)): prepare a patched bundle and use the *same version* in the manifest (just with a different qualifier, e.g. org.apache.httpcomponents.httpclient4.5.10.patched-4_5_12), and proceed as described above.

That way you don't even need to rebuild the whole package, and as long as there is no binary incompatibility you're all set.
On 30.01.21 at 23:27, Homer, Tony wrote:
I maintain a fork of epp.packages which is intended to enable me to build Eclipse for C/C++ Developers using a target to override some dependency versions. This allows me to mitigate some CVEs that show up in between SimRels or are missed in a SimRel. Then I can, for example, build an updated version of Eclipse for C/C++ Developers 2020-12 with CVE-XYZ mitigated by updating a vulnerable dependency.

To do this, I do something like
1. build a non-vulnerable version that is not yet available in Orbit and publish it in a P2
2. add it to my target definition
3. add a version restriction filter to target-platform-definition (https://wiki.eclipse.org/Tycho/Target_Platform#Filtering)
4. make plans to upstream to Orbit for the next SimRel

I run into a problem many times where one of the Eclipse dependencies wants an exact version of a third-party dependency which has a CVE.

[ERROR] Cannot resolve project dependencies:
[ERROR] Software being installed: org.eclipse.epp.package.cpp.feature.feature.group 4.18.0.qualifier
[ERROR] Missing requirement: org.eclipse.ecf.filetransfer.httpclient45.feature.feature.group 1.0.702.v20201025-2303 requires 'org.eclipse.equinox.p2.iu; org.apache.httpcomponents.httpclient [4.5.10.v20200830-2311,4.5.10.v20200830-2311]' but it could not be found

In this case, I usually either temporarily remove the feature or follow our internal procedure for temporarily living with the CVE.

I've thought about building my own org.apache.httpcomponents.httpclient_4.5.10.v20200830-2311 which actually contains a newer version of httpclient, but I'm not sure how to do it and it is probably not a good idea 😊

However, today I wondered, is it somehow possible to override the dependency requirements? That is, org.eclipse.epp.package.cpp.feature.feature.group_4.18.0 wants to have org.apache.httpcomponents.httpclient_4.5.10.v20200830-2311. Is there some way for me to tell Tycho to let it use org.apache.httpcomponents.httpclient_4.5.14 instead (assuming that I have made org.apache.httpcomponents.httpclient_4.5.14 available)? I looked at the Tycho docs and don't see anything there, so I thought I would come here and ask.

Thanks for reading!
Tony Homer
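The version restriction filter from step 3 of the procedure above, as an added example that is not part of either message or of Tycho's own documentation. It pins org.apache.httpcomponents.httpclient in the target platform to the patched 4.5.14 line so that the vulnerable 4.5.10 bundle can no longer be pulled in; `${tycho-version}` is an assumed property name. Note that a feature with an exact-version requirement like the one in the error above will still fail to resolve against this filter, which is the intended effect: the build stops instead of silently shipping the vulnerable bundle.

```xml
<!-- Added example: Tycho target-platform filter pinning httpclient to the patched version. -->
<plugin>
  <groupId>org.eclipse.tycho</groupId>
  <artifactId>target-platform-configuration</artifactId>
  <version>${tycho-version}</version> <!-- assumed property, set elsewhere in the pom -->
  <configuration>
    <filters>
      <!-- Keep only httpclient bundles in [4.5.14, 4.6); the 4.5.10 bundle with the
           CVE is removed from the target platform and cannot be resolved any more. -->
      <filter>
        <type>eclipse-plugin</type>
        <id>org.apache.httpcomponents.httpclient</id>
        <restrictTo>
          <versionRange>[4.5.14,4.6)</versionRange>
        </restrictTo>
      </filter>
    </filters>
  </configuration>
</plugin>
```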