kotlin-analysis-intellij-1.6.21.jar is bundled with log4j 1.2 #2488

Closed
Gamadril opened this issue May 5, 2022 · 1 comment · Fixed by #2508

Gamadril commented May 5, 2022

Describe the bug
Seems that kotlin-analysis-intellij-1.6.21.jar is bundled with log4j version 1.2.17.2. NexusIQ is blocking it because of CVE-2022-23305. META-INF/maven/log4j/log4j/pom.xml confirms it.

Expected behaviour
Upgrade to log4j version without security issues.

To Reproduce
Check the dependency tree

Installation

  • Operating system: macOS
  • Build tool: Gradle v7.2
  • Dokka version: 1.6.21
@Gamadril Gamadril added the bug label May 5, 2022
@vmishenev vmishenev linked a pull request May 25, 2022 that will close this issue
@IgnatBeresnev
Member

Hi! Thanks for the report. It came from a transitive dependency, so we didn't even know

Should be fixed in 1.7.0
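
The check the report describes, reading the `META-INF/maven/...` metadata that a bundled library leaves inside a jar, can be automated. This is an added example, not code from Dokka or from either commenter; the function names and the in-memory sample jar are constructed for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Maven's archiver writes these files; shading a library usually carries them along.
MAVEN_META = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/(pom\.properties|pom\.xml)$")
MAX_META_BYTES = 1 << 20  # metadata is small; skip oversized entries in untrusted jars

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def version_from_properties(data):
    for line in data.decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip() or None
    return None

def version_from_pom(data):
    # A POM inside a third-party jar is untrusted input: refuse DTDs and entities.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return None
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return None
    own = [c.text for c in root if _local(c.tag) == "version"]
    # The version may be inherited from <parent> when the project omits it.
    inherited = [c.text for p in root if _local(p.tag) == "parent"
                 for c in p if _local(c.tag) == "version"]
    texts = [t.strip() for t in own + inherited if t and t.strip()]
    return texts[0] if texts else None

def bundled_artifacts(jar):
    """Map (groupId, artifactId) -> version for Maven metadata embedded in a jar."""
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            m = MAVEN_META.match(info.filename)
            if not m or info.file_size > MAX_META_BYTES:
                continue
            group, artifact, kind = m.groups()
            is_props = kind == "pom.properties"
            version = (version_from_properties if is_props else version_from_pom)(zf.read(info))
            # pom.properties wins when both files describe the same artifact.
            if version and (is_props or (group, artifact) not in found):
                found[(group, artifact)] = version
    return found

def log4j1_hits(artifacts):
    """Coordinates of any bundled log4j:log4j 1.x, as a scanner would report them."""
    return sorted(f"{g}:{a}:{v}" for (g, a), v in artifacts.items()
                  if (g, a) == ("log4j", "log4j") and v.startswith("1."))

def constructed_fat_jar():
    """Constructed sample: an in-memory jar with log4j metadata shaded in."""
    pom = ('<project xmlns="http://maven.apache.org/POM/4.0.0"><groupId>log4j</groupId>'
           '<artifactId>log4j</artifactId><version>1.2.17.2</version></project>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/log4j/log4j/pom.xml", pom)
        zf.writestr("META-INF/maven/org.example/demo/pom.properties", "version=2.0.0\n")
    return buf
```

`bundled_artifacts` also accepts a path to a jar on disk. A jar whose shading step stripped `META-INF/maven` returns nothing here, so an empty result is not proof that no library is bundled.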

kodiakhq bot referenced this issue in RBusarow/Dispatch Jul 16, 2022

This PR contains the following updates:

| Package | Change |
|---|---|
| [org.jetbrains.dokka](https://togithub.com/Kotlin/dokka) | `1.5.31` -> `1.7.10` |
| [org.jetbrains.dokka:dokka-gradle-plugin](https://togithub.com/Kotlin/dokka) | `1.5.31` -> `1.7.10` |

---

### Release Notes

<details>
<summary>Kotlin/dokka</summary>

### [`v1.7.10`](https://togithub.com/Kotlin/dokka/releases/tag/v1.7.10)

Bugfix release that addresses several blockers and regressions.

##### General

-   Support `Kotlin` 1.7.10

##### Gradle plugin

-   Do not expose `Kotlin` stdlib in plugin dependencies, this should fix errors like `Module was compiled with an incompatible version of Kotlin` when using `Dokka`. Thanks to [@martinbonnin](https://togithub.com/martinbonnin) ([#2543](https://togithub.com/Kotlin/dokka/issues/2543))

##### Java sources

-   Fixed build failure caused by having configured source links for `Java` code ([#2544](https://togithub.com/Kotlin/dokka/issues/2544))
-   Fixed several exotic problems that led to build failures, all related to using annotation in `Java` sources ([#2509](https://togithub.com/Kotlin/dokka/issues/2509), [#2551](https://togithub.com/Kotlin/dokka/issues/2551), [#2350](https://togithub.com/Kotlin/dokka/issues/2350))
-   Fixed `IntelliJ` platform `WARN: Attempt to load key` messages that appeared when analyzing `Java` sources ([#2559](https://togithub.com/Kotlin/dokka/issues/2559))

### [`v1.7.0`](https://togithub.com/Kotlin/dokka/releases/tag/v1.7.0)

##### Improvements

##### General

-   Update to `Kotlin` 1.7.0, `IntelliJ` Platform 213
-   Support [definitely non-nullable types](https://kotlinlang.org/docs/whatsnew17.html#stable-definitely-non-nullable-types) ([https://github.com/Kotlin/dokka/pull/2520](https://togithub.com/Kotlin/dokka/pull/2520))
-   Don't expose enum entry constructor arguments, thanks to [@ebraminio](https://togithub.com/ebraminio) ([https://github.com/Kotlin/dokka/pull/2497](https://togithub.com/Kotlin/dokka/pull/2497))
-   Preserve ordering of enum entries as in source code, previously reversed ([https://github.com/Kotlin/dokka/pull/2469](https://togithub.com/Kotlin/dokka/pull/2469))
-   Improve support for inherited `Java` fields with accessors, now properly interpreted as `val`/`var` properties ([https://github.com/Kotlin/dokka/pull/2481](https://togithub.com/Kotlin/dokka/pull/2481), [https://github.com/Kotlin/dokka/pull/2532](https://togithub.com/Kotlin/dokka/pull/2532), [https://github.com/Kotlin/dokka/pull/2540](https://togithub.com/Kotlin/dokka/pull/2540))
-   Skip `@Deprecated` members with `HIDDEN` level ([https://github.com/Kotlin/dokka/pull/2486](https://togithub.com/Kotlin/dokka/pull/2486))
-   Make rendered default value dependent on source set for expect/actual declarations ([https://github.com/Kotlin/dokka/pull/2449](https://togithub.com/Kotlin/dokka/pull/2449))

##### HTML format

-   Render quotes as blockquotes instead of code blocks, thanks to [@TheOnlyTails](https://togithub.com/TheOnlyTails) ([https://github.com/Kotlin/dokka/pull/2496](https://togithub.com/Kotlin/dokka/pull/2496))

##### Javadoc format

-   Make `Javadoc` pages generation deterministic ([https://github.com/Kotlin/dokka/pull/2479](https://togithub.com/Kotlin/dokka/pull/2479))
-   Update shipped `jQuery` to avoid multiple CVEs, thanks to [@ToppleTheNun](https://togithub.com/ToppleTheNun) ([https://github.com/Kotlin/dokka/issues/1938](https://togithub.com/Kotlin/dokka/issues/1938))

##### GFM format

-   Support rendering of code blocks and inline code used in KDocs, thanks to [@cosinekitty](https://togithub.com/cosinekitty) ([https://github.com/Kotlin/dokka/pull/2485](https://togithub.com/Kotlin/dokka/pull/2485))

##### Kotlin-as-Java plugin

-   Include `Java` access modifiers into function signatures, thanks to [@tripolkaandrey](https://togithub.com/tripolkaandrey) ([https://github.com/Kotlin/dokka/pull/2510](https://togithub.com/Kotlin/dokka/pull/2510))

##### Gradle runner

-   Make `dokka-analysis` dependency `compileOnly`, this should help avoid compatibility problems if different versions of `Kotlin` are bundled in `Gradle` and `Dokka` ([https://github.com/Kotlin/dokka/pull/2521](https://togithub.com/Kotlin/dokka/pull/2521))
-   Enable stricter validation for cacheable `Gradle` tasks, thanks to [@3flex](https://togithub.com/3flex) ([https://github.com/Kotlin/dokka/pull/2500](https://togithub.com/Kotlin/dokka/pull/2500))
-   Remove unused & redundant dependencies for `Gradle` runner, thanks to [@3flex](https://togithub.com/3flex) ([https://github.com/Kotlin/dokka/pull/2502](https://togithub.com/Kotlin/dokka/pull/2502))
-   Remove outdated suppression in `Gradle` runner, thanks to [@3flex](https://togithub.com/3flex) ([https://github.com/Kotlin/dokka/pull/2501](https://togithub.com/Kotlin/dokka/pull/2501))

##### Fixes

##### General bugfixes

-   Fixed a compiler deadlock issue which led to stalling builds in some KMP projects ([https://github.com/Kotlin/dokka/pull/2480](https://togithub.com/Kotlin/dokka/pull/2480))
-   Fixed incorrect argument names of functional type parameters ([https://github.com/Kotlin/dokka/pull/2478](https://togithub.com/Kotlin/dokka/pull/2478))
-   Fixed missing external docs for AndroidX libraries, thanks to [@EdricChan03](https://togithub.com/EdricChan03) ([https://github.com/Kotlin/dokka/pull/2456](https://togithub.com/Kotlin/dokka/pull/2456))
-   Fixed tests failing on Windows, thanks to [@3flex](https://togithub.com/3flex) ([https://github.com/Kotlin/dokka/pull/2507](https://togithub.com/Kotlin/dokka/pull/2507))

##### Security

-   Get rid of bundled `log4j` 1.2 that came as a transitive dependency ([https://github.com/Kotlin/dokka/issues/2488](https://togithub.com/Kotlin/dokka/issues/2488))
-   Update Jackson to avoid [CVE-2020-36518](https://nvd.nist.gov/vuln/detail/CVE-2020-36518), thanks to [@1mt](https://togithub.com/1mt) ([https://github.com/Kotlin/dokka/pull/2525](https://togithub.com/Kotlin/dokka/pull/2525))

##### Plugin API

-   Decompose `base.ftl` template: now `header.ftl`, `footer.ftl` and `page_metadata.ftl` can be overridden individually ([https://github.com/Kotlin/dokka/pull/2432](https://togithub.com/Kotlin/dokka/pull/2432))

##### Other

-   Add Kotlin stability & support badges, thanks to [@etolstoy](https://togithub.com/etolstoy) ([https://github.com/Kotlin/dokka/pull/2511](https://togithub.com/Kotlin/dokka/pull/2511))
-   Remove an unused runner parameter, thanks to [@3flex](https://togithub.com/3flex) ([https://github.com/Kotlin/dokka/pull/2498](https://togithub.com/Kotlin/dokka/pull/2498))
-   Correct typos, thanks to [@PaladiRka](https://togithub.com/PaladiRka) ([https://github.com/Kotlin/dokka/pull/2504](https://togithub.com/Kotlin/dokka/pull/2504)) and [@mahozad](https://togithub.com/mahozad) ([https://github.com/Kotlin/dokka/pull/2506](https://togithub.com/Kotlin/dokka/pull/2506))!

Thanks to all the contributors!

### [`v1.6.21`](https://togithub.com/Kotlin/dokka/releases/tag/v1.6.21)

This is a bugfix release that mostly enables building documentation for multiplatform projects that utilize `.klib` libraries.

##### Changes

-   Support Kotlin 1.6.21
-   Update `jsoup` dependency to avoid [CVE-2021-37714](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37714) ([#2448](https://togithub.com/Kotlin/dokka/issues/2448))

##### Bugfixes

-   Support `KLIB` libraries for common platform, previously led to `ERROR CLASS` instead of references in documentation ([#2441](https://togithub.com/Kotlin/dokka/issues/2441))
-   Fixed a maven plugin build problem related to coroutines which only occurred in multi-module builds ([#2461](https://togithub.com/Kotlin/dokka/issues/2461))

### [`v1.6.20`](https://togithub.com/Kotlin/dokka/releases/tag/v1.6.20)

#### Features

-   Introduce `documentedVisibilities` setting that allows including/excluding any visibility modifier in documentation. This is a more flexible replacement for `includeNonPublic`, which has now been deprecated ([https://github.com/Kotlin/dokka/pull/2270](https://togithub.com/Kotlin/dokka/pull/2270))
-   Make HTML pages customizable through FreeMarker HTML templates ([https://github.com/Kotlin/dokka/pull/2374](https://togithub.com/Kotlin/dokka/pull/2374))
-   Add global settings to JSON dokka CLI input ([https://github.com/Kotlin/dokka/pull/2292](https://togithub.com/Kotlin/dokka/pull/2292)), thanks to [@BarkingBad](https://togithub.com/BarkingBad)!

#### HTML format changes

-   Add vertical alignment (wrapping) of signatures when 3 and more parameters are present ([https://github.com/Kotlin/dokka/pull/2309](https://togithub.com/Kotlin/dokka/pull/2309))
-   Enhance primary constructor signature, display `val`/`var` keywords and default values ([https://github.com/Kotlin/dokka/pull/2313](https://togithub.com/Kotlin/dokka/pull/2313))
-   Add a level of indentation to childless items in navigation tree ([https://github.com/Kotlin/dokka/pull/2291](https://togithub.com/Kotlin/dokka/pull/2291))
-   Add horizontal margin to breadcrumbs delimiter ([https://github.com/Kotlin/dokka/pull/2285](https://togithub.com/Kotlin/dokka/pull/2285))
-   Fixed various CSS rendering issues ([https://github.com/Kotlin/dokka/pull/2284](https://togithub.com/Kotlin/dokka/pull/2284), [https://github.com/Kotlin/dokka/pull/2389](https://togithub.com/Kotlin/dokka/pull/2389))

#### Bugfixes

-   Fixed `OutOfMemoryError: Metaspace`-related issues for the majority of cases ([https://github.com/Kotlin/dokka/pull/2216](https://togithub.com/Kotlin/dokka/pull/2216))
-   Fixed classpath issues for HMPP libraries ([https://github.com/Kotlin/dokka/pull/2431](https://togithub.com/Kotlin/dokka/pull/2431))
-   Using `@` symbol within code blocks in `.md` files doesn't lead to cropped documents anymore ([https://github.com/Kotlin/dokka/pull/2418](https://togithub.com/Kotlin/dokka/pull/2418))
-   Fixed incorrect placement of HTML head tags, which led to missing favicon in multi-module projects ([https://github.com/Kotlin/dokka/pull/2365](https://togithub.com/Kotlin/dokka/pull/2365))
-   Fixed resolution of ultralight methods that led to flaky signature generation ([https://github.com/Kotlin/dokka/pull/2400](https://togithub.com/Kotlin/dokka/pull/2400))
-   Coroutines dispatchers are now shut down after each module pass to avoid resource leaks ([https://github.com/Kotlin/dokka/pull/2325](https://togithub.com/Kotlin/dokka/pull/2325))
-   Suppressed property setters are now excluded from documentation ([https://github.com/Kotlin/dokka/pull/2220](https://togithub.com/Kotlin/dokka/pull/2220))
-   Suppressing extensions doesn't fail builds anymore ([https://github.com/Kotlin/dokka/pull/2348](https://togithub.com/Kotlin/dokka/pull/2348)), thanks to [@BarkingBad](https://togithub.com/BarkingBad)!
-   Fixed java getter / setter name generation for kotlin-java interop, now `isBoolean` instead of `getBoolean` ([https://github.com/Kotlin/dokka/pull/2356](https://togithub.com/Kotlin/dokka/pull/2356)), thanks to [@CharlesG-Branch](https://togithub.com/CharlesG-Branch)!
-   Fixed MathJax plugin, previously completely broken ([https://github.com/Kotlin/dokka/pull/2342](https://togithub.com/Kotlin/dokka/pull/2342)), thanks to [@wyskoj](https://togithub.com/wyskoj)!
-   Fixed Input/Output streams to minimize resource leaks ([https://github.com/Kotlin/dokka/pull/2312](https://togithub.com/Kotlin/dokka/pull/2312), [https://github.com/Kotlin/dokka/pull/2319](https://togithub.com/Kotlin/dokka/pull/2319))

#### Plugin API Changes

-   Add an extension point for rendering custom [documentation tags](https://kotlinlang.org/docs/kotlin-doc.html#block-tags) ([https://github.com/Kotlin/dokka/pull/2343](https://togithub.com/Kotlin/dokka/pull/2343))
-   Add an extension point for an external documentable provider ([https://github.com/Kotlin/dokka/pull/2307](https://togithub.com/Kotlin/dokka/pull/2307)), thanks to [@Kordyjan](https://togithub.com/Kordyjan)!
-   Add filtering strategies extension point and fix constructors in Kotlin-as-Java ([https://github.com/Kotlin/dokka/pull/2277](https://togithub.com/Kotlin/dokka/pull/2277)), thanks to [@BarkingBad](https://togithub.com/BarkingBad)!
-   Expose Kotlin-as-Java methods that could be used not only as part of transformers ([https://github.com/Kotlin/dokka/pull/2351](https://togithub.com/Kotlin/dokka/pull/2351)), thanks to [@BarkingBad](https://togithub.com/BarkingBad)!
-   Refactor Ancestry Graphs ([https://github.com/Kotlin/dokka/pull/2326](https://togithub.com/Kotlin/dokka/pull/2326)), thanks to [@BarkingBad](https://togithub.com/BarkingBad)!
-   Fixed resolving of DRIs for Enum Entries ([https://github.com/Kotlin/dokka/pull/2305](https://togithub.com/Kotlin/dokka/pull/2305)), thanks to [@BarkingBad](https://togithub.com/BarkingBad)!

#### General Improvements

-   Collect annotations from `package-info.java` ([https://github.com/Kotlin/dokka/pull/2331](https://togithub.com/Kotlin/dokka/pull/2331)), thanks to [@ember-rose](https://togithub.com/ember-rose)!
-   Add support for header tags (`<h1>` / `<h2>` / `<h3>`) in Javadoc ([https://github.com/Kotlin/dokka/pull/2345](https://togithub.com/Kotlin/dokka/pull/2345)), thanks to [@asfalcone](https://togithub.com/asfalcone)!
-   Add an option to merge implicit expect-actual declarations, enables merging of pages for related declarations which are not connected via `expect`-`actual` keywords ([https://github.com/Kotlin/dokka/pull/2316](https://togithub.com/Kotlin/dokka/pull/2316))
-   Add a note about using Dokka in a precompiled script plugin ([https://github.com/Kotlin/dokka/pull/2303](https://togithub.com/Kotlin/dokka/pull/2303)), thanks to [@chkpnt](https://togithub.com/chkpnt)!
-   Fixed wrong Groovy DSL example ([https://github.com/Kotlin/dokka/pull/2302](https://togithub.com/Kotlin/dokka/pull/2302)), thanks to [@chkpnt](https://togithub.com/chkpnt)!
-   Various code cleanups ([https://github.com/Kotlin/dokka/pull/2165](https://togithub.com/Kotlin/dokka/pull/2165), [https://github.com/Kotlin/dokka/pull/2360](https://togithub.com/Kotlin/dokka/pull/2360), [https://github.com/Kotlin/dokka/pull/2364](https://togithub.com/Kotlin/dokka/pull/2364), [https://github.com/Kotlin/dokka/pull/2385](https://togithub.com/Kotlin/dokka/pull/2385)), thanks to [@Goooler](https://togithub.com/Goooler)!

#### Known issues

-   Kotlin Multiplatform projects that use `.klib` libraries may experience problems. There will be a separate `1.6.21` release that will address this issue shortly.

### [`v1.6.10`](https://togithub.com/Kotlin/dokka/releases/tag/v1.6.10)

#### Changes

-   Support Kotlin 1.6.10
-   Add a sample project for versioning multi-module ([https://github.com/Kotlin/dokka/pull/2170](https://togithub.com/Kotlin/dokka/pull/2170))

#### Bugfixes

-   Fix various `java.util.zip.ZipException` for JS dependencies ([https://github.com/Kotlin/dokka/pull/2258](https://togithub.com/Kotlin/dokka/pull/2258))
-   Fix handling of Description Lists (`<dl>`) used in JavaDocs ([https://github.com/Kotlin/dokka/pull/2259](https://togithub.com/Kotlin/dokka/pull/2259))
-   Fix for "repositories not defined" issue in versioning multimodule example ([https://github.com/Kotlin/dokka/pull/2263](https://togithub.com/Kotlin/dokka/pull/2263)), thanks [@rajdeep1008](https://togithub.com/rajdeep1008)!
-   Fix multiple rendering issues for "See Also" block for html format ([https://github.com/Kotlin/dokka/pull/2267](https://togithub.com/Kotlin/dokka/pull/2267))
-   Fix sample body not being embedded to documentation ([https://github.com/Kotlin/dokka/pull/2216](https://togithub.com/Kotlin/dokka/pull/2216))

#### Maintenance

-   Update npm dependencies ([https://github.com/Kotlin/dokka/pull/2251](https://togithub.com/Kotlin/dokka/pull/2251))
-   Bump `de.undercouch.download` to 4.1.2 ([https://github.com/Kotlin/dokka/pull/2268](https://togithub.com/Kotlin/dokka/pull/2268))
-   Bump `kotlinx.coroutines` to 1.6.0 in integration tests ([https://github.com/Kotlin/dokka/pull/2276](https://togithub.com/Kotlin/dokka/pull/2276))

### [`v1.6.0`](https://togithub.com/Kotlin/dokka/releases/tag/v1.6.0)

Changes:

-   **New UI**
-   Support of version plugin for single module projects
-   Allow package-level suppression ([#2209](https://togithub.com/Kotlin/dokka/issues/2209)), thanks [@owengray-google](https://togithub.com/owengray-google)
-   GFM: Use Markdown syntax to render lists ([#2098](https://togithub.com/Kotlin/dokka/issues/2098)), thanks [@sgilson](https://togithub.com/sgilson)
-   Fix names of nested inheritors
-   Fix adding new custom stylesheets in submodules
-   Add keywords `expect` and `actual` in signatures

</details>

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/RBusarow/Dispatch).

PR-URL: #488