FISH-7757 FISH-8344 Upgrade to Parsson 1.1.5 with JSONP-API Deprecated to 2.1.0 #6612
Description
Upgrades us to Parsson 1.1.5 with the JSONP-API deprecated to 2.1.0 to grab the fixes for CVE-2023-4043.
Parsson 1.1.5 includes the same upgrades that caught us out when we tried to upgrade to 1.1.4 - JSONP-API has been updated from 2.1.0.
Changes introduced in JSONP-API to the JsonProvider.provider() method appear to break our TCK runner. They reworked how system properties are loaded by this SPI class, and it now (correctly) finds the system property. This however breaks us because this SPI class doesn't fall back to the other methods available for loading the factory class (service loader, OSGi, default) - it simply fails with a (wrapped) ClassNotFoundException.
In our case, we previously passed this TCK test because our Service Loader would end up returning the expected dummy TCK factory class, and now it doesn't reach this point. Payara is attempting to load the dummy factory class using the class loader available to the jakarta.json.jar module - the OSGi bundle class loader. This fails as the jakarta.json.jar module doesn't have the dummy TCK factory class as an OSGi import, and it's not otherwise available on this class loader.
This PR is a temporary measure just so we have the CVE fix - the intent is that we will continue to investigate and address this class loader issue for a future release.
Important Info
Blockers
payara/patched-src-parsson#2
Testing
New tests
None
Testing Performed
Built the blocking PR, built Payara, and ran the JSONP TCK.
Testing Environment
Windows 11, Zulu 11.0.22
Documentation
payara/Payara-Documentation#423
Notes for Reviewers
See description.
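The lookup order the description lists (system property, then service loader, then default) with an explicit, caller-supplied class loader, as an added Java illustration; this is not Payara's or Jakarta JSON-P's own code. It assumes the property and default-class names used by Jakarta JSON-P 2.1, omits the OSGi step, and treats the `loader` argument as hypothetical.

```java
import java.util.Iterator;
import java.util.ServiceLoader;

/**
 * Illustrative provider lookup (added example, not the jakarta.json code).
 * Order: jakarta.json.provider system property, ServiceLoader on the supplied
 * class loader, then the default implementation. A property that names an
 * unloadable class is reported and the remaining steps are still tried,
 * which is the fallback behaviour the PR description says 2.1.0 no longer has.
 */
public final class ProviderLookup {

    // Names as used by Jakarta JSON-P 2.1; assumed here, verify against the API jar.
    static final String PROVIDER_PROPERTY = "jakarta.json.provider";
    static final String DEFAULT_PROVIDER = "org.eclipse.parsson.JsonProviderImpl";

    private ProviderLookup() { }

    /**
     * Looks up an implementation of {@code spi} through {@code loader}. In an
     * OSGi runtime the caller normally passes the thread context class loader,
     * because the SPI class's own bundle loader cannot see classes (such as a
     * TCK dummy factory) that are not among the bundle's imports.
     */
    public static <T> T lookup(Class<T> spi, ClassLoader loader) {
        // 1. Explicit override via system property.
        String name = System.getProperty(PROVIDER_PROPERTY);
        if (name != null) {
            try {
                return spi.cast(Class.forName(name, true, loader)
                        .getDeclaredConstructor().newInstance());
            } catch (ReflectiveOperationException e) {
                // Report, but keep going so a misconfigured property alone
                // does not fail the lookup when a provider is reachable otherwise.
                System.err.println("Provider named by " + PROVIDER_PROPERTY
                        + " not loadable via " + loader + ": " + e);
            }
        }
        // 2. ServiceLoader (META-INF/services) on the caller-supplied loader.
        Iterator<T> it = ServiceLoader.load(spi, loader).iterator();
        if (it.hasNext()) {
            return it.next();
        }
        // 3. Default implementation.
        try {
            return spi.cast(Class.forName(DEFAULT_PROVIDER, true, loader)
                    .getDeclaredConstructor().newInstance());
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("No provider found for " + spi.getName(), e);
        }
    }
}
```

Logging the failed property step rather than swallowing it silently keeps a stale or mistyped provider name visible during testing instead of masking it behind the fallback.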