sonatype / install4j-support Goto Github PK

Not able to copy dll files into windows system32 folder using install4j package

'''
control@ubuntu:~$ sh ./nexus-pro-trial_unix_2.2-SNAPSHOT.sh -c
Starting Installer ...
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/home/control/nexus-pro-trial_unix_2.2-SNAPSHOT.sh.10657.dir/user.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/home/control/nexus-pro-trial_unix_2.2-SNAPSHOT.sh.10657.dir/user/install4j-slf4j.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.sonatype.install4j.slf4j.Install4jLoggerFactory]
'''

The script spits out extra information like:

testing JVM in /usr …
install4j version 5.1.3 (build 5521), built on 2012-09-21

If the execution of install4jc fails, the mojo keeps going instead of stopping

macKeystorePassword not getting set correctly in CompileMojo.java

It looks like the check is looking for winKeystorePassword to not be null instead of macKeystorePassword . . .

This is what the code looks like currently for setting the keystore values:

if (winKeystorePassword != null) {
        task.createArg().setValue("--win-keystore-password");
        task.createArg().setValue(winKeystorePassword);
    }

    if (winKeystorePassword != null) {
        task.createArg().setValue("--mac-keystore-password");
        task.createArg().setValue(macKeystorePassword);
    }

Building our project module works fine using maven 3.0.5 but fails in 3.1.0:

It would be nice to be able to execute the compile goal several times in one maven build. It seems that currently this can only be done once.

I have a client-server application that has both a client installer and a complete installer with both the client and server. The tricky part is that the media file with only the client should also be downloadable from the server so it needs to be included in the installer compilation of the complete installer. To be able to reuse the same install4J project for both installers I would like to have the ability to first build the media file for the client-installer and then the media file for the complete installer.

Thanks,
Oscar Lantz
Assa Abloy

// Trigger a file download action, so that proxy configuration can be detected
log.debug("Detecting proxy configuration");
DownloadFileAction action = new DownloadFileAction();
action.setUrl("http://www.google-analytics.com/__utm.gif"); // just use the tracker's base url w/o any params
action.setAskForProxy(true);
action.setDeleteOnExit(true);
action.setRetryIfInterrupted(true);
action.setShowFileName(false);
action.setShowProgress(false);
action.setShowError(false);
action.setTargetFile(File.createTempFile("configure-proxy", ".tmp").getAbsolutePath());
action.execute(context);

I believe this should disable any progress display, but I still see some:

Starting Installer ...
0.0 MB of 0.0 MB (100.0%) at 17.1 kb/s

The "0.0 MB of 0.0 MB (100.0%) at 17.1 kb/s" here is the DownloadFileAction action executions output.

I had expected that if "action.setShowProgress(false);" that it would not emit any of these details.

When attaching files from output.txt the paths did not align properly depending on how you invoked maven. This caused some problems with the gpg plugin which uses the information detected from invocation to re-root signature files. So depending on how you ran mvn the location of the gpg files would change.

Checking the class /install4j-ga/src/main/java/org/sonatype/install4j/ga/ConfigureProxyAction.java, one of it's imports was moved.
The class is DownloadFileAction and it was moved from package "com.install4j.runtime.beans.actions.update" to "com.install4j.runtime.beans.actions.net".
This change was made in version 6 of i4jruntime.jar.

I moved some files in our project that resulted only in warnings from Install4j:

[INFO] Creating media file 'Windows 32bit':
[INFO] Created media file output directory /home/johannes/projects/service/...
[INFO]
[INFO] Collecting files:
[INFO] [WARNING] The path "../wibu/CodeMeterRuntime.exe" does not exist.
[INFO] [WARNING] The path "../wibu/WibuVm.jar" does not exist.
[INFO] [WARNING] The path "../wibu/WibuXpm4J32.dll" does not exist.
[INFO] [WARNING] The path "../wibu/WibuXpm4J64.dll" does not exist.

I really would like to fail the build, if these files could not be found. Any idea how to solve this?
I tried "true" - but unfortunately without any effect.

The default behavior is to WARN and ignore, but this can lead to problems on release systems which are expected to always generate installers.

Vulnerabilities

DepShield reports that this application's usage of com.jcraft:jsch:0.1.38 results in the following vulnerability(s):

• (CVSS 5.9) [CVE-2016-5725] Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal")

Occurrences

com.jcraft:jsch:0.1.38 is a transitive dependency introduced by the following direct dependency(s):

• org.apache.maven:maven-core:2.2.1
        └─ org.apache.maven.wagon:wagon-ssh:1.0-beta-6
              └─ com.jcraft:jsch:0.1.38

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

The plugin fails to start, complaining about missing compiler executable while
the file is at the right location. Here is an example of the output:

[INFO] --- install4j-maven-plugin:1.0.3:compile (compile-installers) @ ipdc-jboss-distribution ---
[WARNING] Missing install4j compiler executable: C:\Program Files\install4j5\bin\install4jc

I have taken a look at the source code and I can see that the problem lies in class Install4jcMojoSupport where at lines 71-76, it tries to determine if the compiler executable file exists:

File install4jc = new File(installDir, "bin/install4jc");
        if (!install4jc.exists()) {
            log.warn("Missing install4j compiler executable: " + install4jc);
            return;
        }

The problem is that on Windows machine (as mine) the install4jc file constructed points
to a directory and NOT on the actual file, hence the exist() method will always returns false.
At least for windows, it should be replaced with:

File install4jc = new File(installDir, "bin/install4jc.exe");

Please let me know if you need any more information.

The missing command line parameters are

--apple-id
--apple-id-password
--disable-bundling

Vulnerabilities

DepShield reports that this application's usage of org.apache.jackrabbit:jackrabbit-webdav:1.5.0 results in the following vulnerability(s):

• (CVSS 6.4) [CVE-2015-1833] Improper Input Validation

Occurrences

org.apache.jackrabbit:jackrabbit-webdav:1.5.0 is a transitive dependency introduced by the following direct dependency(s):

• org.apache.maven:maven-core:2.2.1
        └─ org.apache.maven.wagon:wagon-webdav-jackrabbit:1.0-beta-6
              └─ org.apache.jackrabbit:jackrabbit-webdav:1.5.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

The documentation of the last released version for the install4j support modules is not up-to-date and should be updated to version 1.1.1 including content changes.

AntHelper.java seems to use outputstreams in such a way that the outputs might get mixed up with outputs from other running tasks.

This becomes a problem when trying to run the plugin as part of a multithreaded Maven build. It might fail to:

[2019-04-25T10:16:52.515Z] [ERROR] Failed to execute goal org.sonatype.install4j:install4j-maven-plugin:1.0.8:compile (compile-installers)
on project install4j: Unable to parse version from input: Picked up JAVA_TOOL_OPTIONS:
-Dmaven.ext.class.path="pipeline-maven-spy.jar"
-Dorg.jenkinsci.plugins.pipeline.maven.reportsFolder="withMavene6640721"
install4j version 6.1.2 (build 6275), built on 2016-06-21 -> [Help 1]

The Exception is thrown here: https://github.com/sonatype/install4j-support/blob/master/install4j-maven-plugin/src/main/java/org/sonatype/install4j/maven/VersionHelper.java#L87
and if I understand correctly, the root of the problem is AntHelper
https://github.com/sonatype/install4j-support/blob/master/install4j-maven-plugin/src/main/java/org/sonatype/install4j/maven/AntHelper.java#L64

It seems to me that MavenAntLoggerAdapter is used and the output of calls is redirected to standard output where it mingles with other texts failing the version parsing.

Maybe the output could be redirected to a temporary file and read from there or fixed in some other way?

Vulnerabilities

DepShield reports that this application's usage of org.codehaus.plexus:plexus-utils:1.5.15 results in the following vulnerability(s):

• (CVSS 9.8) [CVE-2017-1000487] Improper Neutralization of Special Elements used in a Command (Command Injection)

Occurrences

org.codehaus.plexus:plexus-utils:1.5.15 is a transitive dependency introduced by the following direct dependency(s):

• org.apache.maven:maven-core:2.2.1
        └─ org.codehaus.plexus:plexus-utils:1.5.15

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

This parameter is used to keep the temporary files created by Install4j.
This option is not showed in --help, but its mentioned in http://stackoverflow.com/a/32273724/3385457.

Its possible to include it?

Reference:

http://stackoverflow.com/questions/25680587/sockettimeoutexception-during-signing-process

The documentation says, that the goal insatll-license will be skipped, if install4j.home is not set or invalid.
But when install4j.home is not set i get this error message and the build fails:

[ERROR] Failed to execute goal org.sonatype.install4j:install4j-maven-plugin:1.0.6:install-license (install-license) on project h-installer: The parameters 'installDir' for goal org.sonatype.install4j:install4j-maven-plugin:1.0.6:install-license are missing or invalid -> [Help 1]

When I set the variable to an invalid location, the goal is skipped.
Since I dont want all clients to set a variable to an invalid location, I need the goal to be skipped, when the variable is not set.

Vulnerabilities

DepShield reports that this application's usage of commons-httpclient:commons-httpclient:3.0 results in the following vulnerability(s):

• (CVSS 5.8) [CVE-2012-5783] Improper Input Validation

Occurrences

commons-httpclient:commons-httpclient:3.0 is a transitive dependency introduced by the following direct dependency(s):

• org.apache.maven:maven-core:2.2.1
        └─ org.apache.maven.wagon:wagon-webdav-jackrabbit:1.0-beta-6
              └─ org.apache.jackrabbit:jackrabbit-webdav:1.5.0
                    └─ commons-httpclient:commons-httpclient:3.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

If I use <attach>true</attach> with a install4j Unix archive, then the .tar extension is chopped of from .tar.gz on attachment:

[INFO] Installing /home/stain/src/net.sf.taverna.t2.taverna-commandline/target/media/taverna-commandline-core-2.5-SNAPSHOT-unix.tar.gz to /home/stain/.m2/repository/net/sf/taverna/t2/taverna-commandline-core/2.5-SNAPSHOT/taverna-commandline-core-2.5-SNAPSHOT-unix.gz

Suggested fix is to change CompileMojo#getType to have special cases for .tar.gz and .tar.bz2 (I will submit such a patch)