How to apply bug fixes on open source WSO2 API Manager 4.0.0 and WSO2 Micro Integrator 1.2.0 - wso2

We are working on WSO2 open source API Manager 4.0.0 and Micro Integrator 1.2.0. We need to apply the bug fixes. We are unable to get the latest build of specific WSO2 API Manager and Micro Integrator versions from the source code.
We are trying to get the latest build by building the product from the source code available in the GitHub repositories below, but the master branch contains the latest APIM and MI versions. Could you please help us build specific APIM and MI versions (APIM 4.0.0 and MI 1.2.0)?
API Manager:
https://github.com/wso2/product-apim
Micro Integrator:
https://github.com/wso2/micro-integrator

You can check out from the tag and apply the fixes.
https://github.com/wso2/product-apim/tree/v4.0.0
https://github.com/wso2/micro-integrator/tree/v1.2.0
Carbon APIMGT version for APIM v4 - https://github.com/wso2/carbon-apimgt/tree/v9.0.174
Carbon APIMGT contains the core functionalities of the product APIM.

WSO2 API Manager and MI are a collection of different jars and webapps. In our open source code base, each product has a product repo (product-apim, micro-integrator, product-is) and multiple component repositories (carbon-apimgt, wso2-synapse). All of these are in the WSO2 or WSO2-extensions organization.
If you want to find the codebase for a specific version of a product or a component, you can check the release tag of the repository. For example, if you want to find the APIM 4.0.0 related code base, you first need to get the 4.0.0 tag in the product-apim repository.
Since we use Maven as the build tool, pom.xml in the product repository includes all the component versions. Most of the time, the fix is sent to a component repository and you can find the relevant component version by referring to this pom.xml. For example, most of the APIM-specific components are included in the carbon-apimgt repository. You can find the relevant carbon-apimgt version in the pom.xml as 9.0.174.
If you check out the carbon-apimgt repo's 9.0.174 tag, you can find the relevant code base. Similarly, synapse version is 2.1.7-wso2v227.
Once you find the relevant code base, you can apply your fix and build the component locally. This will build the jar with your fix and you can patch the product by adding this jar to the /repository/component/patches/patch0001/<Jar_name>.jar.
Make sure that you use the same name as the jar included in the /repository/component/plugins repository (sometimes the "-" in the name is converted to "_").
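The renaming step above, as an added example (not part of the original answer and not WSO2 tooling): it looks up the name the plugins directory uses for the bundle and stages the rebuilt jar under that name in a patch directory. The directories are passed in as parameters, and the jar names and contents are constructed samples.

```python
import re
import shutil
import tempfile
from pathlib import Path


def normalise(jar_name: str) -> str:
    # Treat '-', '_' and '.' as one separator so Maven-style and plugin-style names compare equal.
    return re.sub(r"[-_.]+", ".", jar_name.lower())


def plugin_name_for(built_jar: Path, plugins_dir: Path) -> str:
    """Return the file name the plugins directory uses for the bundle being patched."""
    wanted = normalise(built_jar.name)
    matches = [p.name for p in plugins_dir.glob("*.jar") if normalise(p.name) == wanted]
    if len(matches) != 1:
        # Zero matches: wrong version or component; several: ambiguous, so refuse to guess.
        raise LookupError(f"{built_jar.name}: expected one matching plugin, found {matches}")
    return matches[0]


def stage_patch(built_jar: Path, plugins_dir: Path, patch_dir: Path) -> Path:
    """Copy the rebuilt jar into patch_dir under the plugin's name; plugins_dir is only read."""
    target = patch_dir / plugin_name_for(built_jar, plugins_dir)
    patch_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(built_jar, target)
    return target


def demo() -> str:
    """Run against a constructed layout (sample names, dummy contents); return the staged name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugins = root / "plugins"
        plugins.mkdir()
        (plugins / "org.wso2.carbon.apimgt.impl_9.0.174.jar").write_bytes(b"original")
        (plugins / "org.wso2.carbon.apimgt.api_9.0.174.jar").write_bytes(b"other")
        built = root / "org.wso2.carbon.apimgt.impl-9.0.174.jar"
        built.write_bytes(b"patched")
        staged = stage_patch(built, plugins, root / "patches" / "patch0001")
        return staged.name


if __name__ == "__main__":
    print(demo())
```

Refusing to stage when there is no single match catches a jar built from the wrong tag before it reaches the server.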

Related

Vulnerability fix for Apache Commons Text with wso2 carbon libraries

I am looking out for suggestions on the recent vulnerability (https://blogs.apache.org/security/entry/cve-2022-42889), which is also coming from the wso2 IS 5.11 binary downloaded from (https://github.com/wso2/product-is/releases/tag/v5.11.0) and the carbon libraries we are using in custom plugins like:
<groupId>org.wso2.carbon.identity.framework</groupId>
<artifactId>org.wso2.carbon.identity.mgt</artifactId>
<version>5.18.187</version>
<groupId>org.wso2.carbon.identity.framework</groupId>
<artifactId>org.wso2.carbon.identity.application.authentication.framework</artifactId>
<version>5.18.187</version>
<groupId>org.wso2.carbon.identity.framework</groupId>
<artifactId>org.wso2.carbon.identity.provisioning</artifactId>
<version>5.18.187</version>
Are there any upgrades to these which are compatible with wso2 IS v5.11?
The wso2 advisories mention that the vulnerability has no impact on the products [1] since the preconditions are not met. The team promises to fix the vulnerable versions, and (paid) customers will be able to obtain the fix through their security update once it is available. Along with this effort, the public fix will be done for the current public branch and will be available if you build product-is from the repository. The timeline for the public fix is yet to be known.
The suggested upgrade for 5.11.0 would be to 1.10.0 of the Apache Commons Text library.
This library comes into the Identity Server 5.11 pack mainly through the Forget me tool. In the latest release (wso2is-6.0.0), the Forget me tool has been externalized [2] and can be used in the product on demand.
Refer:
[1] https://docs.wso2.com/display/Security/CVE-2022-42889
[2] https://is.docs.wso2.com/en/latest/deploy/remove-references-to-deleted-user-identities/#building-the-identity-anonymization-tool
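To see where Commons Text actually sits in an unpacked product or plugin build, the following added example (not from the original answer or from WSO2) walks a directory and reports every jar whose Commons Text version falls in the range affected by CVE-2022-42889 (1.5 through 1.9), reading the embedded Maven metadata so renamed jars are still found. The directory tree in `demo()` is constructed for the example.

```python
import re
import tempfile
import zipfile
from pathlib import Path

POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
FIRST_AFFECTED, FIXED = (1, 5, 0), (1, 10, 0)  # affected: 1.5 through 1.9; 1.10.0 is the upgrade

def triple(version):
    """Leading 'major.minor.micro' as a tuple; qualifiers ignored, unparsable sorts lowest."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    return tuple(int(g or 0) for g in m.groups()) if m else (0, 0, 0)

def commons_text_version(jar):
    """Version from embedded Maven metadata (survives renaming), else from the file name."""
    try:
        with zipfile.ZipFile(jar) as zf:
            if POM_PROPS in zf.namelist():
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(\S+)", props, re.M)
                if m:
                    return m.group(1)
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable archive: fall back to the file name
    m = re.match(r"commons-text[-_](\d[\w.\-]*?)\.jar$", jar.name)
    return m.group(1) if m else None

def find_affected(root):
    """Sorted (relative path, version) for every Commons Text jar in the affected range."""
    hits = []
    for jar in Path(root).rglob("*.jar"):
        version = commons_text_version(jar)
        if version and FIRST_AFFECTED <= triple(version) < FIXED:
            hits.append((jar.relative_to(root).as_posix(), version))
    return sorted(hits)

def demo():
    """Scan a constructed tree: two affected jars (one renamed), one fixed, one unrelated."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, ver in [("lib/commons-text-1.9.jar", "1.9"), ("plugins/renamed_bundle.jar", "1.6"),
                         ("lib/commons-text-1.10.0.jar", "1.10.0"), ("lib/other.jar", None)]:
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            with zipfile.ZipFile(path, "w") as zf:
                zf.writestr(POM_PROPS if ver else "README", f"version={ver}\n")
        return find_affected(tmp)

if __name__ == "__main__":
    print(demo())
```

The scan does not open jars nested inside .war or other archives, so unpack those first if the deployment contains them.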

wso2 IS custom federated authenticator not showing in list

I have tried the custom federated authenticator sample given in the wso2 documentation (https://github.com/wso2/samples-is/tree/master/authenticators/components/org.wso2.carbon.identity.sample.federated.authenticator). After building, I deployed it in the /repository/components/dropins folder, but after deployment it is not showing in the federated authenticator list. I am using wso2 IS 5.10.0.
Below is the build which I used from the sample,
https://github.com/VIKRAMAS/wso2-custom-federated-authentor
I also tried to deploy the GitHub authenticator from the IS connector store page, and it is working and showing in the federated authenticator list, but the sample which I have deployed is not. The same build works in wso2 IS version 5.12.
Your component is not activating (it is in the INSTALLED state) in the IS 5.10.0 pack due to the following issue.
It may have a dependency on the application authentication framework, and you have specified the range as version 5.18.0 or above. But, 5.17.5 is the framework version available in runtime.
Check the framework version range in the pom file and correct it to a version range that contains 5.17.5. Check the framework version range used for <Import-Package> in
<plugin>
    <groupId>org.apache.felix</groupId>
    <artifactId>maven-bundle-plugin</artifactId>
</plugin>
If the framework component is not defined with a range inside <Import-Package>, and <DynamicImport-Package>*</DynamicImport-Package> is used, the runtime versions will be resolved dynamically. It takes the version range based on the framework version defined for dependencies (normally used for compilation).
E.g.: if the framework version is 5.18.21, it searches for 5.18.0 - 6.0.0 versions in runtime.
You can refer to the "Useful OSGi commands to debug" section of https://anuradha-15.medium.com/lets-write-and-run-your-first-osgi-service-on-wso2-platform-482f6e5e3ea5 to learn more about troubleshooting OSGi activation issues.
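The version-range mismatch described in this answer, as an added example (not code from the answer or from WSO2): it parses an OSGi-style import range and checks whether the framework version present at runtime falls inside it. The function names are hypothetical, and treating the derived upper bound as exclusive is an assumption, since the answer only gives "5.18.0 - 6.0.0".

```python
import re


def parse_version(text):
    """Leading 'major.minor.micro' as a tuple; a trailing qualifier is ignored here."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def parse_range(text):
    """OSGi range '[low,high)' -> (low, low_inclusive, high, high_inclusive).

    A bare version such as '5.18.0' means 'that version or anything higher'.
    """
    m = re.fullmatch(r"\s*([\[(])([^,]+),([^\])]+)([\])])\s*", text)
    if not m:
        return parse_version(text), True, None, False
    return parse_version(m[2]), m[1] == "[", parse_version(m[3]), m[4] == "]"


def satisfies(runtime_version, import_range):
    """True if the package version exported at runtime falls inside the import range."""
    low, low_inc, high, high_inc = parse_range(import_range)
    v = parse_version(runtime_version)
    if v < low or (v == low and not low_inc):
        return False
    return high is None or v < high or (v == high and high_inc)


def derived_range(compile_version):
    """Range for an unpinned import: same minor line up to the next major.

    Assumption: the upper bound is exclusive; the answer only says '5.18.0 - 6.0.0'.
    """
    major, minor, _ = parse_version(compile_version)
    return f"[{major}.{minor}.0,{major + 1}.0.0)"


def check(compile_version, runtime_version):
    """Report whether a bundle compiled against compile_version can resolve at runtime."""
    rng = derived_range(compile_version)
    state = "resolves" if satisfies(runtime_version, rng) else "stays INSTALLED"
    return f"import {rng} vs runtime {runtime_version}: {state}"


if __name__ == "__main__":
    print(check("5.18.21", "5.17.5"))             # the mismatch from the answer
    print(satisfies("5.17.5", "[5.17.5,6.0.0)"))  # a widened range that contains 5.17.5
```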

How to incorporate wso2 esb fix?

I have installed the DSS feature on ESB. While deploying a DSS artifact, I came across an error similar to the one below:
WARN - DefaultAppDeployer Can't deploy artifact : EmployeeDataService of type : service/dataservice. Required features are not installed in the system
The wso2 jira indicates that the issue has been resolved
https://wso2.org/jira/browse/CARBON-15657
How do I incorporate this fix in my wso2 esb 4.9 installation?
You can get the relevant patches for those fixes and apply them to your version. As most patches are provided upon customer request, it is better to use release versions which have those fixes.
In ESB 5.0.0, all fixes are included, and it may be released within this month (July, 2016).

How do I get the most recent / official code and jars for siddhi?

I see there's a separate maven repo at http://dist.wso2.org/maven2 but the version of siddhi - your CEP does not match what is in here: https://github.com/wso2/product-cep
Which is current and which can be used? Also, the website has a lead-capture form. Is the product truly apache2 open source or is it in name only?
WSO2 products are 100% Apache 2.0 license compatible free and open source products. You can find the Siddhi version used in WSO2 CEP.
Based on the description given on the Siddhi repository, the current version is 3.0.2. Please find the maven nexus repository for Siddhi

Session Timeout in WSO2 4.1.1

We are using WSO2 4.1.1 for user management. Is there a way to do a session time out in WSO2 4.1.1?
(I am looking to see if there is a fix for this in WSO2 4.1.1. Currently, I am not looking at migrating to WSO2 4.5, where this is mentioned as a supported feature.)
I am referring to the following link, where it says the WSO2 4.1.1 code has been changed to handle session time out.
https://wso2.org/jira/browse/IDENTITY-1030
Are these changes available as a new version of jar compatible with the WSO2 4.1.1 version?
Thanks in advance for the help
You won't be able to get a new version of the jar and use it with the WSO2 IS 4.1.1. AFAIK, IS 4.1.1 was never released, I think you are using a build shared via dev# list.
Anyway, you can try the following.
Check out the source for the corresponding jars in WSO2 IS 4.1.1. Try to check out from the branch. For example: https://svn.wso2.org/repos/wso2/carbon/platform/branches/4.1.0/components/identity/org.wso2.carbon.identity.base/
Fix the issue and do 'mvn clean install'
Copy the target jar as a patch.
Run server with -DapplyPatches
In this way, you can try to fix this issue.
If we discover issues with any product after it has been released, you will be able to get the fix only in a newer version. Otherwise, you need to patch the existing jar versions.
I hope this helps.