Bug 1020925 - Dual maven repositories unable to remove malicious dependency in Business Central
Status: CLOSED CURRENTRELEASE
Product: JBoss BRMS Platform 6
Classification: JBoss
Component: Business Central
Version: 6.0.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ER5
Target Release: 6.0.0
Assigned To: manstis
QA Contact: Radovan Synek
Reported: 2013-10-18 10:11 EDT by Radovan Synek
Modified: 2015-01-22 06:59 EST
Doc Type: Bug Fix
Last Closed: 2014-08-06 16:18:51 EDT
Type: Bug

Attachments
malicious JAR (added pom.xml inside to be able to upload it, see bug 1019854) (11.43 KB, application/x-java-archive)
2013-10-18 10:11 EDT, Radovan Synek
screenshot - Project Screen error message (38.58 KB, image/png)
2013-10-18 10:12 EDT, Radovan Synek
Description Radovan Synek 2013-10-18 10:11:23 EDT
Created attachment 813791
malicious JAR (added pom.xml inside to be able to upload it, see bug 1019854)

Take a look at bug 1007055. After getting Business Central into this broken state, I wanted to recover it by deleting the malicious dependency:

1) Removing the dependency from the project will help - in case you haven't closed the Project Screen yet.
But after closing and reopening the Project Screen, an error message appears and the Project Screen keeps loading.
=> dependency cannot be removed from the project

2) Removing the JAR from Asset Repository.
This didn't help me; the Project Screen was either still loading, or it allowed me to remove the dependency, but after closing and reopening, the error message appeared again.

3) Erasing the malicious JAR (com.cigna.jar) from ~/.m2/repository/...
After rebuilding via Project Editor, Business Central seems to be recovered.

When some JAR is uploaded into the asset repository, this artifact is also deployed to the ~/.m2 repo and is still being read by Business Central, even after this artifact has been erased from the asset repository. In this case it's hard to get rid of a malicious JAR.

Attaching the error message from the Project Screen and the malicious JAR. Here are simplified steps for reproduction:
1) upload JAR into Asset Repository
2) add it as a dependency to a project.
3) save & build the project
4) close and reopen Project Editor => error screen should appear and Project Editor should be loading infinitely
5) erase the JAR from Asset Repository
6) build the project, close & reopen Project Editor => error screen should appear again
7) remove the JAR from your ~/.m2 repository, repeat step 6); I was able to get the Project Screen without any error message.
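The report above describes an artifact that lives in two Maven repositories (the Guvnor `repository` folder and `~/.m2/repository`) but is deleted from only one. The following is an added verification check, not code from the bug or from Business Central, that resolves an artifact's standard Maven layout path under each repository root and reports where a copy still exists; the coordinates, directory names and JAR bytes are constructed for the demo.

```python
"""Report which Maven repository roots still hold a given artifact.

Added example (not part of the bug report or the product): after removing a
JAR from the Asset Repository, run this over every root Business Central
writes to, so a copy left behind in ~/.m2/repository is noticed.
"""
import tempfile
from pathlib import Path


def artifact_path(repo_root, group_id, artifact_id, version, packaging="jar"):
    """Standard Maven repository layout: groupId dots become directories,
    followed by artifactId/version/artifactId-version.packaging."""
    return (Path(repo_root).joinpath(*group_id.split("."))
            / artifact_id / version / f"{artifact_id}-{version}.{packaging}")


def find_residue(repo_roots, group_id, artifact_id, version):
    """Return the roots (as strings) in which the artifact JAR is still present."""
    return [str(root) for root in repo_roots
            if artifact_path(root, group_id, artifact_id, version).is_file()]


def demo():
    """Reproduce the half-delete: the JAR is dropped from the working-directory
    repository only, and the ~/.m2 copy is reported as residue."""
    base = Path(tempfile.mkdtemp())
    # Constructed stand-ins for ${working directory}/repository and ~/.m2/repository.
    guvnor_repo = base / "repository"
    m2_repo = base / ".m2" / "repository"
    gav = ("com.example", "demo-artifact", "1.0")  # hypothetical coordinates
    for repo in (guvnor_repo, m2_repo):
        jar = artifact_path(repo, *gav)
        jar.parent.mkdir(parents=True)
        jar.write_bytes(b"PK\x03\x04")  # constructed placeholder JAR header
    # The Asset Repository delete only touches the first repository.
    artifact_path(guvnor_repo, *gav).unlink()
    return find_residue([guvnor_repo, m2_repo], *gav)


if __name__ == "__main__":
    for leftover in demo():
        print("artifact still present under:", leftover)
```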
Comment 1 Radovan Synek 2013-10-18 10:12:28 EDT
Created attachment 813792
screenshot - Project Screen error message
Comment 4 manstis 2013-10-21 17:28:45 EDT
I have fixed the problem demonstrated in the latest screenshot (i.e. "Loading..." still showing after the error popup). I have also checked that removing the dependency from the project results in a successful build; and that removing the Cigna JAR from the Guvnor M2 Repository removed it from the underlying /repository folder. If there is something I've missed please let me know.
Comment 5 Radovan Synek 2013-10-22 05:06:54 EDT
From the description it is not fully clear what the root cause is.

The main problem is that Business Central uploads JARs into two repositories (one in ${working directory}/repository and one in ~/.m2/repository) but deletes them only from the first one. When the user deletes a JAR from the Asset Repository, it needs to be removed from both Maven repositories.
Comment 6 manstis 2013-10-25 12:18:16 EDT
Hello,

I've been doing some research and chatted to a few colleagues who know more about Maven than I do. The common opinion is that we should *not* be deleting any artifact from a "remote" Maven repository (which is what /bin/repository represents). We can however delete from a "local" repository, i.e. .m2.

That said, this suggests the ability to delete JARs in the Asset Repository can at best only *ever* do half of it (as we should never delete from "remotes"), and therefore I wonder if we should remove the ability to delete altogether.

WDYT? 

The root cause of the problem we are now discussing is that you could not delete a dependency from a project within the workbench. This has been fixed (https://bugzilla.redhat.com/show_bug.cgi?id=1018968).

Cheers,

Mike
Comment 7 Radovan Synek 2013-10-29 07:39:01 EDT
After discussing this issue we agreed that there is no need for a delete operation in the Asset Repository at all. Any malicious dependency can be removed from the corresponding project now (bug 1018968), and deleting artifacts from Maven repositories cannot be considered best practice.
Comment 9 Radovan Synek 2013-12-03 08:57:40 EST
Verified on BRMS-6.0.0.ER5
Comment 10 Radovan Synek 2014-03-18 11:57:47 EDT
qe_test_coverage: see comment 7