Friday, September 15, 2017

Upgrade J2EE project to latest libraries


I got a task to tidy up a J2EE application and upgrade all its libraries for security purposes (some older jars appeared on a security concern report).

We are using Maven and I have a couple of questions:
Is it possible to find unused jars?
How do I go about upgrading the libraries?
If library A is upgraded, how do I find the minimum version of the related libraries?

m2/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
m2/asm/asm/3.3.1/asm-3.3.1.jar
m2/cglib/cglib-nodep/2.2.2/cglib-nodep-2.2.2.jar
m2/cglib/cglib/2.2.2/cglib-2.2.2.jar
m2/com/google/code/gson/gson/2.7/gson-2.7.jar
m2/com/ibm/icu/icu4j/53.1/icu4j-53.1.jar
m2/com/thoughtworks/proxytoys/proxytoys/1.0/proxytoys-1.0.jar
m2/commons-beanutils/commons-beanutils/1.9.2/commons-beanutils-1.9.2.jar
m2/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar
m2/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
m2/commons-io/commons-io/2.4/commons-io-2.4.jar
m2/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
m2/junit/junit/4.11/junit-4.11.jar
m2/org/apache/commons/commons-collections4/4.0/commons-collections4-4.0.jar
m2/org/apache/commons/commons-digester3/3.2/commons-digester3-3.2.jar
m2/org/apache/commons/commons-email/1.3.3/commons-email-1.3.3.jar
m2/org/apache/commons/commons-lang3/3.3.2/commons-lang3-3.3.2.jar
m2/org/apache/logging/log4j/log4j-api/2.1/log4j-api-2.1.jar
m2/org/apache/logging/log4j/log4j-core/2.1/log4j-core-2.1.jar
m2/org/apache/taglibs/taglibs-standard-impl/1.2.1/taglibs-standard-impl-1.2.1.jar
m2/org/apache/taglibs/taglibs-standard-spec/1.2.1/taglibs-standard-spec-1.2.1.jar
m2/org/mongodb/mongo-java-driver/2.12.4/mongo-java-driver-2.12.4.jar
m2/org/mongodb/morphia/morphia/1.3.2/morphia-1.3.2.jar
m2/org/slf4j/jcl-over-slf4j/1.7.7/jcl-over-slf4j-1.7.7.jar
m2/org/slf4j/slf4j-api/1.7.7/slf4j-api-1.7.7.jar
m2/org/springframework/data/spring-data-commons/1.8.0.RELEASE/spring-data-commons-1.8.0.RELEASE.jar
m2/org/springframework/data/spring-data-mongodb/1.5.0.RELEASE/spring-data-mongodb-1.5.0.RELEASE.jar
m2/org/springframework/spring-aop/4.0.5.RELEASE/spring-aop-4.0.5.RELEASE.jar
m2/org/springframework/spring-beans/4.0.5.RELEASE/spring-beans-4.0.5.RELEASE.jar
m2/org/springframework/spring-context/4.0.5.RELEASE/spring-context-4.0.5.RELEASE.jar
m2/org/springframework/spring-core/4.0.5.RELEASE/spring-core-4.0.5.RELEASE.jar
m2/org/springframework/spring-expression/4.0.5.RELEASE/spring-expression-4.0.5.RELEASE.jar
m2/org/springframework/spring-tx/3.2.9.RELEASE/spring-tx-3.2.9.RELEASE.jar
m2/org/springframework/spring-web/4.0.5.RELEASE/spring-web-4.0.5.RELEASE.jar
m2/org/springframework/spring-webmvc/4.0.5.RELEASE/spring-webmvc-4.0.5.RELEASE.jar
m2/xalan/serializer/2.7.1/serializer-2.7.1.jar
m2/xalan/xalan/2.7.1/xalan-2.7.1.jar
m2/xml-apis/xml-apis/1.3.04/xml-apis-1.3.04.jar

1 Answer

  • Is it possible to find unused jars?

    Yes! You can use the Apache Maven Dependency Plugin.

    You can run mvn dependency:analyze -DignoreNonCompile to find dependencies that are declared but unused and dependencies that are used but undeclared. Please check the full documentation, since you can customize exclusions, the phase in which the verification runs, and other options of this plugin.

    You can be as strict as you want; check the goals available for this plugin. Using <goal>analyze-duplicate</goal> you can also catch duplicated dependencies. For example, if you want your build to fail on "dependency errors", you can define this plugin in your pom.xml like:

    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-dependency-plugin</artifactId>
      <executions>
        <execution>
          <id>analyze-dependencies</id>
          <goals>
            <goal>analyze-duplicate</goal>
            <goal>analyze-only</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <failBuild>true</failBuild>
      </configuration>
    </plugin>

  • How about upgrading the libraries?

    Yes! For this task you can use the Versions Maven Plugin.

    To find new dependency updates you can use mvn versions:display-dependency-updates, which gives you a list of the latest versions for the dependencies in your pom.xml.

    You can also do a mvn versions:display-plugin-updates to find plugin updates.

    By default this is performed recursively; in case you don't want it to be recursive, you can use the -N flag.

    Putting it all together: mvn -N versions:display-dependency-updates versions:display-plugin-updates
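The answer above covers finding unused and outdated declared dependencies. The question's third point, which declared dependency has to be bumped when a transitive jar is the one flagged by a scanner, is not addressed there. As an added example that is not part of the original question or answer, the POSIX shell script below does two things with constructed input: it turns .m2-style jar paths like the ones listed in the question into groupId:artifactId:version coordinates, and it walks the text output of mvn dependency:tree to report which directly declared dependency pulls a given artifact in. The tree text embedded in the script is a constructed sample modelled on the plugin's output format, not real project output, and the function and variable names (coord_from_path, owner_of, SAMPLE_TREE) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or answer.
# Assumptions: jar paths look like the question's "m2/<group dirs>/<artifact>/<version>/<file>.jar",
# and the tree text has the shape `mvn dependency:tree` prints (the sample below is constructed).

# coord_from_path PATH -> prints groupId:artifactId:version
coord_from_path() {
    p="${1#m2/}"                 # drop the repository prefix used in the question
    p="${p%/*}"                  # drop the jar file name
    version="${p##*/}"; p="${p%/*}"
    artifact="${p##*/}"; p="${p%/*}"
    group=$(printf '%s' "$p" | tr '/' '.')
    printf '%s:%s:%s\n' "$group" "$artifact" "$version"
}

# Constructed sample of `mvn dependency:tree` output (not from a real project).
SAMPLE_TREE='[INFO] com.example:webapp:war:1.0-SNAPSHOT
[INFO] +- org.springframework.data:spring-data-mongodb:jar:1.5.0.RELEASE:compile
[INFO] |  +- org.mongodb:mongo-java-driver:jar:2.12.4:compile
[INFO] |  +- org.springframework:spring-tx:jar:3.2.9.RELEASE:compile
[INFO] |  \- org.springframework.data:spring-data-commons:jar:1.8.0.RELEASE:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.2:compile
[INFO] |  \- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] \- junit:junit:jar:4.11:test'

# owner_of groupId:artifactId [tree-file]
# Prints one line per occurrence of the target: the chain from the directly
# declared dependency down to the target, ending with the resolved version.
owner_of() {
    target="$1"
    { if [ $# -ge 2 ]; then cat "$2"; else printf '%s\n' "$SAMPLE_TREE"; fi; } |
    awk -v target="$target" '
        /^\[INFO\] / {
            line = substr($0, 8)                        # strip "[INFO] "
            pos = index(line, "- ")                     # connector "+- " or "\- "
            if (pos == 0 || (pos - 2) % 3 != 0) next    # root line, plugin banners, etc.
            depth = (pos + 1) / 3                       # "+- " => 1, "|  +- " => 2, ...
            n = split(substr(line, pos + 2), f, ":")    # group:artifact:type:version:scope
            if (n < 4) next
            ga = f[1] ":" f[2]
            stack[depth] = ga                           # current ancestor at this depth
            if (ga == target) {
                chain = ""
                for (i = 1; i < depth; i++) chain = chain stack[i] " -> "
                print chain ga ":" f[4]
            }
        }'
}

# Demo: map two of the question's jar paths to coordinates, then find who pulls them in.
for jar in m2/org/springframework/spring-tx/3.2.9.RELEASE/spring-tx-3.2.9.RELEASE.jar \
           m2/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar; do
    coord=$(coord_from_path "$jar")
    ga="${coord%:*}"                                    # drop the version for the tree lookup
    echo "$coord is pulled in via: $(owner_of "$ga")"
done
```

To use it on the real project, run mvn dependency:tree > tree.txt and call owner_of org.springframework:spring-tx tree.txt. The first element of each printed chain is an entry in your own pom.xml, so that is the dependency whose version must be raised (or excluded and replaced by an explicit newer dependency) to get rid of the flagged jar. The tree only shows what is resolved right now; to learn the minimum version of a related library that an upgraded direct dependency needs, look at that dependency's own pom for the new version.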
