[#7326] - Eclipse/STS Jasper studio plugin conflicts with dependencies

Category: Bug report
Priority: Normal
Status: New
Project:
Severity: Major
Resolution: Open
Component:
Reproducibility: Always
Assigned to:
1

After a large update to my codebase, the Jasper studio plugin on my STS/Eclipse stopped working. The main problem is that I'm not able to open jrxml files anymore. If I try, only a blank empty page opens up in my STS, whereas before my code was updated I was able to see the full jrxml layout editor.

After a very long investigation, I was able to get the jrxml editor working again, but in quite a laborious fashion. To be able to use the editor I have to roll back my pom.xml to the version it was at before the major codebase update. Of course my application won't work with the old pom.xml, but at least I can use the Jasper studio editor with it. Switching between these pom.xml files is so time consuming, due to its many side effects, that I would love to find a better solution.

Here's a list of the dependencies that got updated during the major code update:

- jackson databind 2.6.3 --> 2.7.3
- jackson core 2.6.3 --> 2.7.3
- jackson annotations 2.6.3 --> 2.7.3
- jackson-datatype-hibernate4 2.6.3 --> 2.7.3
- jackson-datatype-joda 2.6.3 --> 2.7.3
- waffle 1.6. --> 1.8.1
- spring-security.version 3.2.4. --> 4.0.4.RELEASE
- org.springframework.version 4.1.6. --> 4.2.5.RELEASE

I suspect that some of these are not compatible with the current version of the Jasper plugin?

v6.2.1
villekarjala

2 Comments:

#1

There seems to be a security issue with the Jackson versions prior to 2.7.4.
See https://bugzilla.redhat.com/show_bug.cgi?id=1328427
and
https://lists.fedoraproject.org/pipermail/package-announce/2016-May/1845...

Since it seems that JasperReports is not compatible with Jackson 2.7.*, we are not able to fix the security issue in our application.
Please update your dependency to Jackson to a recent, fixed version.

#2

Hi,

As far as the Jackson dependencies are concerned, we are not using the Jackson Dataformat XML artifact against which the CVE was reported.
And although we are compiling our library against version 2.1.4, I think there should be no issue if in your application, you simply use a newer version of Jackson, such as 2.7.4.

Have you tried it and it did not work? What was the error?

Thanks,
Teodor
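
The two comments above turn on which Jackson artifacts a build actually resolves, and at what version. The script below is an added example, not part of the original thread or of JasperReports: it reads `mvn dependency:tree` output and reports mixed Jackson versions, artifacts below 2.7.4 (the threshold stated in comment #1), and whether `jackson-dataformat-xml` (the artifact named in comment #2) is among them. The sample tree and its `com.example` project are constructed.

```python
import re

FIXED = (2, 7, 4)                             # threshold stated in comment #1
AFFECTED_ARTIFACT = "jackson-dataformat-xml"  # artifact named in comment #2

# Constructed sample of `mvn dependency:tree` output (not the reporter's build).
SAMPLE_TREE = """\
[INFO] com.example:reports-app:war:1.0-SNAPSHOT
[INFO] +- net.sf.jasperreports:jasperreports:jar:6.2.1:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.1.4:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.1.4:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.7.3:compile
[INFO] +- com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.7.3:compile
[INFO] \\- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:jar:2.7.3:compile
"""

def parse_tree(text):
    """Return {artifactId: version} for every com.fasterxml.jackson* artifact."""
    found = {}
    for line in text.splitlines():
        m = re.search(r"com\.fasterxml\.jackson\S*", line)
        if not m:
            continue
        # group:artifact:type[:classifier]:version:scope
        parts = m.group(0).split(":")
        if len(parts) >= 5:
            found[parts[1]] = parts[-2]
    return found

def version_tuple(version):
    """Leading numeric part of a version string as a tuple of ints."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(n) for n in m.group(0).split(".")) if m else ()

def audit(text):
    """Summarise the resolved Jackson artifacts in a dependency tree."""
    jackson = parse_tree(text)
    below = sorted(a for a, v in jackson.items() if version_tuple(v) < FIXED)
    return {
        "versions": jackson,
        # Jackson modules resolved at different versions can clash at runtime.
        "mixed_versions": len(set(jackson.values())) > 1,
        "below_fixed": below,
        "affected_artifact_exposed": AFFECTED_ARTIFACT in below,
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_TREE).items():
        print(f"{key}: {value}")
```
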
