[#7326] - Eclipse/STS Jasper studio plugin conflicts with dependencies

Category: Bug report
Priority: Normal
Status: New
Project:
Severity: Major
Resolution: Open
Component:
Reproducibility: Always
Assigned to:
1

After a large update to my codebase, the Jasper studio plugin on my STS/Eclipse stopped working. The main problem is that I'm not able to open jrxml files anymore. If I try that, only a blank empty page opens up in my STS, whereas before my code was updated, I was able to see the full jrxml layout editor.

After a very long investigation, I was able to get the jrxml editor working again, but in quite laboursome fashion. To be able to use the editor I have to roll back my pom.xml to the version it was before the major codebase update. Of course my application won't work with the old pom.xml, but at least I can use the jasper studio editor with it. Switching between these pom.xml files is just so time-consuming, due to the many side effects of that, that I would love to find a better solution.

Here's a list of the dependencies that got updated during the major code update:

- jackson databind 2.6.3 --> 2.7.3.
- jackson core 2.6.3 --> 2.7.3.
- jackson annotations 2.6.3 --> 2.7.3.
- jackson-datatype-hibernate4 2.6.3 --> 2.7.3.
- jackson-datatype-joda 2.6.3 --> 2.7.3.
- waffle 1.6. --> 1.8.1
- spring-security.version 3.2.4. --> 4.0.4.RELEASE
- org.springframework.version 4.1.6. --> 4.2.5.RELEASE

I suspect that some of these are not compatible with the current version of the jasper plugin?

v6.2.1
villekarjala

3 Comments:

#1

There seems to be a security issue with the Jackson versions prior to 2.7.4.
See https://bugzilla.redhat.com/show_bug.cgi?id=1328427
and
https://lists.fedoraproject.org/pipermail/package-announce/2016-May/1845...

Since it seems that Jasperreports is not compatible with Jackson 2.7.*, we are not able to fix the security issue in our application.
Please update your dependency on Jackson to a recent, fixed version.

#2

Hi,

As far as the Jackson dependencies are concerned, we are not using the Jackson Dataformat XML artifact against which the CVE was reported.
And although we are compiling our library against version 2.1.4, I think there should be no issue if, in your application, you simply use a newer version of Jackson, such as 2.7.4.

Have you tried it and it did not work? What was the error?

Thanks,
Teodor

#3

Hi,
No, I did not try it yet due to the other compatibility issues with Apache POI 3.15.
I just checked the dependencies and the bug reports against them and saw this issue here, which I interpreted to mean that jasperreports is not compatible with the 2.7.x releases of the jackson libraries.
The POM file of jasperreports defines a dependency on jackson 2.1.4 - that's February 2013. If you think there is no problem with compatibility, then there shouldn't be one if you update your dependency to a security-fixed version ;-)
Since you have all the automated test cases running with your build chain, it should be far easier for you to check if everything works with the new jackson library version than it is for us.
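
One way to check which Jackson artifacts a build actually resolves, as an added example that is not part of the original thread or of JasperReports: it scans `mvn dependency:tree` text output, flags the Jackson Dataformat XML artifact below 2.7.4 (the artifact and version named in the comments above), and reports mixed Jackson minor versions. The sample tree and the `com.example` coordinates are constructed.

```python
import re

# One artifact line of `mvn dependency:tree`, e.g.
# "[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.7.3:compile"
# (lines that carry a classifier are not handled by this pattern)
COORD = re.compile(r"(com\.fasterxml\.jackson[\w.]*):([\w.-]+):jar:([^:\s]+):(\w+)")

# Assumptions taken from the thread: the CVE was reported against
# Jackson Dataformat XML, and 2.7.4 is the release named as fixed.
AFFECTED_ARTIFACT = "jackson-dataformat-xml"
FIXED = (2, 7, 4)

# Constructed sample output; com.example coordinates are hypothetical.
SAMPLE_TREE = """\
[INFO] com.example:reports-app:war:1.0
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.7.3:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-annotations:jar:2.7.3:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.7.3:compile
[INFO] \\- com.example:legacy-export:jar:1.0:compile
[INFO]    \\- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:jar:2.6.3:compile
"""

def parse_version(text):
    """Turn '2.7.3' or '2.7.3-SNAPSHOT' into a comparable tuple (2, 7, 3)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums) + (0,) * (3 - len(nums))

def audit(tree_text):
    """Return (resolved, findings) for the Jackson artifacts in the tree."""
    resolved = {}
    for _group, artifact, version, _scope in COORD.findall(tree_text):
        resolved[artifact] = version
    findings = []
    xml_version = resolved.get(AFFECTED_ARTIFACT)
    if xml_version and parse_version(xml_version) < FIXED:
        findings.append(f"{AFFECTED_ARTIFACT} {xml_version} is older than 2.7.4")
    # Jackson modules are released together; mixed minors often break at runtime.
    if len({parse_version(v)[:2] for v in resolved.values()}) > 1:
        pairs = ", ".join(f"{a}={v}" for a, v in sorted(resolved.items()))
        findings.append("mixed Jackson minor versions: " + pairs)
    return resolved, findings

if __name__ == "__main__":
    resolved, findings = audit(SAMPLE_TREE)
    for artifact, version in sorted(resolved.items()):
        print(f"{artifact:28} {version}")
    for finding in findings:
        print("FINDING:", finding)
```

Feed it real output with `mvn dependency:tree > tree.txt` and pass the file contents to `audit`; a tree that holds only the core Jackson modules produces no finding for the XML artifact.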
