bump XStream to >= 1.4.21 #587

@vladak

Chronicle map currently (optionally) depends on XStream 1.4.20 which is impacted by CVE-2024-47072 and was resolved in 1.4.21.

Chronicle map consumers which exercise the getAll()/putAll() functionality that uses XStream have to use the XStream dependency, which has to be in line with whatever XStream version Chronicle map uses. Because of that, the consumers would get flagged for security, however they cannot bump XStream themselves until Chronicle map does.

When investigating the upgrade, I found that XStream behavior changed from 1.4.20 to 1.4.21. In particular, the call to moveDown() in AbstractChronicleMapConverter's unmarshall() seems to be extraneous and in fact erroneous as it descends one node too deep:

With 1.4.20 the moveDown() call stayed at the same node for some reason, with 1.4.21 it moves on, hence causing a deserialization error in

if (!nodeName0.equals("entry"))
    throw new ConversionException("unable to convert node named=" + nodeName0);

This leads to a number of failing tests in CHMUseCasesTest. When the moveDown() call is removed, the tests pass once again.

Now, with the update to 1.4.21 there is a bunch of other tests that fail in Chronicle map. Most of these seem to pertain to XStream requirements of specifying key size:

[ERROR] Failures: 
[ERROR]   CHMUseCasesTest.testLongValueLongValueMap:2214 expected:<1> but was:<61>
[ERROR]   CHMUseCasesTest.testLongValueLongValueMap:2214 expected:<1> but was:<64>
[ERROR] Errors: 
[ERROR]   OffHeapByteArrayExampleTest.beforeClass:27 » IllegalState Key size in serialized form must be configured in ChronicleMap, at least approximately.
Use builder.averageKey()/.constantKeySizeBySample()/.averageKeySize() methods to configure the size
[ERROR]   PortfolioValueTest.test:98 » IllegalState Key size in serialized form must be configured in ChronicleMap, at least approximately.
Use builder.averageKey()/.constantKeySizeBySample()/.averageKeySize() methods to configure the size
[ERROR]   ChronicleMapImportExportTest.testWithLongValue:217 » IllegalState Value size in serialized form must be configured in ChronicleMap, at least approximately.
Use builder.averageValue()/.constantValueSizeBySample()/.averageValueSize() methods to configure the size
[ERROR]   DataKeyValueTest.dataKeyValueTest:19 » IllegalState Value size in serialized form must be configured in ChronicleMap, at least approximately.
Use builder.averageValue()/.constantValueSizeBySample()/.averageValueSize() methods to configure the size
[ERROR]   Issue354Test.reproduce:26 » IllegalState Key size in serialized form must be configured in ChronicleMap, at least approximately.
Use builder.averageKey()/.constantKeySizeBySample()/.averageKeySize() methods to configure the size
[ERROR]   Issue354bTest.build_toFile:28 » IllegalState Key size in serialized form must be configured in ChronicleMap, at least approximately.
Use builder.averageKey()/.constantKeySizeBySample()/.averageKeySize() methods to configure the size
[ERROR]   LostKeyTest.lostkeysTest:26 » IllegalArgument java.util.ConcurrentModificationException
[ERROR]   NegativeIntegerKeyTest.testNegativeIntegerKey:16 NoClassDefFound Could not initialize class net.openhft.chronicle.map.ChronicleMapTest
[ERROR]   RecoverTest.testCorruptedEntryRecovery:117 ExceptionInInitializer
[ERROR]   ValueInterfaceWithEnumTest.testValueInterface:24 » IllegalArgument java.util.ConcurrentModificationException
[ERROR]   ChecksumEntryTest.testChecksumEntriesWithValueInterface:30 » IllegalState Value size in serialized form must be configured in ChronicleMap, at least approximately.
Use builder.averageValue()/.constantValueSizeBySample()/.averageValueSize() methods to configure the size
[ERROR]   PutIfAbsentNoGarbageTest.testPutIfAbsentDefault:48 » IllegalArgument java.util.ConcurrentModificationException
[ERROR]   PutIfAbsentNoGarbageTest.testPutIfAbsentUsingValue:26 » IllegalArgument java.util.ConcurrentModificationException
[INFO] 
[ERROR] Tests run: 1303, Failures: 2, Errors: 13, Skipped: 78

The failing tests in CHMUseCasesTest I could not reproduce when running the tests from IDEA.

Also, while there the hard-coded version on

"<dependency>\n" +
" <groupId>xstream</groupId>\n" +
" <artifactId>xstream</artifactId>\n" +
" <version>1.2.2</version>\n" +
"</dependency>\n" +
should be updated.
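
As an added example (not part of the original issue and not Chronicle Map code): a small Python check that finds XStream dependency declarations older than 1.4.21, including the legacy `xstream:xstream` coordinates embedded in a Java string literal like the hard-coded 1.2.2 snippet above. The function names and both sample inputs are constructed for illustration.

```python
import re

FIXED = (1, 4, 21)  # release the issue names as resolving CVE-2024-47072
# Current Maven groupId plus the legacy one in the hard-coded 1.2.2 snippet.
XSTREAM_GROUPS = {"com.thoughtworks.xstream", "xstream"}

def _tag(block, name):
    """Text of the first <name>...</name> element in block, or None."""
    m = re.search(rf"<{name}>\s*([^<]*?)\s*</{name}>", block)
    return m.group(1) if m else None

def parse_version(text):
    """Numeric prefix of a Maven version as a tuple; None if missing or a ${property}."""
    m = re.match(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(p) for p in m.group().split(".")) if m else None

def find_xstream(text):
    """Return (groupId, version, status) for every XStream <dependency> block.
    Also matches XML embedded in Java string literals, since the tags stay intact."""
    findings = []
    for block in re.findall(r"<dependency>(.*?)</dependency>", text, re.S):
        group = _tag(block, "groupId")
        if _tag(block, "artifactId") != "xstream" or group not in XSTREAM_GROUPS:
            continue
        raw = _tag(block, "version")
        ver = parse_version(raw)
        if ver is None:
            status = "unknown"  # resolve the property or managed version by hand
        else:
            status = "ok" if ver >= FIXED else "outdated"
        findings.append((group, raw, status))
    return findings

# Constructed samples: a pom fragment, and Java source shaped like the issue's snippet.
SAMPLE_POM = """<dependency>
  <groupId>com.thoughtworks.xstream</groupId>
  <artifactId>xstream</artifactId>
  <version>1.4.20</version>
</dependency>"""
SAMPLE_JAVA = r'''"<dependency>\n" +
" <groupId>xstream</groupId>\n" +
" <artifactId>xstream</artifactId>\n" +
" <version>1.2.2</version>\n" +
"</dependency>\n" +'''

if __name__ == "__main__":
    for finding in find_xstream(SAMPLE_POM) + find_xstream(SAMPLE_JAVA):
        print(finding)
```

Running it over source files as well as pom.xml matters here because a version pinned inside a string literal is not visible to dependency-tree based scanners.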
