serverlessworkflow / sdk-java Goto Github PK
View Code? Open in Web Editor NEWJava SDK for Serverless Workflow
Home Page: http://serverlessworkflow.io
License: Apache License 2.0
sdk-java's People
Contributors
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "mend-bolt-for-github[bot]")
Stargazers
Watchers
Forkers
tsurdilo catherleen eeinfo ricardozanini geored tommd-test wittech antmendoza krutarththakkar janaganh asquare14 ghuntley soniasingla manick02 bhamail akshaykotagal mswiderski gautric jiangrongxin thaingo fjtirado hbelmiro joshuayan spolti vaniharipriya heavenlxj iyerajesh startime-h davideduma bancolombia wmedvede laiqiuhua tina-realm junjiem radtriste porcelli marianmacik visheshruparelia fleetingold awssa1412 madhubabu5 tianpeijunsdk-java's Issues
EventDefinition does not have dataOnly attribute
What happened:
Cannot find dataOnly attribute in EventDefinition
What you expected to happen:
EventDefinition to have a boolean dataOnly attribute as specified in the spec https://github.com/serverlessworkflow/specification/blob/main/specification.md#event-definition
How to reproduce it:
This is the decompiled EventDefinition class in version 4.0.2
package io.serverlessworkflow.api.events;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.validation.Valid;
import javax.validation.constraints.Size;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonPropertyDescription;
import com.fasterxml.jackson.annotation.JsonPropertyOrder;
import com.fasterxml.jackson.annotation.JsonValue;
import io.serverlessworkflow.api.correlation.CorrelationDef;
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonPropertyOrder({
"name",
"source",
"type",
"correlation",
"kind",
"metadata"
})
public class EventDefinition implements Serializable
{
/**
* Event Definition unique name
*
*/
@JsonProperty("name")
@JsonPropertyDescription("Event Definition unique name")
@Size(min = 1)
private java.lang.String name;
/**
* CloudEvent source UUID
*
*/
@JsonProperty("source")
@JsonPropertyDescription("CloudEvent source UUID")
private java.lang.String source;
/**
* CloudEvent type
*
*/
@JsonProperty("type")
@JsonPropertyDescription("CloudEvent type")
private java.lang.String type;
/**
* CloudEvent correlation definitions
*
*/
@JsonProperty("correlation")
@JsonPropertyDescription("CloudEvent correlation definitions")
@Size(min = 1)
@Valid
private List<CorrelationDef> correlation = new ArrayList<CorrelationDef>();
/**
* Defines the events as either being consumed or produced by the workflow. Default is consumed
*
*/
@JsonProperty("kind")
@JsonPropertyDescription("Defines the events as either being consumed or produced by the workflow. Default is consumed")
private EventDefinition.Kind kind = EventDefinition.Kind.fromValue("consumed");
/**
* Metadata
*
*/
@JsonProperty("metadata")
@JsonPropertyDescription("Metadata")
@Valid
private Map<String, String> metadata;
private final static long serialVersionUID = -7106400632209024391L;
/**
* Event Definition unique name
*
*/
@JsonProperty("name")
public java.lang.String getName() {
return name;
}
/**
* Event Definition unique name
*
*/
@JsonProperty("name")
public void setName(java.lang.String name) {
this.name = name;
}
public EventDefinition withName(java.lang.String name) {
this.name = name;
return this;
}
/**
* CloudEvent source UUID
*
*/
@JsonProperty("source")
public java.lang.String getSource() {
return source;
}
/**
* CloudEvent source UUID
*
*/
@JsonProperty("source")
public void setSource(java.lang.String source) {
this.source = source;
}
public EventDefinition withSource(java.lang.String source) {
this.source = source;
return this;
}
/**
* CloudEvent type
*
*/
@JsonProperty("type")
public java.lang.String getType() {
return type;
}
/**
* CloudEvent type
*
*/
@JsonProperty("type")
public void setType(java.lang.String type) {
this.type = type;
}
public EventDefinition withType(java.lang.String type) {
this.type = type;
return this;
}
/**
* CloudEvent correlation definitions
*
*/
@JsonProperty("correlation")
public List<CorrelationDef> getCorrelation() {
return correlation;
}
/**
* CloudEvent correlation definitions
*
*/
@JsonProperty("correlation")
public void setCorrelation(List<CorrelationDef> correlation) {
this.correlation = correlation;
}
public EventDefinition withCorrelation(List<CorrelationDef> correlation) {
this.correlation = correlation;
return this;
}
/**
* Defines the events as either being consumed or produced by the workflow. Default is consumed
*
*/
@JsonProperty("kind")
public EventDefinition.Kind getKind() {
return kind;
}
/**
* Defines the events as either being consumed or produced by the workflow. Default is consumed
*
*/
@JsonProperty("kind")
public void setKind(EventDefinition.Kind kind) {
this.kind = kind;
}
public EventDefinition withKind(EventDefinition.Kind kind) {
this.kind = kind;
return this;
}
/**
* Metadata
*
*/
@JsonProperty("metadata")
public Map<String, String> getMetadata() {
return metadata;
}
/**
* Metadata
*
*/
@JsonProperty("metadata")
public void setMetadata(Map<String, String> metadata) {
this.metadata = metadata;
}
public EventDefinition withMetadata(Map<String, String> metadata) {
this.metadata = metadata;
return this;
}
public enum Kind {
CONSUMED("consumed"),
PRODUCED("produced");
private final java.lang.String value;
private final static Map<java.lang.String, EventDefinition.Kind> CONSTANTS = new HashMap<java.lang.String, EventDefinition.Kind>();
static {
for (EventDefinition.Kind c: values()) {
CONSTANTS.put(c.value, c);
}
}
private Kind(java.lang.String value) {
this.value = value;
}
@Override
public java.lang.String toString() {
return this.value;
}
@JsonValue
public java.lang.String value() {
return this.value;
}
@JsonCreator
public static EventDefinition.Kind fromValue(java.lang.String value) {
EventDefinition.Kind constant = CONSTANTS.get(value);
if (constant == null) {
throw new IllegalArgumentException(value);
} else {
return constant;
}
}
}
}
Anything else we need to know?:
Environment:
- Specification version used: Using serverlessworkflow-api-4.0.2.final.jar
Improve DSL validation
What would you like to be added:
Improve validation (https://github.com/serverlessworkflow/sdk-java/blob/main/validation/src/main/java/io/serverlessworkflow/validation/WorkflowValidatorImpl.java) to include more checks.
Why is this needed:
Currently only a small portion of the DSL is being validated by workflow validation
List of checks to add:
- Check that there is a state with name of the workflow start property
- Make sure that if a state defines retires (retry definition) that it references a valid one
- Remove all the checks if actions are null on states (operation/parallel/foreach/event) since actions can be empty / not defined. If action is not null it should not be empty.
- Switch state: for both data based and event based conditions they can contain end definitions. check them to add to list of end definitions
- Parallel state should have at least 2 branches defined. If it's less it should be a validation error
- InjectState - make sure if data is defined its not empty. if is it should be a validation error
Function Parameters in Operation State should support Json as objects, not only literals
What happened:
When trying to parse something like:
{
"id": "petstore",
"version": "1.0",
"name": "Send CloudEvent after creating Pluto",
"events": [
{
"name": "Complete",
"type": "complete",
"kind": "produced"
}
],
"functions": [
{
"name": "addPet",
"operation": "openapi/specs/petstore.json#addPet"
}
],
"states": [
{
"name": "AddPluto",
"type": "operation",
"start": true,
"actions": [
{
"functionRef": {
"refName": "addPet",
"parameters": {
"body": {
"name": "Pluto"
}
}
}
}
],
"end": {
"produceEvents": [
{
"eventRef": "Complete"
}
]
}
}
]
}This operation is expecting a parameter of type Pet, which is something like:
"Pet": {
"type": "object",
"required": [
"name",
"photoUrls"
],
"properties": {
"id": {
"type": "integer",
"format": "int64"
},
"category": {
"$ref": "#/definitions/Category"
},
"name": {
"type": "string",
"example": "doggie"
},
"photoUrls": {
"type": "array",
"xml": {
"wrapped": true
},
"items": {
"type": "string",
"xml": {
"name": "photoUrl"
}
}
},
"tags": {
"type": "array",
"xml": {
"wrapped": true
},
"items": {
"xml": {
"name": "tag"
},
"$ref": "#/definitions/Tag"
}
},
"status": {
"type": "string",
"description": "pet status in the store",
"enum": [
"available",
"pending",
"sold"
]
}
},
"xml": {
"name": "Pet"
}
}It's a complex type for this input parameter, as defined in the specification:
"parameters": [
{
"in": "body",
"name": "body",
"description": "Pet object that needs to be added to the store",
"required": true,
"schema": {
"$ref": "#/definitions/Pet"
}
}
],The SDK should parse this as a JSON object, but instead, I'm getting two parameters like body: { and name: Pluto.
What you expected to happen:
Two have only one parameter of type JSON.
How to reproduce it:
Just try to parse the mentioned spec.
Anything else we need to know?:
Nops
Environment: Linux/IntelliJ
Specification version used: 0.5
Wrong ISO8601 durations
What happened:
@tsurdilo Following our discussion on the spec repo, it configured my unit tests to run the examples.
My tests fail with the booklending.json file, because an ISO 8601 duration is I believe in an invalid format: PT2W instead of P2W. Am I correct to assume it is a typo?
What you expected to happen:
When ISO 8601 values specify a period of time, they should be prefixed with 'P' instead of 'PT'
How to reproduce it:
Read the 'timeDelay' property with an ISO 8601 duration parser.
Inconsistencies between the JSON schemas and the specification
I found some inconsistencies between the JSON schemas and the specification.
Can you please clarify which one is correct so I can submit a fix?
Spec version: 0.8
workflow.json
| Property | Schema | Specification |
|---|---|---|
id |
Required | Required if key not defined |
name |
Required | Not required |
version |
Required | Not required |
states/switchstate.json
| Property | Schema | Specification |
|---|---|---|
default |
Required | defaultCondition is required. Seems to be a typo |
switchconditions/eventcondition.json
| Property | Schema | Specification |
|---|---|---|
transition |
Required | transition (x)or end is required |
branches/branch.json
| Property | Schema | Specification |
|---|---|---|
actions |
Not required | Required |
states/foreach.json
| Property | Schema | Specification |
|---|---|---|
actions |
Not required | Required |
events/onevents.json
| Property | Schema | Specification |
|---|---|---|
actions |
Not required | Required |
error/error.json
| Property | Schema | Specification |
|---|---|---|
error |
Required | error is not a property |
transition |
Required | transition or end is required |
retry/retrydef.json
| Property | Schema | Specification |
|---|---|---|
maxAttempts |
Required | Not required |
end/continueas.json
| Property | Schema | Specification |
|---|---|---|
kind |
Required | Not a property |
Change getAdditionalProperties by getName and getValue.
What would you like to be added:
Currently, this yaml
taskList:
type: array
items:
type: object
title: TaskItem
minProperties: 1
maxProperties: 1
additionalProperties:
$ref: '#/$defs/task'
is translated to
@Generated("jsonschema2pojo")
public class TaskItem implements Serializable
{
@JsonIgnore
@Valid
private Map<String, Task> additionalProperties = new LinkedHashMap<String, Task>();
private final static long serialVersionUID = 2309610577983775837L;
@JsonAnyGetter
public Map<String, Task> getAdditionalProperties() {
return this.additionalProperties;
}
@JsonAnySetter
public void setAdditionalProperty(String name, Task value) {
this.additionalProperties.put(name, value);
}
public TaskItem withAdditionalProperty(String name, Task value) {
this.additionalProperties.put(name, value);
return this;
}
}
which ideally should be
@Generated("jsonschema2pojo")
public class TaskItem implements Serializable
{
@JsonIgnore
@Valid
private Map<String, Task> additionalProperties = new LinkedHashMap<String, Task>();
private final static long serialVersionUID = 2309610577983775837L;
private String name;
private Task task;
public Task getTask() {
return task;
}
public void setTask(Task task) {
this.task = task;
}
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
}
Why is this needed:
To make API more usable
DefaultCondition for Swith state is mandatory, but the SDK recognizes as valid a file not including it
What would you like to be added:
A check that throws a parsin error if default condition is not there for swith state
Why is this needed:
To avoid different runtimes to implement that check
annotations attribute is missing in the SDK
What happened:
spec defines annotations attribute on the workflow but it does not exist in the SDK
https://github.com/serverlessworkflow/specification/blob/main/specification.md#Workflow-Definition-Structure
What you expected to happen:
annotations should be available in SDK
How to reproduce it:
use SDK to parse any workflow that uses annotations attribute, it won't be available
Define Fluent API to build 10.0 DSL workflows programatically
What would you like to be added:
A fluent API to easily write workflow definitions programatically
Why is this needed:
The builders generated by the json schema parser are cool, but too verbose. It will better to build a wrapper API, which, using these builders internally, is more "fluent"
Start printed as io.serverlessworkflow.api.start.Start@....
What happened:
When trying to create a Workflow object to convert it to JSON or YAML, the Start object is not properly formatted. I get an output like:
id: "helloworld"
name: "Hello World Workflow"
description: "Inject Hello World"
version: "1.0"
start: "io.serverlessworkflow.api.start.Start@66b6873f"
or in JSON:
{
"id" : "helloworld",
"name" : "Hello World Workflow",
"description" : "Inject Hello World",
"version" : "1.0",
"start" : "io.serverlessworkflow.api.start.Start@66b6873f",
What you expected to happen:
The output in YAML should be something like:
start:
stateName: Hello State
or
start: Hello State
How to reproduce it:
Workflow workflow =
new Workflow()
.withId(...)
.withName(...)
.withVersion(...)
.withStates(states)
.withSpecVersion(...)
.withDescription(...);
Start start = new Start();
start.setStateName("Hello State");
workflow.withStart(start);
System.out.println(Workflow.toJson(workflow));
System.out.println(Workflow.toYaml(workflow));
There is a state with that same name on the list of states, which is properly formatted:
"states" : [ {
"data" : {
"result" : "Hello World!"
},
"usedForCompensation" : false,
"name" : "Hello State",
"type" : "inject",
"onErrors" : [ ]
} ]
My full formatted output in YAML is:
{
"id" : "helloworld",
"name" : "Hello World Workflow",
"description" : "Inject Hello World",
"version" : "1.0",
"start" : "io.serverlessworkflow.api.start.Start@c4cceb",
"specVersion" : "0.8",
"expressionLang" : "jq",
"events" : [ ],
"functions" : [ ],
"retries" : [ ],
"errors" : [ ],
"secrets" : [ ],
"states" : [ {
"data" : {
"result" : "Hello World!"
},
"usedForCompensation" : false,
"name" : "Hello State",
"type" : "inject",
"onErrors" : [ ]
} ]
}
Anything else we need to know?:
I don't think so.
Environment:
- Specification version used:
4.0.1.Final
Add workflow utilities
What would you like to be added:
Add utility methods that implementors can use instead of having to write it themselves.
Ideas such as:
- getStartingState
- getStatesByType
- getNextState
- getConsumedEvents
- getProducedEvents
- getFunctionsDefsForAction
- getActionsForFunctionDef
- ...
Key property is missing in the Workflow.
What would you like to be added:
The 'key' property is missing in the sdk.
Why is this needed:
https://github.com/serverlessworkflow/specification/blob/main/specification.md#workflow-definition-structure
Version 5.0.0-SNAPSHOT release notes
Hi, I was trying to upgrade the SDK's dependency from 4.0.3-FINAL to 5.0.0-SNAPSHOT but before I do that, I wanted to know if are there any breaking changes etc. I tried searching for the release notes but could not find it. Can someone help?
ignore
ignore
Retry definition validation doesn't work
Given:
Workflow definition to be validated
{
"id": "workflow_1",
"name": "workflow_1",
"description": "workflow_1",
"version": "1.0",
"specVersion": "0.8",
"start": "Task1",
"functions": [
{
"name": "increment",
"type": "custom",
"operation": "worker"
}
],
"retries": [
{
"maxAttempts": 3
}
],
"states": [
{
"name": "Task1",
"type": "operation",
"actionMode": "sequential",
"actions": [
{
"functionRef": {
"refName": "increment",
"arguments": {
"input": "some text"
}
},
"retryRef": "const",
"actionDataFilter": {
"toStateData": "${ .result }"
}
}
],
"end": true
}
]
}Expected result:
Validation failed (because of name of RetryDefinition missed)
Actual result:
Validation passed.
The same result(validation passed) if 'name' field is empty or/and maxAttempts not defined.
According to specification 'name ' is required and maxAttempts not.
But in the retrydef.json schema they are required both.
Could you please support us in this question? May be we miss something?
Mis-match between spec and implementation for switch state condition
What happened:
Currently, the SDK model defines data conditions of switch states as requiring a transition, this doesn't match the spec as it's outlined that either end or transition can be specified
Spec: https://github.com/serverlessworkflow/specification/blob/0.8.x/specification.md#switch-state-data-conditions
Implementation:
What you expected to happen:
SDK adheres to spec as defined
https://github.com/serverlessworkflow/specification/blob/0.8.x/specification.md#switch-state-data-conditions
Environment:
- Specification version used: 0.8
Get Svg Diagram from test
What happened:
Don't create SVG. This is the output SVG for "helloworld"
What you expected to happen:
this output is expected or something like that
How to reproduce it:
When to use WorkflowDiagramTest.testSpecExamplesParsing
Anything else we need to know?:
Not yet
Environment:
Java 11
Apache Maven 3.8.6
- Specification version used: branch main version
4.0.x branch has reported CVEs in Maven Central (CVE-2017-5929 and CVE-2022-45688)
What happened:
See https://mvnrepository.com/artifact/io.serverlessworkflow/serverlessworkflow-api/4.0.3.Final
CVEs:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45688
Anything else we need to know?:
Also, we need to cherry-pick the last CVE fixed here #193
Environment:
- Specification version used:
Dependency 'org.json' has vulnerabilities
What happened:
Dependency org.json is a transitive dependency from everit-json-schema that has vulnerabilities (CVE Name: Cx78f40514-81ff)
The everit-json-schema maintainer released a new version fixing it: https://github.com/everit-org/json-schema/releases
Reactive api rest for get SVG
What would you like to be added:
Reactive api rest for get SVG
Why is this needed:
Interact with the application without unit tests
Jakarta update
Spring Boot 3 is out and Quarkus 3 should be really soon and both frameworks migrated to jakarta libraries.
Would it be possible to update the codebase to use jakarta in the next version ?
Or try to maintain 2 versions: one with javax and one with jakarta ?
The problem is mainly with the validation-api library dependency
Add timeouts update from spec
timeouts update - serverlessworkflow/specification@53e932c
How to use "produceEventRef", "consumeEventRef" at EventRef
What is the question:
In serverless workflow specification EventRef Definition has "produceEventRef", "consumeEventRef", "consumeEventTimeout" properties.
https://github.com/serverlessworkflow/specification/blob/main/specification.md#eventref-definition
How can I use these properties in sdk-java?
Where to find 7.0.0.Final build
Where to find 7.0.0.Final build:
Hi,
Maven repository only shows 5.0.0.Final build
But the Readme documentation mentions 7.0.0.Final.
Where can we use that build from?
Add better code formatting and license header checks
What would you like to be added:
We should define better code formatting and license header checks
Why is this needed:
WorkflowValidator validate Wrokflow.tojson(workflow) failed
What happened: A Workflow object does not contain the events property,when use Workflow.tojson() generate JSON strings,The strings contains “ errors:[]”. If you use workflowValidator.setSource("WORKFLOW_MODEL_JSON").isValid(), you can get an error massage, such as "msg": "[{"message":"#/errors: expected type: JSONObject, found: JSONArray","type":"schemavalidation"}]"
What you expected to happen:
The Json strings do not contain " errors :[]", or validate success
How to reproduce it:
Anything else we need to know?:
Environment:
- Specification version used:
Add more options to diagram generation
What would you like to be added:
Add more options to diagram generation. Some ideas include
- add option to display diagram vertically/horizontally
- add option to define the min/max size of the generated diagram
- add ability to display actions (service invocations)
- add custom node representations for different states
Why is this needed:
to improve diagram generation
Automatically generate serializers and deserializers
What would you like to be added:
Replace harcoded serializers by automatically generated ones
Why is this needed:
Current de/serializers are hardcoded, which is error promt
grantType "resourceOwner" mentioned in 0.8 but not supported in sdk
What is the question:
GrantType "resourceOwner" is not supported by 4.0.5 java sdk but the spec 0.8 refers to "resourceOwner" for userName field
https://github.com/serverlessworkflow/specification/blob/0.8.x/specification.md#oauth2-properties-definition
https://github.com/serverlessworkflow/specification/blob/0.8.x/schema/auth.json#L191
public static enum GrantType {
PASSWORD("password"),
CLIENT_CREDENTIALS("clientCredentials"),
TOKEN_EXCHANGE("tokenExchange");
private final String value;
grantType "resourceOwner" mentioned in 0.8 but not supported in sdk 4.0.5-FINAL
What happened: grantType "resourceOwner" mentioned in 0.8 but not supported in sdk
What you expected to happen: resourceOwner support should be present
How to reproduce it: Add grantType as "resourceOwner"
Anything else we need to know?:
Environment:
- Specification version used:
- 4.0.5-FINAL java sdk spec 0.8
Need the fix to be available 4.0.x as we are using 0.8
ref: #364
Retry does not have increment that is defined in 0.6 version of the spec
What happened:
Spec version 0.6 defines that retries have increment - a static value appended to each retry attempt but it does not existing is Java SDK. Most likely caused by not having it defined in the def json file https://github.com/serverlessworkflow/sdk-java/blob/main/api/src/main/resources/schema/retry/retrydef.json
What you expected to happen:
Increment should be part of retry definition of Java SDK
How to reproduce it:
just use Java SDK and look at the retry definition
Published version 4.0.3.Final does not contains the latest changes
What happened:
The artifact published into maven central repository seems that is not compiled with the latest changes.
How to reproduce it:
Download the binary from:
- https://repo1.maven.org/maven2/io/serverlessworkflow/serverlessworkflow-validation/4.0.3.Final/serverlessworkflow-validation-4.0.3.Final.jar
- https://repo1.maven.org/maven2/io/serverlessworkflow/serverlessworkflow-validation/4.0.3.Final/serverlessworkflow-validation-4.0.3.Final-sources.jar
And review if the latest changes are applied.
For example, If you go to WorkflowValidatorImpl.java file to line 333, the code must be the next:
if (!haveFunctionDefinition(
callbackState.getAction().getFunctionRef().getRefName(), functions)) {
addValidationError(
"CallbackState action function ref does not reference a defined workflow function definition",
ValidationError.WORKFLOW_VALIDATION);
}
But the code seems that is the old version.
Environment:
- Specification version used: serverlessworkflow-validation-4.0.3.Final
Validation missing out on refname in foreach>actions
What happened:
Validation passed
What you expected to happen:
Validation Fail
How to reproduce it:
use this yaml for validation
id: Test
version: "1.0"
specVersion: "0.8"
name: Test
description: Test
functions:
- name: Test
states:
- name: TestingForEach
type: foreach
inputCollection: "${ .archives }"
iterationParam: archive
outputCollection: "${ .output}"
actions:
- functionRef:
refName: DoesNotExist
end:
terminate: true
Anything else we need to know?:
for type operation, the functionRef will be checked against the list of functions provided at the top of the file however the validation is missing if the type is foreach
Environment:
- Specification version used: v0.8
Remove unnecessary version tags from pom.xml files
What would you like to be added:
We would like to remove the unnecessary <version>${project.parent.version}</version> tags from the pom.xml files in this repository, namely:
- api/pom.xml
- diagram/pom.xml
- spi/pom.xml
- utils/pom.xml
- validation/pom.xml
Why is this needed:
Maven already takes the parent version by default if not specified. Additionally the pom is less cluttered without it and it also sometimes breaks our automation, which doesn't expect this.
Migration to new DSL (Specification 1.0.0)
What would you like to be added:
Make Java SDK compatible with new DSL
Why is this needed:
This is needed to be able to operate with files following the new DSL
Error parsing Oauth properties in cncf spec using java sdk
Discussed in serverlessworkflow/specification#857
Originally posted by mahith2108 May 23, 2024
Hi,
we are using Java sdk version "4.0.5.Final" and spec version: 0.8 as suggested (https://github.com/serverlessworkflow/sdk-java)
I am trying to define Oauth properties using "auth" field in my spec as follows based on serverlessworkflow/specification#675
"auth":[
{ "name" : "serviceCloud",
"scheme": "oauth2",
"properties":{
"scopes": ["$$$$XXXMMMMM"],
"audiences":["%%%XXXXXXX"]
}
}]while parsing the spec using Workflow.fromSource("") I am getting following error.
Could not convert markup to Workflow: Unrecognized field "scopes" (class io.serverlessworkflow.api.auth.BasicAuthDefinition), not marked as ignorable (3 known properties: "password", "username", "metadata"])
at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: io.serverlessworkflow.api.Workflow["auth"]->io.serverlessworkflow.api.auth.BasicAuthDefinition["scopes"])
we have tried following spec as well but the authDefinition.getOauth() is coming as null.
"auth":[
{ "name" : "serviceCloud",
"scheme": "oauth2",
"oauth":{
"scopes": ["%%%%%X"],
"audiences":["%%%XXXXXX"]
}
}]@JsonPropertyOrder({"name", "scheme", "basicauth", "bearerauth", "oauth"})
public class AuthDefinition implements Serializable {Started SDK for java
i am trying compile SDK java but i was getting error because IDE not found JAR.
For example:
import io.serverlessworkflow.api.Workflow;
import io.serverlessworkflow.api.actions.Action;
import io.serverlessworkflow.api.auth.AuthDefinition;
import io.serverlessworkflow.api.branches.Branch;
this jar not exists in the dependency maven.
I want to become contributor but i not know how compile SDK and use.
the readme document is not enough. something is missing
Thanks
Add schema validation
This is a follow up of #359. The purpose is to add validation besides the one provided by the generator.
CallbackState validated incorrectly
I think that the CallbackState validation is incorrect
This line must be negated, isn't?
thymeleaf-3.0.11.RELEASE.jar: 1 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - thymeleaf-3.0.11.RELEASE.jar
Modern server-side Java template engine for both web and standalone environments
Library home page: http://www.thymeleaf.org
Path to dependency file: /diagram/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/thymeleaf/thymeleaf/3.0.11.RELEASE/thymeleaf-3.0.11.RELEASE.jar
Found in HEAD commit: 732482701d91b4e904df6d61ecb1097ad4243016
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (thymeleaf version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-38286 |  High |
7.5 | thymeleaf-3.0.11.RELEASE.jar | Direct | de.codecentric:spring-boot-admin-server:3.1.2;rg.thymeleaf:thymeleaf:3.1.2.RELEASE | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-38286
Vulnerable Library - thymeleaf-3.0.11.RELEASE.jar
Modern server-side Java template engine for both web and standalone environments
Library home page: http://www.thymeleaf.org
Path to dependency file: /diagram/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/thymeleaf/thymeleaf/3.0.11.RELEASE/thymeleaf-3.0.11.RELEASE.jar
Dependency Hierarchy:
- ❌ thymeleaf-3.0.11.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: 732482701d91b4e904df6d61ecb1097ad4243016
Found in base branch: main
Vulnerability Details
Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
Publish Date: 2023-07-14
URL: CVE-2023-38286
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-7gj7-224w-vpr3
Release Date: 2023-07-14
Fix Resolution: de.codecentric:spring-boot-admin-server:3.1.2;rg.thymeleaf:thymeleaf:3.1.2.RELEASE
Step up your Open Source Security Game with Mend here
Whether to allow spaces in the state name
What is the question:
online editor:https://serverlessworkflow.io/editor.html ,the state name cannot have spaces.
But in the examples,https://github.com/serverlessworkflow/specification/tree/main/examples#hello-world-example, there are spaces in state name
serverlessworkflow-api-5.0.0-SNAPSHOT.jar: 14 vulnerabilities (highest severity is: 9.8) - autoclosed
Vulnerable Library - serverlessworkflow-api-5.0.0-SNAPSHOT.jar
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar
Found in HEAD commit: 81f69282b99cdc8d585d0687ff8f6e4d144b6af4
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (serverlessworkflow-api version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-1471 |  Critical |
9.8 | snakeyaml-1.24.jar | Transitive | N/A* | ❌ |
| CVE-2022-42004 | High |
7.5 | jackson-databind-2.10.3.jar | Transitive | N/A* | ❌ |
| CVE-2022-42003 | High |
7.5 | jackson-databind-2.10.3.jar | Transitive | N/A* | ❌ |
| CVE-2017-18640 | High |
7.5 | snakeyaml-1.24.jar | Transitive | N/A* | ❌ |
| CVE-2022-25857 | High |
7.5 | snakeyaml-1.24.jar | Transitive | N/A* | ❌ |
| CVE-2020-36518 | High |
7.5 | jackson-databind-2.10.3.jar | Transitive | N/A* | ❌ |
| CVE-2020-25649 | High |
7.5 | jackson-databind-2.10.3.jar | Transitive | N/A* | ❌ |
| CVE-2021-46877 | High |
7.5 | jackson-databind-2.10.3.jar | Transitive | N/A* | ❌ |
| CVE-2022-41854 |  Medium |
6.5 | snakeyaml-1.24.jar | Transitive | N/A* | ❌ |
| CVE-2022-38752 | Medium |
6.5 | snakeyaml-1.24.jar | Transitive | N/A* | ❌ |
| CVE-2022-38751 | Medium |
6.5 | snakeyaml-1.24.jar | Transitive | N/A* | ❌ |
| CVE-2022-38749 | Medium |
6.5 | snakeyaml-1.24.jar | Transitive | N/A* | ❌ |
| WS-2021-0616 | Medium |
5.9 | jackson-databind-2.10.3.jar | Transitive | N/A* | ❌ |
| CVE-2022-38750 | Medium |
5.5 | snakeyaml-1.24.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
Details
CVE-2022-1471
Vulnerable Library - snakeyaml-1.24.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /diagram/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar
Dependency Hierarchy:
- serverlessworkflow-api-5.0.0-SNAPSHOT.jar (Root Library)
- jackson-dataformat-yaml-2.10.3.jar
- ❌ snakeyaml-1.24.jar (Vulnerable Library)
- jackson-dataformat-yaml-2.10.3.jar
Found in HEAD commit: 81f69282b99cdc8d585d0687ff8f6e4d144b6af4
Found in base branch: main
Vulnerability Details
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
Publish Date: 2022-12-01
URL: CVE-2022-1471
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374
Release Date: 2022-12-01
Fix Resolution: org.yaml:snakeyaml:2.0
Step up your Open Source Security Game with Mend here
CVE-2022-42004
Vulnerable Library - jackson-databind-2.10.3.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /spi/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar
Dependency Hierarchy:
- serverlessworkflow-api-5.0.0-SNAPSHOT.jar (Root Library)
- ❌ jackson-databind-2.10.3.jar (Vulnerable Library)
Found in HEAD commit: 81f69282b99cdc8d585d0687ff8f6e4d144b6af4
Found in base branch: main
Vulnerability Details
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Publish Date: 2022-10-02
URL: CVE-2022-42004
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.13.4
Step up your Open Source Security Game with Mend here
CVE-2022-42003
Vulnerable Library - jackson-databind-2.10.3.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /spi/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar
Dependency Hierarchy:
- serverlessworkflow-api-5.0.0-SNAPSHOT.jar (Root Library)
- ❌ jackson-databind-2.10.3.jar (Vulnerable Library)
Found in HEAD commit: 81f69282b99cdc8d585d0687ff8f6e4d144b6af4
Found in base branch: main
Vulnerability Details
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
Publish Date: 2022-10-02
URL: CVE-2022-42003
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.7.1,2.13.4.1
Step up your Open Source Security Game with Mend here
CVE-2017-18640
Vulnerable Library - snakeyaml-1.24.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /diagram/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar
Dependency Hierarchy:
- serverlessworkflow-api-5.0.0-SNAPSHOT.jar (Root Library)
- jackson-dataformat-yaml-2.10.3.jar
- ❌ snakeyaml-1.24.jar (Vulnerable Library)
- jackson-dataformat-yaml-2.10.3.jar
Found in HEAD commit: 81f69282b99cdc8d585d0687ff8f6e4d144b6af4
Found in base branch: main
Vulnerability Details
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
Publish Date: 2019-12-12
URL: CVE-2017-18640
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
Release Date: 2019-12-12
Fix Resolution: org.yaml:snakeyaml:1.26
Step up your Open Source Security Game with Mend here
CVE-2022-25857
Vulnerable Library - snakeyaml-1.24.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /diagram/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar
Dependency Hierarchy:
- serverlessworkflow-api-5.0.0-SNAPSHOT.jar (Root Library)
- jackson-dataformat-yaml-2.10.3.jar
- ❌ snakeyaml-1.24.jar (Vulnerable Library)
- jackson-dataformat-yaml-2.10.3.jar
Found in HEAD commit: 81f69282b99cdc8d585d0687ff8f6e4d144b6af4
Found in base branch: main
Vulnerability Details
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
Publish Date: 2022-08-30
URL: CVE-2022-25857
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857
Release Date: 2022-08-30
Fix Resolution: org.yaml:snakeyaml:1.31
Step up your Open Source Security Game with Mend here
CVE-2020-36518
Vulnerable Library - jackson-databind-2.10.3.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /spi/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar
Dependency Hierarchy:
- serverlessworkflow-api-5.0.0-SNAPSHOT.jar (Root Library)
- ❌ jackson-databind-2.10.3.jar (Vulnerable Library)
Found in HEAD commit: 81f69282b99cdc8d585d0687ff8f6e4d144b6af4
Found in base branch: main
Vulnerability Details
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Mend Note: After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.
Publish Date: 2022-03-11
URL: CVE-2020-36518
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-03-11
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.6.1,2.13.2.1
Step up your Open Source Security Game with Mend here
CVE-2020-25649
Vulnerable Library - jackson-databind-2.10.3.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /spi/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar
Dependency Hierarchy:
- serverlessworkflow-api-5.0.0-SNAPSHOT.jar (Root Library)
- ❌ jackson-databind-2.10.3.jar (Vulnerable Library)
Found in HEAD commit: 81f69282b99cdc8d585d0687ff8f6e4d144b6af4
Found in base branch: main
Vulnerability Details
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
Publish Date: 2020-12-03
URL: CVE-2020-25649
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-12-03
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.4,2.9.10.7,2.10.5.1,2.11.0.rc1
Step up your Open Source Security Game with Mend here
CVE-2021-46877
Vulnerable Library - jackson-databind-2.10.3.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /spi/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar
Dependency Hierarchy:
- serverlessworkflow-api-5.0.0-SNAPSHOT.jar (Root Library)
- ❌ jackson-databind-2.10.3.jar (Vulnerable Library)
Found in HEAD commit: 81f69282b99cdc8d585d0687ff8f6e4d144b6af4
Found in base branch: main
Vulnerability Details
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
Publish Date: 2023-03-18
URL: CVE-2021-46877
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2021-46877
Release Date: 2023-03-18
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.6,2.13.1
Step up your Open Source Security Game with Mend here
CVE-2022-41854
Vulnerable Library - snakeyaml-1.24.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /diagram/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar
Dependency Hierarchy:
- serverlessworkflow-api-5.0.0-SNAPSHOT.jar (Root Library)
- jackson-dataformat-yaml-2.10.3.jar
- ❌ snakeyaml-1.24.jar (Vulnerable Library)
- jackson-dataformat-yaml-2.10.3.jar
Found in HEAD commit: 81f69282b99cdc8d585d0687ff8f6e4d144b6af4
Found in base branch: main
Vulnerability Details
Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
Publish Date: 2022-11-11
URL: CVE-2022-41854
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/
Release Date: 2022-11-11
Fix Resolution: org.yaml:snakeyaml:1.32
Step up your Open Source Security Game with Mend here
CVE-2022-38752
Vulnerable Library - snakeyaml-1.24.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /diagram/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar
Dependency Hierarchy:
- serverlessworkflow-api-5.0.0-SNAPSHOT.jar (Root Library)
- jackson-dataformat-yaml-2.10.3.jar
- ❌ snakeyaml-1.24.jar (Vulnerable Library)
- jackson-dataformat-yaml-2.10.3.jar
Found in HEAD commit: 81f69282b99cdc8d585d0687ff8f6e4d144b6af4
Found in base branch: main
Vulnerability Details
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38752
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-9w3m-gqgf-c4p9
Release Date: 2022-09-05
Fix Resolution: org.yaml:snakeyaml:1.32
Step up your Open Source Security Game with Mend here
CVE-2022-38751
Vulnerable Library - snakeyaml-1.24.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /diagram/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar
Dependency Hierarchy:
- serverlessworkflow-api-5.0.0-SNAPSHOT.jar (Root Library)
- jackson-dataformat-yaml-2.10.3.jar
- ❌ snakeyaml-1.24.jar (Vulnerable Library)
- jackson-dataformat-yaml-2.10.3.jar
Found in HEAD commit: 81f69282b99cdc8d585d0687ff8f6e4d144b6af4
Found in base branch: main
Vulnerability Details
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Publish Date: 2022-09-05
URL: CVE-2022-38751
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039
Release Date: 2022-09-05
Fix Resolution: org.yaml:snakeyaml:1.31
Step up your Open Source Security Game with Mend here
CVE-2022-38749
Vulnerable Library - snakeyaml-1.24.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /diagram/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar
Dependency Hierarchy:
- serverlessworkflow-api-5.0.0-SNAPSHOT.jar (Root Library)
- jackson-dataformat-yaml-2.10.3.jar
- ❌ snakeyaml-1.24.jar (Vulnerable Library)
- jackson-dataformat-yaml-2.10.3.jar
Found in HEAD commit: 81f69282b99cdc8d585d0687ff8f6e4d144b6af4
Found in base branch: main
Vulnerability Details
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Publish Date: 2022-09-05
URL: CVE-2022-38749
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027
Release Date: 2022-09-05
Fix Resolution: org.yaml:snakeyaml:1.31
Step up your Open Source Security Game with Mend here
WS-2021-0616
Vulnerable Library - jackson-databind-2.10.3.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /spi/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar
Dependency Hierarchy:
- serverlessworkflow-api-5.0.0-SNAPSHOT.jar (Root Library)
- ❌ jackson-databind-2.10.3.jar (Vulnerable Library)
Found in HEAD commit: 81f69282b99cdc8d585d0687ff8f6e4d144b6af4
Found in base branch: main
Vulnerability Details
FasterXML jackson-databind before 2.12.6 and 2.13.1 there is DoS when using JDK serialization to serialize JsonNode.
Publish Date: 2021-11-20
URL: WS-2021-0616
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-11-20
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.6, 2.13.1; com.fasterxml.jackson.core:jackson-core:2.12.6, 2.13.1
Step up your Open Source Security Game with Mend here
CVE-2022-38750
Vulnerable Library - snakeyaml-1.24.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /diagram/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.24/snakeyaml-1.24.jar
Dependency Hierarchy:
- serverlessworkflow-api-5.0.0-SNAPSHOT.jar (Root Library)
- jackson-dataformat-yaml-2.10.3.jar
- ❌ snakeyaml-1.24.jar (Vulnerable Library)
- jackson-dataformat-yaml-2.10.3.jar
Found in HEAD commit: 81f69282b99cdc8d585d0687ff8f6e4d144b6af4
Found in base branch: main
Vulnerability Details
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Publish Date: 2022-09-05
URL: CVE-2022-38750
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027
Release Date: 2022-09-05
Fix Resolution: org.yaml:snakeyaml:1.31
Step up your Open Source Security Game with Mend here
POJOs being generated with initialized collections by default
POJOs are being generated with initialized collections by default. This causes properties not set in the workflow to be unmarshaled to empty collections.
For instance, given the following JSON:
{
"id": "helloworld",
"annotations": ["hello", "world"]
}getAnnotations() should return a collection with two objects. This is working as expected.
Given the followin JSON:
{
"id": "helloworld",
"annotations": []
}getAnnotations() should return an empty collection. This is also working as expected.
Given the followin JSON:
{
"id": "helloworld"
}getAnnotations() should return null, but currently it's returning an empty collection. Here's the problem.
This is a problem because there are properties that aren't required, but when present, they should not be empty.
Translating this to Java:
| Value | Valid |
|---|---|
null |
Yes |
| empty | No |
| not empty | Yes |
To fix this behavior, we just need to set initializeCollections to false in pom.xml.
But, this change can break compatibility, since methods that today never return null might return null after the change, which may cause NullPointerExceptions to users.
So, what do you guys think? Can I submit a PR to fix this issue?
Enhancements to the SVG diagram generation for a workflow.
What would you like to be added:
For States which have actions associated in an array, a way to look at the actions in detail or atleast the names of the actions.
Right now, the diagram is linear. For ex: If there is a Parallel State, with 3 flows , the SVG generated just has a box, that says number of actions = 3.Similarly for Event state, if there are actions it just lists the number of actions.
May be a collapsible box, which when clicked shows more details.
Why is this needed:
One of the reasons to have an SVG, is to make it easier to understand the steps in the logic. It would be nice if we can dig into details on the diagram itself rather than going into the JSON to figure out what detailed actions, are associated with a State.
I talked about this on the slack channel. The link to the conversation is here.
@tsurdilo created a gist for it here.
I would enhance that with a Merge step as well, which show cases that with the default strategy of "and" as completion, the workflow will wait for all to finish and merge the results from each of the flows before passing them as data to the subsequent downstream tasks.
Not able to build correctly (instructions from readme.MD Could not find tools.jackson:jackson-base:3.0.0-SNAPSHOT)
What is the question:
I followed the guide for v4.0.x but am having issues relating to the gradle build, can someone assist me in resolving this error?
Execution failed for task ':compileJava'.
> Could not resolve all files for configuration ':compileClasspath'.
> Could not resolve com.fasterxml.jackson.core:jackson-annotations:3.0-SNAPSHOT.
Required by:
project : > io.serverlessworkflow:serverlessworkflow-api:4.0.2.Final > com.fasterxml.jackson.core:jackson-databind:3.0.0-SNAPSHOT:20220708.234610-2817
project : > io.serverlessworkflow:serverlessworkflow-api:4.0.2.Final > com.fasterxml.jackson.core:jackson-core:3.0.0-SNAPSHOT:20220711.031917-1199 > com.fasterxml.jackson:jackson-bom:3.0.0-SNAPSHOT:20220526.172315-155
> Could not resolve com.fasterxml.jackson.core:jackson-annotations:3.0-SNAPSHOT.
> Could not parse POM https://oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/3.0-SNAPSHOT/jackson-annotations-3.0-20220803.174657-62.pom
> Could not find tools.jackson:jackson-base:3.0.0-SNAPSHOT.
Searched in the following locations:
- https://repo.maven.apache.org/maven2/tools/jackson/jackson-base/3.0.0-SNAPSHOT/maven-metadata.xml
- https://repo.maven.apache.org/maven2/tools/jackson/jackson-base/3.0.0-SNAPSHOT/jackson-base-3.0.0-SNAPSHOT.pom
- https://oss.sonatype.org/content/repositories/snapshots/tools/jackson/jackson-base/3.0.0-SNAPSHOT/maven-metadata.xml
- https://oss.sonatype.org/content/repositories/snapshots/tools/jackson/jackson-base/3.0.0-SNAPSHOT/jackson-base-3.0.0-SNAPSHOT.pom
Possible solution:
- Declare repository providing the artifact, see the documentation at https://docs.gradle.org/current/userguide/declaring_repositories.html
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.