Commit Graph

142 Commits

Author SHA1 Message Date
Christoph Atteneder
0232a00282
Use tag instead of commit hash for netlayer 2022-07-05 10:29:13 +02:00
Christoph Atteneder
2dafd42639
Update tor-browser to v11.0.15 / tor-binary to v0.4.7.8 2022-07-04 12:04:48 +02:00
chimp1984
03efe23449
Add netlayer 0.7.3 2022-06-20 23:05:42 +02:00
chimp1984
bbf79872ac
Update dependency verification metadata 2022-06-14 12:53:11 +02:00
Christoph Atteneder
b1a53531ad
Update dependency verification for changes in pricenode 2022-06-09 09:41:33 +02:00
Daniel Bast
064c7590a8
Update gradle wrapper to 7.3.3
Done via `./gradlew wrapper --gradle-version 7.3.3 --distribution-type all`

From the release description:

This is a patch release for Gradle 7.3.

It fixes the following issues:

* #19360 Upgrade checks to Log4j 2.17.0

We recommend users upgrade to 7.3.3 instead of 7.3.

See also https://github.com/gradle/gradle/releases/tag/v7.3.3
2021-12-25 13:03:14 +01:00
Chris Beams
07a139c927
Upgrade log4j 2.15.0 => 2.17.0
This change upgrades log4j to patch fixes for recently documented
CVE-2021-45046 CVE-2021-45105 vulnerabilities related to the Log4Shell
exploit.

Like the earlier fix, Bisq does not appear to be vulnerable to these
exploits because it does not use log4j directly, only transitively
depends on it. Nevertheless, the upgrade is still the safe bet.
2021-12-20 07:34:04 +01:00
Chris Beams
55becc59c0
Avoid Log4J "Log4Shell" exploit
This commit upgrades our transitive dependency on Log4J 2 from 2.14.1 to
the newly-released 2.15.0 to avoid the CVE described at
https://www.lunasec.io/docs/blog/log4j-zero-day/.

We do not use log4j directly anywhere in our codebase, so our exposure
to this exploit was already mitigated if not eliminated, but Spring Boot
depends on Log4J 2 internally. This commit upgrades Spring Boot's
underlying dependency on Log4J to 2.15.0 in the manner recommended at
https://github.com/spring-projects/spring-boot/issues/28958.
2021-12-10 10:40:36 +01:00
Chris Beams
31c6e16e63
Use Spring dependency-management plugin in pricenode
This is in preparation for addressing log4j 2 zero day exploit described
at https://www.lunasec.io/docs/blog/log4j-zero-day/. See full details
in the next commit.

Bringing in the dependency-management plugin results in many changes to
our Gradle verification metadata file, but all are BOM / POM / Module
manifests. No additional jar or code dependencies have been whitelisted
with this change.
2021-12-10 10:34:09 +01:00
Chris Beams
42b00b3a3e
Fix guava dependency issue
Problem: a

    NoSuchMethodError: 'java.util.stream.Collector
    com.google.common.collect.ImmutableMultiset.toImmutableMultiset()'

exception was being thrown when testing the previously-merged upgrade to
Gradle 7.3, as described at keybase://chat/bisq#testing/2466.

Solution: This problem is similar to the issue reported at
jeremylong/DependencyCheck#3221. The source of the problem was multiple
conflicting guava jars on the runtime classpath. This commit upgrades to
guava 30.1.1-jre which ensures a single jar on the classpath.
2021-11-21 17:06:10 +01:00
Chris Beams
ea629de1a1
Add missing metadata for jackson-base pom 2.12.1
Problem: When merging #5824, the absence of this entry caused a build
failure at dependency verification time against JDK11 and JDK15 on
Ubuntu-latest [1]. It may also cause failures on other JDK/OS
combinations, but the GitHub workflow was aborted before those failures
could have occurred. In any case, this omission did not create build
failures on any of the local development machines that tested the
aforementioned PR. Reasons for this discrepancy are unknown.

Solution: manually fetch the pom from [2], run `sha256sum` on it locally
and commit the result to the verification metadata file.

[1]: https://github.com/bisq-network/bisq/runs/4249640611?check_suite_focus=true#step:6:33
[2]: https://repo1.maven.org/maven2/com/fasterxml/jackson/jackson-base/2.11.1/jackson-base-2.11.1.pom
2021-11-18 12:38:01 +01:00
Christoph Atteneder
0ea056c6d2
Add Windows artifact hashes 2021-11-15 13:26:05 +01:00
Chris Beams
d964ded2af
Add missing verification metadata
These entries showed up as missing when @jmacxx ran this PR branch on
his local Linux machine under JDK 11. It is not clear why these
dependencies were required there and not elsewhere, e.g. under CI or on
my own Mac.
2021-11-13 15:28:43 +01:00
Chris Beams
5e93cfea47
Add missing dependency verification entries
This fixes the CI build failure at
https://github.com/bisq-network/bisq/runs/4198811212?check_suite_focus=true#step:6:306
by adding missing entries for findbugs, jsr305 and various netty
artifacts. It is not clear why these artifacts were required under linux
and not under MacOS.
2021-11-13 14:56:49 +01:00
Chris Beams
d7129a2d19
Disable verification for javadoc and source jars
Prior to this commit, IDEA would fail to build the project because it
downloads javadoc and source jars that do not have entries in the
verification file. These artifacts are now trusted by default as
documented at https://docs.gradle.org/current/userguide/dependency_verification.html#sec:skipping-javadocs
2021-11-13 14:43:03 +01:00
Chris Beams
e09d56b696
Upgrade Mockito to 4.0.0
This fixes the 'Unsupported class file major version 60' problem
documented at mockito/mockito#2065 to allow building Bisq on JDK 16+.
2021-11-13 13:53:38 +01:00
Chris Beams
990365d5b9
Upgrade Lombok to support JDK16+
This fixes the IllegalAccessError problem documented at
https://stackoverflow.com/a/66981165/622403
2021-11-13 13:43:00 +01:00
Chris Beams
3557fe9844
Add verification metadata for MacOS x86 artifacts
This commit updates the verification-metadata.xml file to include
osx-x86_64 variants of protoc dependencies.
2021-11-13 13:33:26 +01:00
Chris Beams
695fe39cf7
Add verification metadata for linux-specific artifacts
CI build failed after the previous commit because the new dependency
verification file was generated on a Mac and therefore did not include
linux-specific artifact variants. This same process will need to
be done under Windows as well.
2021-11-13 13:26:03 +01:00
Chris Beams
6f8197b419
Migrate to Gradle's built-in dependency verification
This commit removes the use of our fork of the gradle-witness plugin in
favor of Gradle's relatively new built-in dependency verification
feature [1].

The gradle/verification-metadata.xml file was produced using the
following command:

    ./gradlew --write-verification-metadata sha256 build

Where `build` is the usual `gradle build` command. All dependency
configurations are resolved this way, and written out to the file.

The resulting file contains 273 unique dependency declarations, as
compared to just 64 in our now-removed gradle-witness.gradle file. This
means that the coverage of dependencies verified is much more complete.

The new file contains the same sha256 checksums for each dependency as
the old file. This was manually spot-checked for a significant number of
the dependencies.

Like with gradle-witness, builds will break when dependencies are
upgraded (and now also when they are added). To fix these breakages, the
`--write-verification-metadata sha256` option must be provided to the
build. Note that new entries will be added for upgraded dependencies, but
old entries are not removed automatically from the file. These must be
removed manually.

[1]: https://docs.gradle.org/current/userguide/dependency_verification.html
2021-11-13 12:59:52 +01:00
Chris Beams
6a3d2642da
Upgrade to Gradle 7.3
This commit does what is necessary to upgrade from Gradle 6.6.1 to
7.3, including:

- generating the new Gradle wrapper
- replacing uses of 'compile' with 'implementation'
- replacing uses of 'testCompile' with 'testImplementation'

Moving from *compile to *implementation results in many more duplicated
dependency declarations throughout the file. These will be tidied up in
a subsequent commit.

Several dependencies needed to be upgraded in order to support this
change. One of them was Spring Boot, from 1.5.1 to 2.5.6. This is a
major upgrade that contained some breaking changes to the Spring Boot
Actuator. These changes required the removal of the pricenode's
/getVersion endpoint.

The Gradle Witness plugin has been disabled in this commit, because it
uses the now-removed 'compile' configuration. Use of the Witness plugin
will be removed entirely in a subsequent commit in favor of using
Gradle's new built-in dependency verification feature.
2021-11-13 12:09:22 +01:00
chimp1984
2f40eddae8
Use bitcoinj 42bbae9 (with fix required for bsq swaps) 2021-10-21 15:41:07 +02:00
cd2357
455a74a4a8
chore: Bump tor to v0.4.5.10
Update netlayer and tor-binary dependencies.
2021-10-18 09:12:21 +02:00
Christoph Atteneder
9c411b9ba4
Update Bisq bitcoinj fork with latest commit (3186b200fff690fa51f3ebbf578f427d78242bc2)
Conflicts:
	build.gradle
	gradle/witness/gradle-witness.gradle
2021-09-13 11:33:12 +02:00
Christoph Atteneder
704333f133
Add bitcoinj Tor v3 support 2021-09-09 11:41:01 +02:00
cd2357
eea3acae36
Bump guice version to fix startup warnings
Bump guice to v5.0.1 to fix reflection warning logs shown each time Bisq started.
2021-06-11 12:03:28 +02:00
sqrrm
469448a218
Merge pull request #5431 from ripcurlx/upgrade-javafax-14
Upgrade Java to v11 and JavaFX to v15
2021-04-22 10:18:42 +02:00
Christoph Atteneder
b5beea58db
Temporarily delete QR code scanner
used for mobile notification pairing because of missing current macOS support by currently used webcam library
2021-04-20 10:20:58 +02:00
Christoph Atteneder
7621803319
Merge pull request #5372 from cd2357/update-comment
Update gradle-witness comment
2021-04-12 16:05:44 +02:00
cd2357
ca5f41a9d9
Merge remote-tracking branch 'bisq-network/hotfix/v1.6.1' into upgrade-javafax-14
# Conflicts:
#	build.gradle
2021-03-29 18:37:14 +02:00
cd2357
9f28e55fdd
Update gradle-witness comment
Specify the algorithm used to calculate and verify the checksums.
2021-03-29 15:59:51 +02:00
cd2357
6c44f25738
Bump tor to v0.4.5.7
Bump tor-binary and netlayer dependencies to the newest versions which package tor v0.4.5.7.
2021-03-28 20:15:19 +02:00
cd2357
16b83052aa
Bump tor to v0.4.5.7
Bump tor-binary and netlayer dependencies to the newest versions which package tor v0.4.5.7.
2021-03-27 20:15:59 +01:00
Steven Barclay
f21379160b
Merge branch 'release/v1.6.0' into implement-segwit-for-bsq 2021-03-20 23:18:49 +00:00
cd2357
146531d8b1
Bump netlayer and tor-binary versions
Update dependencies to use tor v0.4.5.6
2021-02-26 12:20:06 +01:00
Steven Barclay
b4ad6bf637
Upgrade jsonrpc4j & Jackson; simplify BitcoindClient
Change jsonrpc4j version from 1.5.3 to 1.6.0.bisq.1, forked to the Bisq
repo from the recent 1.6.0 release. The forked version changes the class
'com.googlecode.jsonrpc4j.HttpException' to be public, instead of (prob.
mistakenly) package private, so we can avoid using reflection to catch
it and re-throw as a 'bisq.network.http.HttpException'. Remove the now
unused constructors from the latter.

As part of this, upgrade Jackson to the latest stable (2.12.1) release,
since jsonrpc4j now depends on a newer version than the previous 2.8.10.
2021-02-04 07:51:38 +00:00
Steven Barclay
8104301b52
Use new Bitcoind(Client|Daemon) & remove btcd-cli4j
Migrate RpcService over to the new block notification daemon and RPC
client based on jsonrpc4j. Drop in own DTO classes in place of the ones
defined by btcd-cli4j and rename requestBtcBlock & addNewBtcBlockHandler
to requestDtoBlock & addNewDtoBlockHandler respectively.

Also remove now redundant filtering from the logback config and update
gradle-witness.
2021-01-21 10:10:28 +00:00
cd2357
47c4e09d69
Merge remote-tracking branch 'bisq-network/hotfix/v1.5.4' into upgrade-javafax-14 2021-01-13 19:44:12 +01:00
Oscar Guindzberg
a161376da3
Use bitcoinj 0.15.8.bisq.13 (commit dcf8af0) 2020-12-16 14:57:41 -03:00
cd2357
b82f3c1caa
Merge remote-tracking branch 'bisq-network/hotfix/v1.5.1' into upgrade-javafax-14 2020-12-13 13:57:28 +01:00
Oscar Guindzberg
9ca20d8b3d
Use bitcoinj 0.15.8 (commit dcf8af0) 2020-12-07 11:39:58 -03:00
cd2357
72a719dcc9
Merge remote-tracking branch 'bisq-network/release/v1.5.0' into upgrade-javafax-14 2020-11-27 16:59:23 +01:00
Oscar Guindzberg
e667f8fbad
Upgrade bitcoinj to commit 60b4f2f 2020-11-23 14:39:26 -03:00
Oscar Guindzberg
6bba6a526f
Use bitcoinj 0.15.8 (commit 60b4f2f) 2020-11-05 11:51:43 -03:00
Oscar Guindzberg
ef97daac89
Use bitcoinj 0.15.8 (commit fcec3da) 2020-11-05 11:47:38 -03:00
cd2357
ca56d002df
Update netlayer references to bisq repos
Update build.gradle to rely on the netlayer libraries from the bisq-network repo. The library versions (commit IDs) remain the same, only the repo from which they are pulled is changed.
2020-10-24 13:33:22 +02:00
cd2357
416373edf5
Merge remote-tracking branch 'bisq-network/release/v1.4.2' into upgrade-javafax-14 2020-10-24 11:22:25 +02:00
Oscar Guindzberg
417daf5692
Use bitcoinj 0.15.8 (commit a733034) 2020-10-08 16:33:58 -03:00
cd2357
6ef9368b75
Bump netlayer to use tor binary from tor browser v10.0
Upgrade netlayer to a version that uses tor binaries extracted from the latest tor-browser v10.0.
2020-10-06 18:03:59 +02:00
Oscar Guindzberg
5db273010f
Use bitcoinj 0.15.8 (commit 44ddbdc) 2020-09-30 13:10:05 -03:00