This week's Java roundup for January 2nd, 2023, features news from JDK 20, JDK 21, Ideal Graph Visualizer open-sourced, Spring Tools 4.17.1, Open Liberty 23.0.0.1, Quarkus 2.15.2, Quarkus OpenAPI Generator 2.0, Apache Tomcat CVE, Apache TomEE certification, Apache James 3.7.3, Apache Camel 3.20.1, MyFaces Core 4.0-RC3, Ktor 2.2.2, JHipster Lite 0.25, JobRunr 5.3.3, SourceBuddy 2.1, and CircleCI CVE.
JDK 20
Build 30 of the JDK 20 early-access builds was made available this past week, featuring updates from Build 29 that include fixes to various issues. More details on this build may be found in the release notes.
JDK 21
Build 4 of the JDK 21 early-access builds was also made available this past week, featuring updates from Build 3 that include fixes to various issues.
For JDK 20 and JDK 21, developers are encouraged to report bugs via the Java Bug Database.
Oracle Labs
Oracle Labs has open-sourced their Ideal Graph Visualizer (IGV), a tool that allows developers to analyze compilation graphs and investigate performance issues. Originally part of GraalVM Enterprise Edition and only available through the Oracle Technology Network (OTN), the primary goal in open-sourcing IGV is to "make it easier for third-party compiler and language developers to use and contribute to it." Further details on other goals and non-goals may be found in this GitHub issue.
Spring Framework
The release of Spring Tools 4.17.1 delivers bug fixes and improvements such as: Eclipse STS 4.17.0 uses 96% processor time on Intel i9; the BootLanguageServerBootApp class is continuously taking all available CPU cycles; and the Language Server background job loads OpenRewrite recipes despite the OpenRewrite options unchecked. More details on this release may be found in the release notes.
Open Liberty
IBM has released Open Liberty 23.0.0.1-beta featuring: the ability to configure the maximum age of their First Failure Data Capture (FFDC) application data collection system; and fixes for CVE-2022-3509 and CVE-2022-3171, both of which have parsing issues with text data and binary data, respectively, in the Protocol Buffers Java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 that can lead to a denial of service attack. As noted in the blog post, this release is essentially the same as the release of Open Liberty 22.0.0.13-beta.
Quarkus
Red Hat has released Quarkus 2.15.2.Final that ships with fixes such as: ensure that a Kotlin subclass of the QuarkusApplication interface works properly; Kafka Dev UI is rendered unstable upon using an implementation of the ObjectMapperCustomizer interface; and an AbstractMethodError after upgrading to 2.15.0.Final. Further details on this release may be found in the changelog.
Red Hat has also released version 2.0 of the Quarkus OpenAPI Generator, a Quarkus extension for generating Rest Clients based on OpenAPI specification files, featuring support for the upcoming GA release of Quarkus 3.0. Other notable changes include: a fix for the msgType property not being serialized correctly; support for enum arrays; and dependency upgrades to quarkiverse-parent 12 and javaparser-core 3.24.9.
Apache Software Foundation
The Apache Software Foundation has published CVE-2022-45143, Apache Tomcat JsonErrorReportValve Injection, a vulnerability in which the JsonErrorReportValve class did not properly escape the type, message or description values. This could allow users to supply values that invalidated or manipulated the JSON output. Developers are encouraged to upgrade to at least versions 10.1.2, 9.0.69 and 8.5.84 of Apache Tomcat.
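The class of flaw behind CVE-2022-45143, as an added example that is not Tomcat's code: a JSON error body built by string concatenation, next to the same body with its values escaped. The class name, method names and sample message are constructed for illustration.

```java
public class JsonErrorReportDemo {

    // Escape a value for use inside a JSON string literal (RFC 8259, section 7).
    static String escapeJson(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                default:
                    if (c < 0x20) {
                        // Remaining control characters must be written as a 4-digit hex escape.
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    // Before: the three values are concatenated into the document as-is.
    static String reportUnescaped(String type, String message, String description) {
        return "{\"type\":\"" + type + "\",\"message\":\"" + message
                + "\",\"description\":\"" + description + "\"}";
    }

    // After: every value is escaped first, so it can only ever be string content.
    static String reportEscaped(String type, String message, String description) {
        return reportUnescaped(escapeJson(type), escapeJson(message), escapeJson(description));
    }

    public static void main(String[] args) {
        // Constructed sample: a request-influenced message carrying a quote and an extra key.
        String message = "Not found\",\"description\":\"spoofed";
        String description = "The requested resource is not available.";

        // The embedded quote closes the message string early and adds a second "description" key.
        System.out.println(reportUnescaped("Status Report", message, description));
        // With escaping, the quotes stay inside the message and the structure is unchanged.
        System.out.println(reportEscaped("Status Report", message, description));
    }
}
```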
The release of Apache James 3.7.3 features security fixes such as: a dependency upgrade to Apache Commons Text 1.10; and an instance of the RemoteDelivery class will perform TLS hostname verification when contacting remote mail servers. There were also notable bug fixes to the Apache SpamAssassin container and the ToSenderFolder class. More details on this release may be found in the changelog.
Apache Camel 3.20.1, a patch release, ships with bug fixes and improvements such as: the @XmlAttributes annotation should only be of type String or Enum; performance improvements due to limiting emitting events for asynchronous processing; and moving base classes into a new camel-console-support module to avoid enabling the console by default if a component is already supporting a console. There was also a dependency upgrade to Spring Boot 2.7.7. Further details on this release may be found in the release notes.
After having achieved Jakarta 9.1 certification in May 2022, the Apache TomEE team has announced that the application server is now a compatible implementation of MicroProfile 5.0. Jean-Louis Monteiro, director of engineering at Tomitribe, describes the journey on this latest achievement and plans to support MicroProfile 6.0 and Jakarta EE 10.
The third release candidate of MyFaces Core 4.0.0 delivers improvements such as: implementation of the CDI annotations, @Initialized, @BeforeDestroyed and @Destroyed, for the @FlowScoped and @ViewScoped annotations; and implicit Objects for Facelets and Programmatic Access must be resolved using CDI, resulting in a refactoring of and improvements to their Expression Language resolvers. More details on this release may be found in the release notes.
JetBrains
JetBrains has released version 2.2.2 of Ktor, the asynchronous framework for creating microservices and web applications, that includes improvements such as: engine shutdown grace period and timeout are now configurable; the swaggerUI() method is no longer too restrictive and may now be called inside a route; and the ability to specify the immutable option in the CacheControl class. Further details on this release may be found in the changelog.
JHipster
JHipster Lite 0.25.0 has been released featuring a number of bug fixes and enhancements such as: support for a Gradle Build Tool module; a new inject() function for Angular; declaratively add test dependencies in the Maven module; and improvements in the UI buttons.
JobRunr
JobRunr 5.3.3 has been released with a bug fix in which the logs are removed when the job history is long due to the metadata keys for logs having only two digits appended at the end of the log file.
SourceBuddy
Less than a month after it was introduced to the Java community, version 2.1.0 of SourceBuddy, a new utility that compiles Java source code dynamically created in a Java application, features the creation of inner classes and interfaces. InfoQ will follow up with a more detailed news story on SourceBuddy.
CircleCI
CircleCI, a CI/CD platform company, has published a security alert. While they were confident that there were no unauthorized actors active in their systems, developers are encouraged to rotate any secrets in their CircleCI applications out of an abundance of caution. CircleCI has also been rotating GitHub OAuth tokens for their customers.