Dear all,
I am writing this message in order to notify you so you can be careful about something I messed up without knowing it due to the order of actions I took. I will explain myself as I am proceeding. I was using in a project, a library I created, which was using XLUtils, which was using jPOI, which depends on commons-compress-1.20.jar library. The lib I had created, I had also compiled it to a native b4j library. It merged the dexes and resulted in a totally working library. Then using @tchart 's B4J Scanner, I found out that commons-compress-1.20.jar library, that jPOI used, had a vulnerability. I changed commons-compress-1.20.jar library to commons-compress-1.28.jar, and changed also the XML of jPOI to point the "depends on" to the new non vulnerable library. I compiled again my project, but B4JScanner was still reporting the old java jar library. I figured out that my library had merged the dexes according to the previous settings of jPOI. So recompiling my library it solved the issue, or at least I thought so. Today I tried to run my project and export an excel file. I got the following error, and it seems that when I tried it before, my library had been created using the previous version of jPOI.xml and it worked.
So be careful everybody because it compiles, but it does not run at runtime, at least in my case. Please check also and report in this thread your experiences.
I am writing this message in order to notify you so you can be careful about something I messed up without knowing it due to the order of actions I took. I will explain myself as I am proceeding. I was using in a project, a library I created, which was using XLUtils, which was using jPOI, which depends on commons-compress-1.20.jar library. The lib I had created, I had also compiled it to a native b4j library. It merged the dexes and resulted in a totally working library. Then using @tchart 's B4J Scanner, I found out that commons-compress-1.20.jar library, that jPOI used, had a vulnerability. I changed commons-compress-1.20.jar library to commons-compress-1.28.jar, and changed also the XML of jPOI to point the "depends on" to the new non vulnerable library. I compiled again my project, but B4JScanner was still reporting the old java jar library. I figured out that my library had merged the dexes according to the previous settings of jPOI. So recompiling my library it solved the issue, or at least I thought so. Today I tried to run my project and export an excel file. I got the following error, and it seems that when I tried it before, my library had been created using the previous version of jPOI.xml and it worked.
So be careful everybody because it compiles, but it does not run at runtime, at least in my case. Please check also and report in this thread your experiences.
Last edited:
