Commit 8ed021a3 authored by namebee's avatar namebee
Browse files

fop: 2.8 -> 2.11 

Using the suggestions made by @afh in #348116.
I did not see a reason to not include `stripJavaArchivesHook`.

The patch for CVE-2024-28168 has been part of Apache FOP since 2.10:
https://github.com/apache/xmlgraphics-fop/commit/d96ba9a11710d02716b6f4f6107ebfa9ccec7134
parent ea839424

pkgs/by-name/fo/fop/package.nix

+16 −34
Original line number Diff line number Diff line 
{

  lib,

  stdenv,

  fetchurl,

  fetchpatch,

  ant,

  jdk,

  maven,

  jre,

  makeWrapper,

  stripJavaArchivesHook,

}:



stdenv.mkDerivation (finalAttrs: {

maven.buildMavenPackage rec {

  pname = "fop";

  version = "2.8";

  version = "2.11";



  src = fetchurl {

    url = "mirror://apache/xmlgraphics/fop/fop-${finalAttrs.version}-src.tar.gz";

    hash = "sha256-b7Av17wu6Ar/npKOiwYqzlvBFSIuXTpqTacM1sxtBvc=";

    url = "https://dlcdn.apache.org/xmlgraphics/fop/source/fop-${version}-src.tar.gz";

    hash = "sha256-uY6cUjmyuenfK3jAWvugsYa5qg8rbnvRZZ6qA/g2fZM=";

  };



  patches = [

    (fetchpatch {

      name = "CVE-2024-28168.patch";

      url = "https://github.com/apache/xmlgraphics-fop/commit/d96ba9a11710d02716b6f4f6107ebfa9ccec7134.patch";

      hash = "sha256-zmUA1Tq6iZtvNECCiXebXodp6AikBn10NTZnVHpPMlw=";

    })

  ];

  mvnHash = "sha256-EaOIAy0+YPrF+yGsFKKqcA4bt90bq1Z86V57P9rMatE=";



  buildOffline = true;

  doCheck = false;



  nativeBuildInputs = [

    ant

    jdk

    makeWrapper

    stripJavaArchivesHook

  ];



  # Note: not sure if this is needed anymore

  env.JAVA_TOOL_OPTIONS = "-Dfile.encoding=UTF8";



  buildPhase = ''

    runHook preBuild



    # build only the "package" target, which generates the fop command.

    ant -f fop/build.xml package



    runHook postBuild

  '';



  installPhase = ''

    runHook preInstall



    mkdir -p $out/lib $out/share/doc/fop

    cp fop/build/*.jar fop/lib/*.jar $out/lib/

    cp -r README fop/examples/ $out/share/doc/fop/

    install -Dm644 fop*/target/*.jar -t "$out/lib"

    install -Dm644 fop*/lib/*.jar -t "$out/lib"



    install -Dm644 README -t "$out/share/doc/fop"

    cp -r fop/examples/ "$out/share/doc/fop"



    # There is a fop script in the source archive, but it has many impurities.

    # Instead of patching out 90 % of the script, we write our own.

    makeWrapper ${jre}/bin/java $out/bin/fop \

    makeWrapper ${lib.getExe jre} "$out/bin/fop" \

        --add-flags "-Djava.awt.headless=true" \

        --add-flags "-classpath $out/lib/\*" \

        --add-flags "org.apache.fop.cli.Main"
@@ -91,4 +73,4 @@ stdenv.mkDerivation (finalAttrs: { 
      binaryBytecode # source bundles dependencies as jars

    ];

  };

})
 
}