Hi,
I'm working in the openapi-generator open-source project (https://github.com/OpenAPITools/openapi-generator), and a vulnerability was recently reported against the older io.airlift:airline library. I think the best way to address the vulnerability is to migrate to the latest version of com.github.rvesse:airline.

Time is somewhat of the essence, so I was hoping that some kind soul with detailed knowledge of the old and new "airline" libraries could perhaps offer some advice on how to go about migrating the code in the openapi-generator's openapi-generator-cli module. Perhaps just some overall advice on which classes to use in the new library would be a big help.

Many thanks in advance,
Phil Adams

After my initial semi-panicked post above 😂, I've been able to migrate the majority of the code to use the new airline v2.9.0 library, with a few loose ends remaining.

Previously the openapi-generator code used the "required" and "allowedValues" attributes of the @Option annotation and I don't see equivalents in the newer "airline" library v2.9.0. Were these just dropped or is there some alternative that I can use?

Also, the CompletionCommand class uses airline's "Suggester" support and the parser (the code previously used the airline Parser class, and I think that needs to be changed to use CliParser but the parser interface has changed a bit (e.g. a different return type for the "parse()" method) so I'm still a little unclear on how to migrate that code specifically.

Again, any help is appreciated.

Thanks,
Phil

Previously the openapi-generator code used the "required" and "allowedValues" attributes of the @Option annotation and I don't see equivalents in the newer "airline" library v2.9.0. Were these just dropped or is there some alternative that I can use?

After more digging, I've discovered the restrictions-related annotations, specifically the @required and @AllowedRawValues annotations.

As for my other issue related to the "Suggester" stuff, I was able to modify imports and make minor code changes so that everything compiles clean with the 2.9.0 version of the new airline library, although I was not able to get everything working correctly with respect to the "CommandCompletion" class in openapi-generator (linked above).

Hi @padamstx

Just coming back from the holiday break so apologies for not seeing this any sooner. It sounds like you've figured out most of the migration yourself.

For the Suggester stuff I'm afraid that's an area of the codebase that I never really touched at all other than making it continue to compile with the various refactoring that have happened over the years.

Do you have specific examples of what works/doesn't work (or works differently) with the original library versus my fork?

Hi @rvesse, it turns out that I was making these changes in my fork of the openapi-generator project for our internal use only, and we simply didn't need to retain the function that relied on the Suggester stuff, so I "fixed" the problem by simply removing that code that depended on it :)

I think at some point, the maintainers of the official open-source openapi-generator project will need to make similar changes and they will most likely want to retain that functionality. But, I'll let them do the necessary exploration to make that work :)