Library Updates

Objective

After completing this lesson, you will be able to identify updates to libraries used by SAP Commerce Cloud

Microsoft Azure Storage Client SDK 8.6.6 Replaced with Selected Microsoft Azure Java Client Libraries 12.x

The unsupported Microsoft Azure Storage Client SDK 8.6.6 library has been removed and replaced with selected Microsoft Azure Java Client 12.x libraries.

The official support for Microsoft Azure Storage Client SDK 8.6.6 ended in September 2024. For more information on the retirement of this version of the library, see Retirement notice: The legacy Azure Storage Java client libraries will be retired on 13 September 2024. To ensure that SAP Commerce Cloud isn't shipped with the unsupported library that might contain security vulnerabilities, the Microsoft Azure Storage Client SDK 8.6.6 library has been removed. The following Microsoft Azure Java Client 12.x libraries were introduced in the 2211.28 update release as a replacement for Microsoft Azure Storage Client SDK 8.6.6:

  • Microsoft Azure Client Library For Blob Storage
  • Microsoft Azure Client Library For File Share Storage
  • Microsoft Azure Client Library For Queue Storage

For detailed migration steps, see Upgrading to Selected Microsoft Azure Java Client 12.x Libraries.

After migrating, you can test the Cloud Hot Folders in your local environment. For more information, see Testing Cloud Hot Folders in a Local Environment and 2817992.

Why?

Using unsupported libraries could expose you to security vulnerabilities.

Hibernate Validator Library Update

The Hibernate Validator library has been updated to the 6.2.5.Final version to mitigate reported vulnerabilities in the 6.1.5.Final version.

Why?

This update to Hibernate Validator mitigates potential security vulnerabilities, enhancing the overall safety and integrity of your platform. While the update may impact your custom code implementation, it aligns with best practices for secure software development, ensuring your business operations remain protected against potential threats.

What's Changed?

In the new version, the library maintainers introduced changes that can affect your code implementation. Here are the main changes that were introduced:

  • The @SafeHtml validator has been removed with no replacement.

  • Expression Language has been disabled for custom violations by default.

  • Expression Language Bean methods execution is disabled for constraints by default.

For detailed information please refer to the Hibernate Validator release notes in the Related information section.

Applying the secure-by-default principle, SAP Commerce Cloud doesn't relax the new Expression Language default settings applied in the new version of the library. If your project requires any adjustment of the default configuration of the Expression Language feature, refer to the official Hibernate Validator documentation.

Error messages that use constraint parameter interpolation (syntax: {parameter_name}) shouldn't be affected by this change in the Hibernate Validator library. For more information, see Example of Simple Constraint.
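To show what the custom-violation change and the unaffected {parameter_name} interpolation mean for your own constraints, here is an added example written for this lesson (it is not SAP's or Hibernate's code). It assumes hibernate-validator 6.2.5.Final and a Jakarta EL implementation on the classpath; the MaxLength constraint and the Sku bean are hypothetical.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import javax.validation.*;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;

public class CustomViolationCheck {
    // Default message uses only {max}, i.e. annotation-parameter interpolation,
    // which the 6.2.x update leaves unaffected.
    @Constraint(validatedBy = MaxLengthValidator.class)
    @Target(ElementType.FIELD)
    @Retention(RetentionPolicy.RUNTIME)
    public @interface MaxLength {
        String message() default "must not be longer than {max} characters";
        int max();
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }
    public static class MaxLengthValidator implements ConstraintValidator<MaxLength, String> {
        private int max;
        @Override
        public void initialize(MaxLength constraint) { max = constraint.max(); }
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (value == null || value.length() <= max) return true;
            // Custom violation: the untrusted value is passed as a named message parameter, not
            // concatenated into the template, so {value} and {max} interpolate as plain parameters.
            // Under the 6.2.x default, ${...} in a custom violation template is no longer evaluated
            // as Expression Language, so templates built here must not depend on EL.
            ctx.disableDefaultConstraintViolation();
            ctx.unwrap(HibernateConstraintValidatorContext.class)
               .addMessageParameter("value", value)
               .buildConstraintViolationWithTemplate("'{value}' exceeds {max} characters")
               .addConstraintViolation();
            return false;
        }
    }
    // Hypothetical bean standing in for a custom DTO validated by the platform.
    public static class Sku {
        @MaxLength(max = 8) String code;
        Sku(String code) { this.code = code; }
    }
    public static void main(String[] args) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        Set<ConstraintViolation<Sku>> violations = validator.validate(new Sku("TOO-LONG-SKU-CODE"));
        violations.forEach(v -> System.out.println(v.getPropertyPath() + ": " + v.getMessage()));
    }
}
```

Running it with the platform's unrelaxed defaults yields one violation on `code` whose message contains the interpolated value and limit; any custom violation in your project that expects `${...}` to be evaluated will instead show the expression text verbatim, which is the behaviour to look for when reviewing custom validators after the update.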

SLF4J Library Update

The SLF4J library has been updated from version 1.7.36 to 2.0.16.

Details

We've made two significant changes to improve environment logging:

  • Deprecated the HybrisLog4j2LoggerContextFactory and introduced a new context selector for log4j 2.

  • Updated the SLF4J API to the latest major version.

These updates streamline your logging process and keep your system aligned with current industry standards. The new log4j 2 configuration offers more flexibility in managing logs across different class loaders, while the SLF4J update ensures you're using the most recent version of this widely adopted logging facade.

What's Changed?

The de.hybris.platform.util.logging.log4j2.HybrisLog4j2LoggerContextFactory is now deprecated. Instead, specify log4j2.contextSelector as de.hybris.platform.util.logging.log4j2.HybrisClassLoaderContextSelector in your platform/ext/core/resources/log4j2.component.properties file.

We've updated the slf4j-api from version 1.7.36 to 2.0.16.

Note

While this change is documented as backward compatible, you should review your custom code implementation to ensure it's not affected.

Charon Upgrade to 1.4.1

Charon has been upgraded from 1.3.0 to 1.4.1 to support the resource parameter.

The new version of Charon supports the resource parameter that can be included in requests sent to selected authorization servers.

Why?

Supporting the resource parameter allows you to use authorization servers that require this parameter to be part of requests they receive.