Eclipse Kapua™ 1.1.0 Release Review

Type
Release
State
Successful
End Date of the Review Period

Reviews run for a minimum of one week. The outcome of the review is decided on this date. This is the last day to make comments or ask questions about this review.

Release

1.1.0

Description

Eclipse Kapua 1.1.0 aims to improve and consolidate the following areas:

  • Device Connectivity
  • Message Routing
  • Device Management
  • Data Management
  • Security
  • Administration Console
  • REST API Documentation

A total of 365 issues have been closed in this version from the previous 1.0.0 release.

The most notable features and changes introduced by this release are:

  • Full Eclipse Kura DEPLOY-V2 support. In Kapua 1.1.0, compatibility with the Eclipse Kura DEPLOY-V2 Request Handler has been enhanced, extending support to all the non-mandatory options of the Package Download Request. More info at Eclipse Kura MQTT Namespace. This gives the user more control over the Package Download capabilities offered by the Kura framework, to suit different constrained scenarios (e.g. a Kura device with very low connectivity bandwidth) or different kinds of downloaded files (e.g. an OSGi bundle or an executable script).
  • Long Running Operations can now provide real-time feedback on their execution. The Device Jobs feature has been enhanced to support tracking asynchronous operations. This enables full support for long-running Device management operations (e.g. interaction with Kura DEPLOY-V2) and the capability to create chains of operations on the Device Job targets. Alongside this improvement comes the history of all package management operations executed on a Device, both through interactive management and through batch jobs.
  • A Device Job can now be scheduled to start as soon as Targets connect to Kapua. This feature is very handy when Devices connect on a tight schedule in order to save bandwidth or because of limited connectivity. Devices are processed as soon as they connect, which allows concurrent processing.
  • A new REST API has been implemented to retrieve all the permissions and the Access Token related to a user session. This makes retrieving all the permissions for a given user much easier: a single REST call replaces the 5 different calls needed with the currently available APIs.
  • SwaggerUI, which is currently used in the REST API container to provide documentation, has been upgraded to 3.23.0 in order to support OpenAPI 3.0 specification files and to resolve security issues in the previous version.
  • Kapua datastore service now supports Basic HTTP Authentication to the Elasticsearch instance.
  • Environment parameters have been added to Docker containers (Broker, REST API and Console) in order to inject certificates used to establish SSL connections.

API Certification

The project leadership certifies that the APIs in this release are "Eclipse Quality".

Security Issues

The following CVEs have been addressed in this release:

  • Upgraded SwaggerUI version from 2.1.4 to 3.23.0 - CVE-2016-5682 - CWE-79
  • Upgraded protobuf-java version from 2.6.1 to 3.8.0 - CVE-2015-5237 - CWE-119
  • Upgraded jackson-databind version from 2.9.9 to 2.9.9.1 - CVE-2019-12814 - CWE-200; CVE-2019-12384 - CWE-502
  • Upgraded commons-beanutils version from 1.9.2 to 1.9.3 - CVE-2014-0114 - CWE-20
  • Upgraded commons-collections version from 3.2.1 to 3.2.2 - CVE-2015-7501 - CWE-502
  • Upgraded Guava version from 19.0 to 27.1-jre - CVE-2018-10237 - CWE-119
  • Upgraded Qpid Jms Client version from 0.24.0 to 0.40.0 - CVE-2018-17187 - CWE-300
  • Upgraded Jackson Databind version from 2.8.6 to 2.9.9 - CVE-2018-14718 - CWE-502
  • Upgraded Slf4j-api version from 25.0 to 26.0 - CVE-2018-8088 - CWE-502
  • Upgraded Logback version from 1.1.8 to 1.2.3 - CVE-2017-5929 - CWE-502
  • Upgraded H2 version from 1.4.192 to 1.4.199 - CVE-2018-10054 - CWE-94
  • Upgraded Jetty from 9.4.6 to 9.4.12 - CVE-2018-12545 - CWE-20; CVE-2018-12536 - CWE-200; CVE-2017-9735 - CWE-200; CVE-2017-7657 - CWE-190
  • Removed Apache POI version 3.11 - CVE-2017-5644 - CWE-399

Non-Code Aspects

The Test Framework has been refactored to improve code reuse (especially of Cucumber Steps) across the whole project. Also, Docker containers are now used for integration tests instead of embedded servers.

Conforms To UI/UX Guidelines
Not verified
Usability Details

The team has put a lot of effort into improving the usability of the Administration Console, constantly improving the views and integrating community feedback.

Some effort has also been put into improving the ergonomics of the REST APIs; the new LoginInfo REST API is specifically geared towards improving the usability of the whole Permissions feature, allowing all the permissions for a single user to be retrieved with a single REST API call.

Communities

A new communication channel has been established by opening a Gitter room for Kapua. This has allowed more direct interaction with the users, with a few reports that resulted in issues that have then been fixed in a short time. It has also reduced the number of GitHub issues that were just questions or support requests, keeping the issue database cleaner.