Release Notes
Making open source more inclusive
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.
1. Introduction
Migration Toolkit for Applications 7.0 accelerates large-scale application modernization efforts across hybrid cloud environments on Red Hat OpenShift. This solution provides insight throughout the adoption process, at both the portfolio and application levels: inventory, assess, analyze, and manage applications for faster migration to OpenShift via the user interface.
2. MTA 7-0-3
2.1. Known issues
This section provides highlighted known issues in Migration Toolkit for Applications (MTA) version 7.0.3:
Applications page loads slowly when there are many applicationsWhen the Application Inventory has to list many applications, the page loads slowly. Currently, there is no workaround available. (MTA-2497)
MTA 7.0.2 and 7.0.3 fail to run analysis on a directory of multiple applications. The cause of this failure is that the analyzer is expecting a pom.xml file in the root directory. (MTA-2765)
For a complete list of all known issues in this release, see the list of Known Issues in Jira.
2.1.1. CLI known issues
The CLI is built and distributed with support for Microsoft Windows.
However, when running any container image based on Red Hat Enterprise Linux 9 (RHEL9) or Universal Base Image 9 (UBI9), the following error can be returned when starting the container:
Fatal glibc error: CPU does not support x86-64-v2This error is caused because Red Hat Enterprise Linux 9 or Universal Base Image 9 container images must be run on a CPU architecture that supports x86-64-v2.
For more details, see (Running Red Hat Enterprise Linux 9 (RHEL) or Universal Base Image (UBI) 9 container images fail with "Fatal glibc error: CPU does not support x86-64-v2").
CLI runs the container runtime correctly. However, different container runtime configurations are not supported.
Although unsupported, you can run CLI with Docker instead of Podman, which would resolve this issue.
To achieve this, you replace the PODMAN_BIN path with the path to Docker.
For example, if you experience this issue, instead of issuing:
PODMAN_BIN=/usr/local/bin/docker mta-cli analyzeYou replace PODMAN_BIN with the path to Docker:
<Docker Root Dir>=/usr/local/bin/docker mta-cli analyzeWhile this is not supported, it would allow you to explore CLI while you work to upgrade your hardware or move to hardware that supports x86_64-v2.
2.2. Resolved issues
This section provides highlighted issues that have been resolved in Migration Toolkit for Applications (MTA) version 7.0.3.
webpack-dev-middleware package, where it failed to validate the supplied URL address sufficientlyA flaw was found in versions of the webpack-dev-middleware package before versions 7.1.0 and 6.1.2, in which it failed to validate the supplied URL address sufficiently before returning local files. This flaw allowed an attacker to craft URLs to return arbitrary local files from the developer’s machine. The lack of normalization before calling the middleware also allowed the attacker to perform path traversal attacks on the target environment.
For more details, see (CVE-2024-29180).
net/http, x/net/http2: unlimited number of CONTINUATION frames can cause a denial-of-service (DoS) attackA flaw was discovered with the implementation of the HTTP/2 protocol in the Go programming language. There were insufficient limitations on the number of CONTINUATION frames sent within a single stream. An attacker could potentially exploit this to cause a denial-of-service (DoS) attack.
For more details, see (CVE-2023-45288).
A flaw was found in Axios that may expose the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host. This issue can allow a remote attacker to bypass security measures and view sensitive data.
For more details, see (CVE-2023-45857).
go-resty: HTTP request body disclosure in github.com/go-resty/resty/v2A race condition in go-resty can result in HTTP request body disclosure across requests. The race condition can be triggered when sync.Pool.Put is called with the same bytes.Buffer more than once during request retries. This can lead to a situation where an unrelated server receives the request body, potentially exposing sensitive information.
For more details, see (CVE-2023-45286).
A flaw was found in Adobe CSS Tools. Operation input validation may result in a minor denial of service while parsing malicious CSS with the parse component. User interaction and privileges are not required to jeopardize an environment.
For more details, see (CVE-2023-26364).
crypto/tls: Timing Side Channel Attack in an RSA-Based TLS Key exchangesA flaw was found in the Golang crypto/tls standard library. In versions before 1.20, the package was vulnerable to a Timing side-channel attack by observing the time it took for RSA-based Transport Layer Security (TLS) key exchanges, which was not constant. The flaw allowed for potential timing attacks, where the removal of PKCS#1 padding could have leaked and potentially exposed session key bits.
For more details, see (CVE2023-45287).
net/http/internal: denial of service (DoS) caused by resource consumption from HTTP requestsA flaw was found in the Golang net/http/internal package that could cause a malicious HTTP sender to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. This flaw could cause the receiver to fail to read the response, possibly leading to a denial of service (DoS).
For more details, see (CVE-2023-39326).
css-toolsA Regular Expression Denial of Service (ReDoS) flaw was found in Adobe’s css-tools, versions 4.3.1 and earlier, when parsing CSS. This vulnerability could lead to a denial of service when attempting to parse CSS due to improper input validation and could allow an attacker to use an input string to cause a denial of service, especially when attempting to parse CSS.
For more details, see (CVE-2023-48631).
follow-redirects package: Improper Input Validation caused by the improper handling of URLs by the url.parse() function An Improper Input Validation flaw was found in the follow-redirects package, in versions before 1.15.4. due to the improper handling of URLs by the url.parse() function. This flaw could be exploited by manipulating the hostname when the new URL() throws an error, leading to a misinterpretation and potential redirection of traffic to a malicious site.
For more details, see (CVE-2023-26159).
A flaw was found in the protojson.Unmarshal function that could cause the function to enter an infinite loop when unmarshaling certain forms of invalid JSON messages. This condition could occur when unmarshaling into a message that contained a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option was set in a JSON-formatted message.
For more details, see (CVE-2024-24786).
follow-redirects package: could cause a possible credential leakA flaw was found in versions of the follow-redirects package before 1.1.5. This flaw occurs when follow-redirects handles cross-domain redirects. It fails to clear the proxy-authentication header, which may contain credentials, while it clears the authorization header. As a result, this vulnerability could potentially lead to the leak of sensitive credentials.
For more details, see (CVE-2024-28849).
In MTA 7.0.2, running two questionnaires displayed the Assessment status as Not started instead of In progress. With this update, the problem has been resolved. As a result, the Assessment status shows In progress after one questionnaire or archetype is started.
In MTA 7.0.2, connecting to a Jira server using basic authentication, meaning username and password, failed. This issue has been resolved in MTA 7.0.3. (MTA-2427)
Enable insecure communication switchIn MTA 7.0.2, it was not possible to enable on the Enable insecure communication switch when creating or editing a Jira instance. This issue has been resolved in MTA 7.0.3. (MTA-2426)
In MTA 7.0.2, the binary analysis failed for a Java archive (JAR) file that had no external dependencies. This issue has been resolved in MTA 7.0.3. (MTA-2661)
In previous releases of MTA, the IntelliJ IDE plugin key map actions are not functioning as expected. Even though the MTA extension opens, it does not focus on it. Therefore, the other actions will not work. (MTA-2460)
For a complete list of all issues resolved in this release, see the list of Resolved Issues in Jira.
3. MTA 7-0-2
3.1. New features
This section describes the new features and improvements of the Migration Toolkit for Applications (MTA) 7.0.2.
In MTA 7.0.2, multiarch support for for MTA CLI is introduced. Multiarch support includes both ARM architecture on Linux machines and Apple Silicon Macs.
3.2. Known issues
Migration Toolkit for Applications (MTA) version 7.0.2 has the following known issues.
In MTA 7.0.2, connecting to a Jira server using basic authentication, meaning username and password, fails. This issue is scheduled to be resolved in MTA 7.1.0. (MTA-2427)
In MTA 7.0.2, it is not possible to turn on the Enable insecure communication switch when creating or editing a Jira instance. This issue is scheduled to be resolved in MTA 7.0.3. (MTA-2426)
MTA 7.0.2 and 7.0.3 fails to run analysis on a directory of multiple applications. The cause of this failure is caused as the analyzer is expecting a pom.xml file in the root directory. (MTA-2765)
For a complete list of all known issues in this release, see the list of Known Issues in Jira.
3.2.1. CLI known issues
The CLI is built and distributed with support for Microsoft Windows.
However, when running any container image based on Red Hat Enterprise Linux 9 (RHEL9) or Universal Base Image 9 (UBI9), the following error can be returned when starting the container:
Fatal glibc error: CPU does not support x86-64-v2This error is caused because Red Hat Enterprise Linux 9 or Universal Base Image 9 container images must be run on a CPU architecture that supports x86-64-v2.
For more details, see (Running Red Hat Enterprise Linux 9 (RHEL) or Universal Base Image (UBI) 9 container images fail with "Fatal glibc error: CPU does not support x86-64-v2").
CLI runs the container runtime correctly. However, different container runtime configurations are not supported.
Although unsupported, you can run CLI with Docker instead of Podman, which would resolve this issue.
To achieve this, you replace the PODMAN_BIN path with the path to Docker.
For example, if you experience this issue, instead of issuing:
PODMAN_BIN=/usr/local/bin/docker mta-cli analyzeYou replace PODMAN_BIN with the path to Docker:
<Docker Root Dir>=/usr/local/bin/docker mta-cli analyzeWhile this is not supported, it would allow you to explore CLI while you work to upgrade your hardware or move to hardware that supports x86_64-v2.
3.3. Resolved issues
The following highlighted issues have been resolved in Migration Toolkit for Applications (MTA) version 7.0.2.
A flaw was found in versions of the Golang standard library go/parser, before Go 1.17.12 and Go 1.18.4. When calling any Parse functions on the Go source code, which contains deeply nested types or declarations, a panic can occur due to stack exhaustion. This issue allows an attacker to impact system availability.
For more details, see (CVE-2022-1962).
In previous versions of MTA 7.0, there was an issue with the Command-line interface (CLI) not functioning as expected on ARM CPU architecture.
-
MTA CLI does not work on Mac ARM-based machines. (MTA-2160)
-
MTA CLI does not work on Linux ARM-based machines. (MTA-2351)
These issues have been resolved in MTA 7.0.2.
In previous versions of MTA 7.0, the text below graphs was missing on the Reports page. This has been resolved in MTA 7.0.2. (MTA-1868)
In progress instead of Not startedIn previous versions of MTA 7.0, the Assessment status was In progress instead of Not started when the application was associated with an archived questionnaire. This has been resolved in MTA 7.0.2. (MTA-1956)
Use Refresh Tokens breaks MTA UIIn previous versions of MTA, turning off the Use Refresh Tokens, which is a feature in the Red Hat build of Keycloak, could have adversely impacted MTA. This has been resolved in MTA 7.0.2. (MTA-1255)
In previous versions of MTA 7.0, exporting a questionnaire could include unnecessary metadata. This unnecessary metadata had the potential to make reimporting the questionnaire a more difficult task, as it might conflict with already existing data. This has been resolved in MTA 7.0.2, with exports not including any environment-specific data. (MTA-1721)
In previous versions of MTA, source and dependency analysis of applications built with Java Development Kits (JDKs) earlier than version 11 could fail before compilation was completed. This has been resolved in MTA 7.0.2. (MTA-1785)
In previous versions of MTA 7.0, the application drawer incorrectly showed that the associated archetypes had been assessed, when there were no required questionnaires and when an application was associated with unassessed archetypes. This has been resolved in MTA 7.0.2. (MTA-1967)
In previous versions of MTA 7.0, inherited assessment tags should have been listed as assessment tags instead of archetype tags on the app drawer. This has been resolved in MTA 7.0.2. (MTA-1972)
Completed instead of Not started for inherited assessment after the questionnaire is archivedIn previous versions of MTA 7.0, the Application Assessment status showed Completed instead of Not started for inherited assessment after the questionnaire was archived. This has been resolved in MTA 7.0.2. (MTA-1973)
In previous versions of MTA 7.0, the Application inventory page showed no applications after accessing dependencies. This has been resolved in MTA 7.0.2. (MTA-2007)
In previous versions of MTA 7.0, dependencies did not filter and navigate to the affected applications, instead of showing only the affected applications. This has been resolved in MTA 7.0.2. (MTA-2008)
unable to connect message seen on the Single Application issues pageIn previous versions of MTA 7.0, on an analysis clicking on Issues and then navigating to the Single application page, no data was shown and an Unable to connect message was shown. There was an error retrieving data, showing a Check your connection and try again error. This has been resolved in MTA 7.0.2. (MTA-2047)
In previous versions of MTA 7.0, issues occasionally contained variable names instead of values. This has been resolved in MTA 7.0.2. (MTA-2067)
In previous versions of MTA 7.0, rules from technology usage appeared as issues. This has been resolved in MTA 7.0.2. (MTA-2099)
In previous versions of MTA 7.0, there was no version flag for the MTA CLI, such as mta-cli --version to show the current version installed. This has been resolved in MTA 7.0.2. (MTA-2201)
In previous versions of MTA 7.0, the Application list in the Archetype side drawer did not scale well when a large number of applications were associated with the archetype. It is likely that a massive number of applications could cause the drawer not to load properly. This has been resolved in MTA 7.0.2. (MTA-2283)
For a complete list of all issues resolved in this release, see the list of Resolved Issues in Jira.
3.4. Upgrade notes
The following are upgrade notes for Migration Toolkit for Applications (MTA)
Upgrade directly from MTA 6.2.1 to MTA 7.0.2.
In previous version of MTA 7.0.0, when MTA 6.2.1 is installed, and you attempt to switch the channel to stable-7.0, the operator upgrade succeeds, but a task in the operator pod fails. This failure resulted in existing pathfinder assessments not being migrated to MTA 7.0.0. As this bug has been resolved in MTA 7.0.1, it is suggested to upgrade directly from MTA 6.2.1 to MTA 7.0.2. MTA-2139
|
Important
|
Enabling questionnaire for assessments
On upgrading from MTA 6.2.1 to MTA 7.0.1 , completed assessment are shown as In progress. Enable the legacy Pathfinder questionnaire to see the completed status of assessment. |
In version 7.0.2 of MTA, the default size of the hub database volume has been increased to 10GiB.
If your storage class does not support volume expansion, then an upgrade from 6.2.1 to 7.0.2 will result in a failure due to the operator trying to change the volume size from 5GiB to 10GiB.
To avoid this issue, you can directly set the volume size by setting:
...
hub_database_volume_size: 5Gi
...By doing this, you will avoid the operator trying to resize the volume.
If this value was set when the previous version was deployed, there is no need to take any action, as it will work as expected.
When upgrading to MTA 7.0.0, all existing data will be retained, except for individual analysis reports for applications.
As both the analysis and reporting engines have been replaced with this version, you will be required to conduct a re-run of the analysis in order to obtain data on issues and dependencies.
4. MTA 7-0-1
4.1. Known issues
Migration Toolkit for Applications (MTA) version 7.0.1 has the following issues.
MTA CLI does not function on machines using ARM based architecture. The workaround is to use the upstream images, which will function as expected as they are built using multi-arch. To do this, issue:
RUNNER_IMG=quay.io/konveyor/kantra:latest CMD_NAME=kantra ./mta-cli analyze ...RBACWhen deleting, deactivating or degrading the role of a user, such as changing the user from Admin to Migrator, the change can take several minutes to take effect. This delay in changing the user status can pose an operational or security risk. MTA-1809
Keycloak is enabled by default. If you disable and then re-enable Keycloak, you cannot perform any actions in the MTA web console after logging in again.
This error is caused as the credential-mta-rhsso secret is updated when auth/Keycloak is disabled and re-enabled.
The suggested workaround is to restore the old password in the credential-mta-rhsso secret, after re-enabling auth. MTA-1152
The org.apache.derby.derby dependency is not analyzed. MTA-1817
The system repeatedly shows a warning message about overriding an inherited assessment when reassessing an application.
This warning, appropriate for the first assessment, incorrectly reappears on subsequent reassessments, suggesting that the application is still inheriting its assessment, even after it has been overridden. MTA-1825
For a complete list of all known issues in this release, see the list of Known Issues in Jira.
4.1.1. CLI known issues
The CLI is built and distributed with support for Microsoft Windows.
However, when running any container image based on Red Hat Enterprise Linux 9 (RHEL9) or Universal Base Image 9 (UBI9), the following error can be returned when starting the container:
Fatal glibc error: CPU does not support x86-64-v2This error is caused because Red Hat Enterprise Linux 9 or Universal Base Image 9 container images must be run on a CPU architecture that supports x86-64-v2.
For more details, see (Running Red Hat Enterprise Linux 9 (RHEL) or Universal Base Image (UBI) 9 container images fail with "Fatal glibc error: CPU does not support x86-64-v2").
CLI runs the container runtime correctly. However, different container runtime configurations are not supported.
Although unsupported, you can run CLI with Docker instead of Podman, which would resolve this issue.
To achieve this, you replace the PODMAN_BIN path with the path to Docker.
For example, if you experience this issue, instead of issuing:
PODMAN_BIN=/usr/local/bin/docker mta-cli analyzeYou replace PODMAN_BIN with the path to Docker:
<Docker Root Dir>=/usr/local/bin/docker mta-cli analyzeWhile this is not supported, it would allow you to explore CLI while you work to upgrade your hardware or move to hardware that supports x86_64-v2.
4.2. Resolved issues
The following highlighted issues have been resolved in Migration Toolkit for Applications (MTA) version 7.0.1.
In previous version of MTA 7.0.0, when MTA 6.2.1 is installed, and you attempt to switch the channel to stable-7.0, the operator upgrade succeeds, but a task in the operator pod fails. This failure resulted in existing pathfinder assessments not being migrated to MTA 7.0.0. This bug is resolved in MTA 7.0.1. MTA-2139
For a complete list of all issues resolved in this release, see the list of Resolved Issues in Jira.
4.3. Upgrade notes
The following are upgrade notes for Migration Toolkit for Applications (MTA)
Upgrade directly from MTA 6.2.1 to MTA 7.0.1.
In previous version of MTA 7.0.0, when MTA 6.2.1 is installed, and you attempt to switch the channel to stable-7.0, the operator upgrade succeeds, but a task in the operator pod fails. This failure resulted in existing pathfinder assessments not being migrated to MTA 7.0.0. As this bug has been resolved in MTA 7.0.1, it is suggested to upgrade directly from MTA 6.2.1 to MTA 7.0.1. MTA-2139
|
Important
|
Enabling questionnaire for assessments
On upgrading from MTA 6.2.1 to MTA 7.0.1 , completed assessment are shown as In progress. Enable the legacy Pathfinder questionnaire to see the completed status of assessment. |
In version 7.0.1 of MTA, the default size of the hub database volume has been increased to 10GiB.
If your storage class does not support volume expansion, then an upgrade from 6.2.1 to 7.0.1 will result in a failure due to the operator trying to change the volume size from 5GiB to 10GiB.
To avoid this issue, you can directly set the volume size by setting:
...
hub_database_volume_size: 5Gi
...By doing this, you will avoid the operator trying to resize the volume.
If this value was set when the previous version was deployed, there is no need to take any action, as it will work as expected.
When upgrading to MTA 7.0.0, all existing data will be retained, except for individual analysis reports for applications.
As both the analysis and reporting engines have been replaced with this version, you will be required to conduct a re-run of the analysis in order to obtain data on issues and dependencies.
5. MTA 7-0-0
5.1. New features
This section describes the new features and improvements of the Migration Toolkit for Applications (MTA) 7.0.0.
In MTA 7.0.0, the assessment module has been enhanced. The assessment module in this release allows you to import questionnaires using a custom YAML syntax for questionnaire definition.
In MTA 7.0.0, you can assess and analyze entire groups of applications or archetypes, according to common characteristics.
Application archetypes are defined according to criteria tags and application taxonomy. Each archetype selects how the applications are assessed according to its characteristics.
In MTA 7.0.0, you now have the ability to unlink an application from a Jira ticket, so that you can manage the links between applications and tickets more effectively. To unlink an application from a Jira ticket, click the Unlink from Jira icon in the details view of the application or in the details view of a Migration wave.
New rules that use YAML syntax to support metadata, message and tag actions, rule conditions, provider conditions for Java and Go providers, and other file tagging and characteristics.
MTA 7.0.0 produces dynamic analysis reports that collect aggregated issues and dependencies across the application portfolio. They identify portfolio-wide trends, drill down to specific lines in source code, and fully integrate with MTA User Interface (UI).
MTA 7.0.0 introduces support for Azure Red Hat OpenShift (ARO).
MTA 7.0.0 introduces support for Red Hat OpenShift on AWS (ROSA).
MTA 7.0.0 supports migrating applications written in Java and Golang implemented in Language Server Protocol (LSP).
|
Important
|
Multi-language analysis for Golang is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope. |
5.2. Known issues
Migration Toolkit for Applications (MTA) version 7.0.0 has the following issues.
If MTA 6.2.1 is installed, when attempting to switch the channel to stable-7.0, the operator upgrade succeeds, but a task in the operator pod fails. This failure results in existing pathfinder assessments not being migrated to MTA 7.0.0. This bug will be resolved in MTA 7.0.1. No assessment data will be lost, it is will simply not be visible in the UI until the release of MTA 7.0.1. MTA-2139
RBACWhen deleting, deactivating or degrading the role of a user, such as changing the user from Admin to Migrator, the change can take several minutes to take effect. This delay in changing the user status can pose an operational or security risk. MTA-1809
Keycloak is enabled by default. If you disable and then re-enable Keycloak, you cannot perform any actions in the MTA web console after logging in again.
This error is caused as the credential-mta-rhsso secret is updated when auth/Keycloak is disabled and re-enabled.
The suggested workaround is to restore the old password in the credential-mta-rhsso secret, after re-enabling auth. MTA-1152
The org.apache.derby.derby dependency is not analyzed. MTA-1817
The system repeatedly shows a warning message about overriding an inherited assessment when reassessing an application.
This warning, appropriate for the first assessment, incorrectly reappears on subsequent reassessments, suggesting that the application is still inheriting its assessment, even after it has been overridden. MTA-1825
In MTA 7.0.0, some XML custom rule files are converted to the new YAML format during analysis. The root cause is that Java search patterns that use IMPORT as location and end in .{*}, do not function as expected. MTA-2000
To resolve this issue, whenever a custom rule has a pattern ending in .{*} and location IMPORT, the pattern .{*} can be changed to {*} and the location changed to PACKAGE, as in the following example.
To view the javax-package-custom-target.windup.xml, click here.
<?xml version="1.0"?>
<ruleset xmlns="http://windup.jboss.org/schema/jboss-ruleset" id="javax-package"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://windup.jboss.org/schema/jboss-ruleset http://windup.jboss.org/schema/jboss-ruleset/windup-jboss-ruleset.xsd">
<metadata>
<description>
This ruleset evaluates whether a custom target can be used within a custom rule
</description>
<dependencies>
<addon id="org.jboss.windup.rules,windup-rules-javaee,3.0.0.Final" />
<addon id="org.jboss.windup.rules,windup-rules-java,3.0.0.Final" />
</dependencies>
<targetTechnology id="phil" versionRange="[7,8)" />
</metadata>
<rules>
<rule id="javax-package-custom-target-00001">
<when>
<javaclass references="javax{*}">
<location>PACKAGE</location>
</javaclass>
</when>
<perform>
<hint title="CUSTOM RULE for javax.* package import" effort="1" category-id="potential">
<message>`javax.*` packages must be renamed to `jakarta.*` for Jakarta EE9 compatibility.</message>
<link title="Renamed Packages" href="https://github.com/wildfly-extras/batavia/blob/master/impl/ecl/src/main/resources/org/wildfly/extras/transformer/eclipse/jakarta-renames.properties"/>
</hint>
</perform>
</rule>
</rules>
</ruleset>For a complete list of all known issues in this release, see the list of Known Issues in Jira.
5.3. Resolved issues
The following highlighted issues have been resolved in Migration Toolkit for Applications (MTA) version 7.0.0.
In previous versions of MTA, no Update Notification appeared at top of window after the fields Application, Job Function, and Business services were updated. MTA-1024
In previous versions of MTA, it was not possible to create a Jira instance (issues.stage.redhat.com) behind a proxy. MTA-849
redirect_uri validation logicA flaw was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts. The problem arises in the verifyRedirectUri method, which attempts to enforce rules on user-controllable input, but can cause a desynchronization in how Keycloak and browsers interpret URLs.
For more details, see (CVE-2023-6291).
For a complete list of all issues resolved in this release, see the list of Resolved Issues in Jira.
5.4. Upgrade notes
The following are upgrade notes for Migration Toolkit for Applications (MTA)
In version 7.0.0 of MTA, the default size of the hub database volume has been increased to 10GiB.
If your storage class does not support volume expansion, then an upgrade from 6.2.1 to 7.0.0 will result in a failure due to the operator trying to change the volume size from 5GiB to 10GiB.
To avoid this issue, you can directly set the volume size by setting:
...
hub_database_volume_size: 5Gi
...By doing this, you will avoid the operator trying to resize the volume.
If this value was set when the previous version was deployed, there is no need to take any action, as it will work as expected.
When upgrading to MTA 7.0.0, all existing data will be retained, except for individual analysis reports for applications.
As both the analysis and reporting engines have been replaced with this version, you will be required to conduct a re-run of the analysis in order to obtain data on issues and dependencies.
You can upgrade to MTA 7.0.0 from 6.2.1. It is not recommended to pursue any alternative upgrade route. If you wish to upgrade from a previous version, it is recommended to proceed in a sequential manner until you finally upgrade from MTA version 6.2.1 to 7.0.0.
5.5. Technical changes
The following technical changes have been made in Migration Toolkit for Applications (MTA) 7.0.0:
-
The Maven Plugin has been deprecated.
-
Language Server Protocol (LSP) Analyzer change.
5.5.1. Rules
Rules written in Groovy and Java are discontinued in MTA version 7.0.0. Some of the previous Groovy Java rules have been converted to YAML rules wherever possible.
An important modification to the rule’s engine is that it is no longer possible to query anything apart from the tags stored within the engine’s internal data structures. This means that all the features that were enabled by using the graph-query element in the rule are no longer available.
The Java Class child elements annotation-list, annotation-type and annotation-literal are not supported in MTA version 7.0.0.
The capabilities of <project> and <dependency> elements in the old syntax are merged into one dependency condition in the new rules syntax.
xslt element are discontinuedXML transformation capabilities offered by the xslt element are discontinued.
iteration element is discontinuedThe explicit iteration element is discontinued in MTA version 7.0.0. If a condition returns a list of items via the as construct, iteration is implied.
Test rules are not supported in MTA version 7.0.0.
Overriding a rule is discontinued in MTA version 7.0.0.
Creating custom rule categories is discontinued in MTA version 7.0.0.
In MTA version 7.0.0, any previous rules of information and optional categories will only create technology tags.
In MTA version 7.0.0, the following Java analysis capabilities have been deprecated:
-
Ability to match on specific arguments of a Java method constructor is not supported in the current version
-
Matching Java references from JavaServer Pages (JSP) files are not supported in the current version
-
Mavenizinga Java project, meaning write a POM and possibly move code around so that it builds in Maven, is discontinued.
The following functionality in Analysis reports has been deprecated:
-
Story points are shown as integers. The “level of effort” view and their mappings are deprecated in MTA version 7.0.0.
-
Transactions reports are deprecated in MTA version 7.0.0.
-
The view for “Archives shared by multiple applications” is deprecated in MTA version 7.0.0.
-
The view for “Review rule providers execution overview” deprecated in MTA version 7.0.0.