Genome annotation editor, with a Java servlet backend and a Javascript client that runs in a web browser as a JBrowse plugin
@scottcain looks like it's a problem with grails: grails/grails-core#11825. I realized it wasn't just docker, I couldn't build Apollo locally, either. Hopefully I'll have a fix in develop soon: GMOD/Apollo#2624.
Sorry, just put this on the twitters. Building a genome browser from neo4j: https://twitter.com/precogincog/status/1405612735077908481 . Not sure if the title is misleading, but its still kind of interesting.
@childers for now (sorry for a very late response), you can use apache + https://genomearchitect.readthedocs.io/en/latest/OpenIDConnectAuthentication.html?highlight=REMOTE#apollo-configuration
Does Apollo support java 17? I know the docs say 8+ but that is a pretty big jump
If you've got a list of of organism common names or so, use arrow
https://github.com/galaxy-genome-annotation/python-apollo you can pretty quickly write a loop in bash to call the delete organism function
(and of course, our devops guy says to me again: “ you should really create a base container that has a chado database already in it”. yeah, yeah, I know.)
2 replies
so, just need to merge that in
probably a few other places as well
Oh yeah no worries, didn't know if you knew, and yeah new moving parts is always more work, totally get it.
Hour and a half to rebuild
Oof yeah that's a mood.
I did not see the issue before, thanks for the post.
"Upper IT" at aTm is very involved right now, and some of it is about 1.X. However, I just got out of a meeting and I'll know over the next few days about how much they want to treat it as an actual problem. I'll keep y'all posted on what is found out.
Yeah, the latest one applies under non standard configuration with something related to JMS toggled. I added it to that GitHub issue, but probably not affecting most folks
Once we've seen that there are many critical and high issues, we can't ignore it. I am really unqualified in terms of Java development, but am tryin to slog through updating components. Is there anyone on the JBrowse/Apollo dev team or other developers that are interested in coming together to help update test these updates?
@childers it is using 1.2.17 . . . not sure all of the risks, but here: https://logging.apache.org/log4j/2.x/security.html . . mostly log4j 1 isn't affected for most of these.
No, not suggesting ignoring it, just that the exploit not applying to most users means it's a lot lower of a priority. The list Colin posted was definitely full of things to address, but for a lot we shouldn't discard that the exploits simply don't work for many instances, that should factor in the "panic patching" calculation a bit.
@hexylena:matrix.org Apologies for my language there, I didn't think that the list of errors was being ignored, it's good to see that there is interest to bring the dependencies up to date. I am concerned because I read the earlier statements as dismissive of the critical and high vulnerabilities. Just because the log4j is not impacted by this critical vulnerability, there is another critical vulnerability that affects the version that is being used.
Oh no worries, apologies for coming across dismissive, I can see that interpretation for sure. I wish I had bandwidth to work on any of these myself
I think I personally am stuck with defense in depth and locking it down as much as possible, not sure what else we can do, it's such a long list
And worse it looks like less than half have a fix available which is not great
I can't remember if we posted it or not, but for other large Apollo users, we built this to work around slow loading of large large organism lists. For hundreds of organisms it can take load times from 10 minutes to 30 seconds. https://github.com/galaxy-genome-annotation/apolpi/
There aren't that many routes with this issue that a shim works fine
I’m going to create an Apollo instance for AGR that has the NIH origanisms in it (human, rat, mouse, zebrafish, worm, fly and yeast) in it, and (presumably) back it with Chado as a demonstration with the idea of promoting it as the tool to be used by sequence curators at the respective MODs to use. Can I just fire up docker-compose with Apollo and Chado and I’m off to the races?
(actually, the only organisms in it might be yeast, worm and fly, at least to start)
If you want to use the postgresql db it sets up that's fine, I was just thinking your DB would be in your Chado docker image instead. TBH I don't really know how to integrate Apollo and Chado, but looking at the docs you might still need the buildt-in postgresql since Chado is just for exporting: https://genomearchitect.readthedocs.io/en/latest/ChadoExport.html
FYI @scottcain @hexylena:matrix.org had one setup long ago that used a compose file if that helps. However like @garrettjstevens said Chado should be baked in already. Looks like its using 1.31 here: https://github.com/GMOD/Apollo/blob/develop/Dockerfile#L37 . . if you just fix this line you can get one here, but converting these to use docker compose shouldn't be that hard either.
I've been trying to move the log4j issues in apollo2.x forward with really limited success. Right now I'm trying to use the bridge files to get Apollo2 to the current log4j version without having to recode anything but it isn't working. It's building, and the deploy says it works, but the deployed WAR isn't recognized.
https://logging.apache.org/log4j/2.x/log4j-1.2-api/index.html
https://logging.apache.org/log4j/2.x/log4j-1.2-api/index.html