Posted to issues@maven.apache.org by "Michael Osipov (Jira)" <ji...@apache.org> on 2021/05/28 14:39:00 UTC

[jira] [Commented] (DOXIASITETOOLS-229) Struts Core 1.3.10 has CVE problems

    [ https://issues.apache.org/jira/browse/DOXIASITETOOLS-229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17353385#comment-17353385 ] 

Michael Osipov commented on DOXIASITETOOLS-229:
-----------------------------------------------

Doxia does not use Struts. The code in Velocity Tools solely exists if you really use Struts.

> Struts Core 1.3.10 has CVE problems
> -----------------------------------
>
>                 Key: DOXIASITETOOLS-229
>                 URL: https://issues.apache.org/jira/browse/DOXIASITETOOLS-229
>             Project: Maven Doxia Sitetools
>          Issue Type: Dependency upgrade
>          Components: Site renderer
>    Affects Versions: 1.9.1, 1.9.2
>            Reporter: Alexander Kriegisch
>            Priority: Major
>
> When publishing artifacts to Sonatype OSSRH staging repositories, Sonatype sends an automatic vulnerability report, such as [this one|https://sbom.lift.sonatype.com/report/T1-0ff0976f7f21c391f20f-dfa463bcb34dd-1622198289-07472a4d66b24ea4b4311d99cb12c09f].
> As you can see, it complains about Struts Core 1.3.10. When running {{mvn dependency:tree}} on my project, I see this (shortened):
> {code}
> +- org.apache.maven.doxia:doxia-site-renderer:jar:1.9.1:compile
> |  +- org.apache.velocity:velocity-tools:jar:2.0:compile
> |  |  +- org.apache.struts:struts-core:jar:1.3.10:compile
> |  |  |  \- antlr:antlr:jar:2.7.2:compile
> |  |  +- org.apache.struts:struts-taglib:jar:1.3.8:compile
> |  |  \- org.apache.struts:struts-tiles:jar:1.3.8:compile
> {code}
> Dependency-managing to Site Renderer 1.9.2 makes no difference, because it still depends on Velocity Tools 2.0 and thus indirectly on Struts Core 1.3.10.
> Can this be fixed? Meanwhile, is there any compatible Struts Core version without the 17 CVEs listed in that report, which I can manage the dependency to in order to get a clean report next time?
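One mitigation consistent with the comment above (the Struts code path in Velocity Tools is only exercised when Struts is actually used) is to exclude the Struts artifacts from the direct doxia-site-renderer dependency shown in the tree. This is an added example, not taken from the issue or from the Doxia project; it assumes doxia-site-renderer is declared directly in the project's pom.xml, as the first level of the quoted tree suggests, and that the project does not itself use Struts.

```xml
<!-- Added example, not from the issue or the Doxia project.
     Assumes doxia-site-renderer 1.9.2 is a direct dependency of the project
     and that nothing in the project uses Struts or the Struts Velocity tools. -->
<dependency>
  <groupId>org.apache.maven.doxia</groupId>
  <artifactId>doxia-site-renderer</artifactId>
  <version>1.9.2</version>
  <exclusions>
    <!-- Exclusions apply to the whole transitive subtree, so these also cut
         struts-core (and its antlr 2.7.2 child) pulled in via velocity-tools 2.0. -->
    <exclusion>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts-core</artifactId>
    </exclusion>
    <exclusion>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts-taglib</artifactId>
    </exclusion>
    <exclusion>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts-tiles</artifactId>
    </exclusion>
  </exclusions>
</dependency>

<!-- Verify afterwards that no Struts artifact remains in the resolved tree:
       mvn dependency:tree -Dincludes=org.apache.struts
     An empty tree for that filter means the exclusions took effect. -->
```

Note that exclusions on a project dependency do not affect artifacts resolved for a plugin (for example maven-site-plugin's own copy of doxia-site-renderer); those would need the same exclusions on the plugin's <dependencies> block if the scanner also reports them.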



--
This message was sent by Atlassian Jira
(v8.3.4#803005)