Posted to issues@maven.apache.org by "Alexander Kriegisch (Jira)" <ji...@apache.org> on 2021/05/28 12:08:00 UTC

[jira] [Created] (DOXIASITETOOLS-229) Struts Core 1.3.10 has CVE problems

Alexander Kriegisch created DOXIASITETOOLS-229:
--------------------------------------------------

             Summary: Struts Core 1.3.10 has CVE problems
                 Key: DOXIASITETOOLS-229
                 URL: https://issues.apache.org/jira/browse/DOXIASITETOOLS-229
             Project: Maven Doxia Sitetools
          Issue Type: Dependency upgrade
          Components: Site renderer
    Affects Versions: 1.9.2, 1.9.1
            Reporter: Alexander Kriegisch


When publishing artifacts to Sonatype OSSRH staging repositories, Sonatype sends an automatic vulnerability report, such as [this one|https://sbom.lift.sonatype.com/report/T1-0ff0976f7f21c391f20f-dfa463bcb34dd-1622198289-07472a4d66b24ea4b4311d99cb12c09f].

As you can see, it complains about Struts Core 1.3.10. When running {{mvn dependency:tree}} on my project, I see this (shortened):

{code}
+- org.apache.maven.doxia:doxia-site-renderer:jar:1.9.1:compile
|  +- org.apache.velocity:velocity-tools:jar:2.0:compile
|  |  +- org.apache.struts:struts-core:jar:1.3.10:compile
|  |  |  \- antlr:antlr:jar:2.7.2:compile
|  |  +- org.apache.struts:struts-taglib:jar:1.3.8:compile
|  |  \- org.apache.struts:struts-tiles:jar:1.3.8:compile
{code}

Dependency-managing to Site Renderer 1.9.2 makes no difference, because it still depends on Velocity Tools 2.0 and thus indirectly on Struts Core 1.3.10.

Can this be fixed? Meanwhile, is there any compatible Struts Core version without the 17 CVEs listed in that report, which I can manage the dependency to in order to get a clean report next time?
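The dependency tree above shows the usual way a flagged library reaches a project: not as a direct dependency but several levels down, so the artifact that must be managed or excluded is the one at the top of the chain, not the flagged one. The following script is an added example, not part of the Jira issue or of Doxia Sitetools: it parses `mvn dependency:tree` output into parent/child nodes, looks up a watch list of coordinates (here the constructed list contains only `org.apache.struts:struts-core`), and prints the chain of artifacts that pulls each hit in. The sample input is the shortened tree quoted in the issue, embedded as a string.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: the shortened `mvn dependency:tree` excerpt quoted in the issue.
SAMPLE_TREE = """\
+- org.apache.maven.doxia:doxia-site-renderer:jar:1.9.1:compile
|  +- org.apache.velocity:velocity-tools:jar:2.0:compile
|  |  +- org.apache.struts:struts-core:jar:1.3.10:compile
|  |  |  \\- antlr:antlr:jar:2.7.2:compile
|  |  +- org.apache.struts:struts-taglib:jar:1.3.8:compile
|  |  \\- org.apache.struts:struts-tiles:jar:1.3.8:compile
"""

# One tree line: an indent made of 3-character cells ("|  " or "   "),
# then "+- " or "\- ", then the Maven coordinates.
NODE_RE = re.compile(r"^(?P<indent>(?:[| ]  )*)[+\\]- (?P<coords>\S+)$")


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int
    parent: Optional["Node"]

    @property
    def ga(self) -> str:
        return f"{self.group}:{self.artifact}"

    def chain(self) -> List[str]:
        """Path from the direct dependency down to this node, as group:artifact:version."""
        path, node = [], self
        while node is not None:
            path.append(f"{node.ga}:{node.version}")
            node = node.parent
        return list(reversed(path))


def parse_tree(text: str) -> List[Node]:
    """Turn dependency:tree output into Node objects linked to their parents."""
    nodes: List[Node] = []
    stack: List[Node] = []  # stack[i] is the most recent node at depth i + 1
    for line in text.splitlines():
        m = NODE_RE.match(line.rstrip())
        if not m:
            continue  # root artifact line or unrelated log output
        depth = len(m.group("indent")) // 3 + 1
        parts = m.group("coords").split(":")
        if len(parts) == 5:   # group:artifact:type:version:scope
            group, artifact, _type, version, scope = parts
        elif len(parts) == 6: # group:artifact:type:classifier:version:scope
            group, artifact, _type, _classifier, version, scope = parts
        else:
            raise ValueError(f"unexpected coordinates: {line!r}")
        del stack[depth - 1:]               # drop deeper siblings' subtrees
        parent = stack[-1] if stack else None
        node = Node(group, artifact, version, scope, depth, parent)
        stack.append(node)
        nodes.append(node)
    return nodes


def find_watched(nodes: List[Node], watchlist: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (group:artifact, version, chain) for every node on the watch list."""
    return [(n.ga, n.version, " -> ".join(n.chain())) for n in nodes if n.ga in watchlist]


def direct_dependency_to_manage(nodes: List[Node], ga: str) -> Optional[str]:
    """The top-level dependency whose subtree introduces `ga` (where to put an exclusion)."""
    for n in nodes:
        if n.ga == ga:
            return n.chain()[0]
    return None


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    # Constructed watch list; in practice this would come from the scanner report.
    for ga, version, chain in find_watched(tree, {"org.apache.struts:struts-core"}):
        print(f"{ga}:{version} is pulled in via: {chain}")
        print(f"  manage/exclude at: {direct_dependency_to_manage(tree, ga)}")
```

Run it with `python3 deptree_watch.py` (any filename works) or feed a real `mvn dependency:tree` capture into `parse_tree`; lines that do not match the tree syntax, such as Maven's `[INFO]` prefix, should be stripped first. The parser keeps a stack keyed by depth so that a `\-` last-child line correctly closes its parent's subtree before the next sibling is read.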



--
This message was sent by Atlassian Jira
(v8.3.4#803005)