Posted to users@maven.apache.org by "Kotamarti, Usha" <us...@bofa.com.INVALID> on 2020/02/18 20:44:15 UTC
Velocity and Struts dependencies causing vulnerabilities
Hello,
We have an issue with the version of the Velocity and Struts taglib, tiles and core jars that Maven maven-pmd-plugin and maven-checkstyle-plugin are using.
Velocity version 2.0 and Struts 1.3.8 have security vulnerabilities.
These 2 plugins need to be upgraded to use velocity-tools version 3.0 and Struts 2.3.x or 2.5.x. Do you have a plan to do that? If not, would you please
let us know if there is a workaround to explicitly specify which versions of Velocity and Struts we would like pmd-plugin and checkstyle-plugin to use?
Thank you!
Usha Kotamarti
----------------------------------------------------------------------
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.
Re: Velocity and Struts dependencies causing vulnerabilities
Posted by Martin Gainty <mg...@hotmail.com>.
usha could you repost this issue to user@struts.apache.org?
if struts-taglib has a security vulnerability Lukasz and the Struts Team should be able to fix it
Good luck
martin-
________________________________
From: Hervé BOUTEMY <he...@free.fr>
Sent: Tuesday, February 18, 2020 4:45 PM
To: Maven Users List <us...@maven.apache.org>
Subject: Re: Velocity and Struts dependencies causing vulnerabilities
Hi,
We have a plan: instead of upgrading, we'll remove the dependencies, see
https://issues.apache.org/jira/browse/DOXIASITETOOLS-215
Doxia Sitetools 1.9.2 release is planned in a few days, then we'll need to
release every reporting plugin after.
Notice that these components are vulnerable, but they are used in Maven
plugins, not in a web application, so the vulnerability is not really
accessible: there is no real issue other than unused dependencies pulled by
reporting plugins.
Regards,
Hervé
On Tuesday 18 February 2020, 21:44:15 CET, Kotamarti, Usha wrote:
> Hello,
>
> We have an issue with the version of the Velocity and Struts taglib, tiles and
> core jars that Maven maven-pmd-plugin and maven-checkstyle-plugin are
> using. Velocity version 2.0 and Struts 1.3.8 have security vulnerabilities.
>
> These 2 plugins need to be upgraded to use velocity-tools version 3.0 and
> Struts 2.3.x or 2.5.x. Do you have a plan to do that? If not, would you
> please let us know if there is a workaround to explicitly specify which
> versions of Velocity and Struts we would like pmd-plugin and
> checkstyle-plugin to use?
>
> Thank you!
> Usha Kotamarti
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org
Re: Velocity and Struts dependencies causing vulnerabilities
Posted by Hervé BOUTEMY <he...@free.fr>.
Hi,
We have a plan: instead of upgrading, we'll remove the dependencies, see
https://issues.apache.org/jira/browse/DOXIASITETOOLS-215
Doxia Sitetools 1.9.2 release is planned in a few days, then we'll need to
release every reporting plugin after.
Notice that these components are vulnerable, but they are used in Maven
plugins, not in a web application, so the vulnerability is not really
accessible: there is no real issue other than unused dependencies pulled by
reporting plugins.
Regards,
Hervé
On Tuesday 18 February 2020, 21:44:15 CET, Kotamarti, Usha wrote:
> Hello,
>
> We have an issue with the version of the Velocity and Struts taglib, tiles and
> core jars that Maven maven-pmd-plugin and maven-checkstyle-plugin are
> using. Velocity version 2.0 and Struts 1.3.8 have security vulnerabilities.
>
> These 2 plugins need to be upgraded to use velocity-tools version 3.0 and
> Struts 2.3.x or 2.5.x. Do you have a plan to do that? If not, would you
> please let us know if there is a workaround to explicitly specify which
> versions of Velocity and Struts we would like pmd-plugin and
> checkstyle-plugin to use?
>
> Thank you!
> Usha Kotamarti
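The workaround Usha asks about, and that the thread never spells out, is Maven's plugin-level `<dependencies>` block: artifacts declared there take precedence over the same artifacts in the plugin's own transitive dependency tree, and `<exclusions>` on them drop jars the plugin does not need. The pom.xml fragment below is an added illustration of that mechanism, not code from the thread, from the Maven project or from Doxia; the plugin version, the `velocity-tools` version and the Struts artifact coordinates are placeholders and assumptions to be checked against Maven Central and the plugin's release notes before use. It follows Hervé's reasoning (the Struts jars are unused in a reporting plugin) by excluding them rather than swapping in a different Struts major version, which would change artifact coordinates and is unlikely to load. The real fix remains the dependency removal tracked in DOXIASITETOOLS-215.

```xml
<!-- Added example, not from the thread: pin or drop the Velocity/Struts jars that a
     reporting plugin loads. All version values and the Struts coordinates below are
     placeholders/assumptions; verify them before adopting this in a build. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-pmd-plugin</artifactId>
      <version>PMD_PLUGIN_VERSION_PLACEHOLDER</version>
      <dependencies>
        <!-- A dependency declared here wins over the plugin's own transitive copy
             of the same groupId:artifactId, so this is where the version is pinned. -->
        <dependency>
          <groupId>org.apache.velocity</groupId>
          <artifactId>velocity-tools</artifactId>
          <version>VELOCITY_TOOLS_VERSION_PLACEHOLDER</version>
          <exclusions>
            <!-- The Struts 1.x jars reach the plugin only through velocity-tools and
                 are unused there (per Hervé's note), so exclude them instead of
                 trying to replace them with Struts 2.x, which has different
                 artifact coordinates. Struts artifactIds are assumptions. -->
            <exclusion>
              <groupId>org.apache.struts</groupId>
              <artifactId>struts-core</artifactId>
            </exclusion>
            <exclusion>
              <groupId>org.apache.struts</groupId>
              <artifactId>struts-taglib</artifactId>
            </exclusion>
            <exclusion>
              <groupId>org.apache.struts</groupId>
              <artifactId>struts-tiles</artifactId>
            </exclusion>
          </exclusions>
        </dependency>
      </dependencies>
    </plugin>
    <!-- Each plugin runs in its own class realm, so maven-checkstyle-plugin needs
         an identical <dependencies> block of its own; in a multi-module build put
         both under <pluginManagement> so every module inherits the override. -->
  </plugins>
</build>
```

To confirm what actually changed, list the resolved plugin classpaths before and after the edit with `mvn dependency:resolve-plugins` (a goal of maven-dependency-plugin) and diff the two outputs; the Struts entries should disappear under the PMD and Checkstyle plugins and nowhere else. Then run the report goal once (for example `mvn pmd:pmd`) to make sure the plugin still renders with the excluded jars gone, since an exclusion that removes a class the site renderer does load would only show up at runtime.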