Posted to issues@maven.apache.org by "Richard O'Sullivan (Jira)" <ji...@apache.org> on 2022/08/03 15:15:00 UTC

[jira] [Commented] (MSHARED-848) Code Improvement in ReaderFactory to get rid of commons-io dependency

    [ https://issues.apache.org/jira/browse/MSHARED-848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17574761#comment-17574761 ] 

Richard O'Sullivan commented on MSHARED-848:
--------------------------------------------

Apache Commons IO before 2.7 is vulnerable to [https://nvd.nist.gov/vuln/detail/CVE-2021-29425], "Improper Limitation of a Pathname to a Restricted Directory". The NIST NVD Severity Score is 4.8, MEDIUM. Since the latest Long-Term Support (LTS) version of Java is now V17, the update to commons-io 2.7 or higher or removal of same should be reconsidered.

> Code Improvement in ReaderFactory to get rid of commons-io dependency
> ---------------------------------------------------------------------
>
>                 Key: MSHARED-848
>                 URL: https://issues.apache.org/jira/browse/MSHARED-848
>             Project: Maven Shared Components
>          Issue Type: Improvement
>          Components: maven-shared-utils
>    Affects Versions: maven-shared-utils-3.3.3
>            Reporter: Karl Heinz Marbaise
>            Priority: Minor
>
> Currently the dependency on:
> {code:xml}
>     <dependency>
>       <groupId>commons-io</groupId>
>       <artifactId>commons-io</artifactId>
>       <version>2.6</version>
>     </dependency>
> {code}
> is only needed within the class {{ReaderFactory}} which imports {{org.apache.commons.io.input.XmlStreamReader}}.
> The question: Can that be replaced with something different? In consequence we could get rid of the dependency on {{commons-io}}.
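To make concrete what {{XmlStreamReader}} does for {{ReaderFactory}}, here is an illustrative stand-in written for this comment; it is not code from maven-shared-utils or commons-io, the class and method names are my own, and it assumes Java 11 or later for {{InputStream.readNBytes}}. It sniffs a BOM or the {{encoding}} pseudo-attribute of the XML declaration from the first bytes, falls back to UTF-8 as XML 1.0 requires, and rejects an unknown encoding name instead of guessing.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PushbackInputStream;
import java.io.Reader;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
// Illustrative stand-in for commons-io's XmlStreamReader (hypothetical class, not project code).
public final class SimpleXmlReader {
    // Matches the encoding pseudo-attribute of an XML declaration at the start of the stream.
    private static final Pattern ENCODING_DECL =
        Pattern.compile("^<\\?xml[^>]*?encoding\\s*=\\s*[\"']([A-Za-z][A-Za-z0-9._-]*)[\"']");
    private static final int PROBE = 256; // bytes inspected; ample for any XML declaration
    // Opens the stream as text, decoding with the charset found in the BOM or XML declaration.
    public static Reader open(InputStream in) throws IOException {
        PushbackInputStream pin = new PushbackInputStream(in, PROBE);
        byte[] head = pin.readNBytes(PROBE);   // Java 11+; shorter than PROBE only at EOF
        pin.unread(head, 0, head.length);      // hand the probed bytes back so the Reader sees everything
        Charset cs = detect(head, head.length);
        if (hasUtf8Bom(head, head.length)) {
            pin.skip(3); // Java's UTF-8 decoder would otherwise surface the BOM as U+FEFF
        }
        return new InputStreamReader(pin, cs);
    }
    // BOM first, then the declaration's encoding; unknown names are rejected rather than guessed.
    static Charset detect(byte[] b, int n) throws IOException {
        if (hasUtf8Bom(b, n)) {
            return StandardCharsets.UTF_8;
        }
        if (n >= 2 && ((b[0] & 0xFF) == 0xFE && (b[1] & 0xFF) == 0xFF
                || (b[0] & 0xFF) == 0xFF && (b[1] & 0xFF) == 0xFE)) {
            return StandardCharsets.UTF_16; // this decoder consumes the BOM and takes byte order from it
        }
        // No BOM: an XML declaration is ASCII-compatible, so sniff it through ISO-8859-1.
        Matcher m = ENCODING_DECL.matcher(new String(b, 0, n, StandardCharsets.ISO_8859_1));
        if (!m.find()) {
            return StandardCharsets.UTF_8; // XML 1.0 default when nothing says otherwise
        }
        try {
            return Charset.forName(m.group(1));
        } catch (IllegalArgumentException e) {
            throw new IOException("unsupported encoding declared: " + m.group(1), e);
        }
    }
    private static boolean hasUtf8Bom(byte[] b, int n) {
        return n >= 3 && (b[0] & 0xFF) == 0xEF && (b[1] & 0xFF) == 0xBB && (b[2] & 0xFF) == 0xBF;
    }
}
```

The real {{XmlStreamReader}} additionally handles BOM-less UTF-16 and the HTTP {{Content-Type}} charset, so any replacement in {{ReaderFactory}} would need to decide which of those cases it must keep.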



--
This message was sent by Atlassian Jira
(v8.20.10#820010)