Posted to issues@maven.apache.org by "Richard O'Sullivan (Jira)" <ji...@apache.org> on 2022/08/03 15:15:00 UTC
[jira] [Commented] (MSHARED-848) Code Improvement in ReaderFactory to get rid of commons-io dependency
[ https://issues.apache.org/jira/browse/MSHARED-848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17574761#comment-17574761 ]
Richard O'Sullivan commented on MSHARED-848:
--------------------------------------------
Apache Commons IO before 2.7 is vulnerable to [https://nvd.nist.gov/vuln/detail/CVE-2021-29425], "Improper Limitation of a Pathname to a Restricted Directory". The NIST NVD Severity Score is 4.8, MEDIUM. Since the latest Long-Term Support (LTS) version of Java is now V17, the update to commons-io 2.7 or higher or removal of same should be reconsidered.
> Code Improvement in ReaderFactory to get rid of commons-io dependency
> ---------------------------------------------------------------------
>
> Key: MSHARED-848
> URL: https://issues.apache.org/jira/browse/MSHARED-848
> Project: Maven Shared Components
> Issue Type: Improvement
> Components: maven-shared-utils
> Affects Versions: maven-shared-utils-3.3.3
> Reporter: Karl Heinz Marbaise
> Priority: Minor
>
> Currently the dependency to:
> {code:xml}
> <dependency>
> <groupId>commons-io</groupId>
> <artifactId>commons-io</artifactId>
> <version>2.6</version>
> </dependency>
> {code}
> is only needed within the class {{ReaderFactory}} which imports {{org.apache.commons.io.input.XmlStreamReader}}.
> The question: Can that be replaced with something different? In consequence we could get rid of the dependency on {{commons-io}}.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
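The quoted issue asks whether {{org.apache.commons.io.input.XmlStreamReader}} can be replaced with something that does not pull in commons-io, which would also remove the exposure the comment above describes. The following is an added example written for this page, not code from maven-shared-utils or from Commons IO: a small JDK-only reader that applies the encoding-detection rules of XML 1.0 Appendix F (byte order mark, then the byte pattern of "<?xml", then the encoding pseudo-attribute of the declaration, defaulting to UTF-8). The class name XmlEncodingSniffer, the 1024-byte prolog window and the constructed sample documents in main are assumptions of the example; UTF-32 and the HTTP Content-Type handling that the Commons IO class also offers are deliberately out of scope.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PushbackInputStream;
import java.io.Reader;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical stand-in for commons-io's XmlStreamReader (example code, not maven-shared-utils).
 * Detects the charset of an XML byte stream from the BOM, the byte pattern of "<?xml",
 * or the encoding pseudo-attribute of the XML declaration, following XML 1.0 Appendix F.
 */
public final class XmlEncodingSniffer {

    /** Bytes inspected for a declaration (assumed window); the declaration must fit in this prefix. */
    private static final int PROLOG_BYTES = 1024;
    private static final Pattern ENCODING_DECL =
        Pattern.compile("^<\\?xml[^>]*?\\sencoding\\s*=\\s*[\"']([A-Za-z][A-Za-z0-9._-]*)[\"']");

    /** Result of sniffing: the charset to decode with and how many leading bytes (a BOM) to drop. */
    public static final class Detection {
        public final Charset charset;
        public final int bomLength;
        Detection(Charset charset, int bomLength) { this.charset = charset; this.bomLength = bomLength; }
    }

    /** Wraps an XML byte stream in a Reader using the detected charset, with any BOM consumed. */
    public static Reader open(InputStream in) throws IOException {
        PushbackInputStream pin = new PushbackInputStream(in, PROLOG_BYTES);
        byte[] head = new byte[PROLOG_BYTES];
        int n = 0;
        for (int r; n < head.length && (r = pin.read(head, n, head.length - n)) != -1; ) {
            n += r;
        }
        Detection d = detect(head, n);
        pin.unread(head, d.bomLength, n - d.bomLength); // hand back everything except the BOM
        return new InputStreamReader(pin, d.charset);
    }

    /** Pure detection over the first {@code len} bytes, kept separate from I/O so it is easy to test. */
    public static Detection detect(byte[] b, int len) throws IOException {
        if (len >= 3 && (b[0] & 0xFF) == 0xEF && (b[1] & 0xFF) == 0xBB && (b[2] & 0xFF) == 0xBF) {
            return new Detection(StandardCharsets.UTF_8, 3);
        }
        if (len >= 2 && (b[0] & 0xFF) == 0xFE && (b[1] & 0xFF) == 0xFF) {
            return new Detection(StandardCharsets.UTF_16BE, 2);
        }
        if (len >= 2 && (b[0] & 0xFF) == 0xFF && (b[1] & 0xFF) == 0xFE) {
            return new Detection(StandardCharsets.UTF_16LE, 2);
        }
        if (len >= 4 && b[0] == 0x00 && b[1] == '<' && b[2] == 0x00 && b[3] == '?') {
            return new Detection(StandardCharsets.UTF_16BE, 0); // "<?" in UTF-16BE without a BOM
        }
        if (len >= 4 && b[0] == '<' && b[1] == 0x00 && b[2] == '?' && b[3] == 0x00) {
            return new Detection(StandardCharsets.UTF_16LE, 0); // "<?" in UTF-16LE without a BOM
        }
        if (len >= 4 && b[0] == '<' && b[1] == '?' && b[2] == 'x' && b[3] == 'm') {
            // ASCII-compatible prolog: the declaration itself is ASCII, so decoding it as Latin-1 is lossless.
            Matcher m = ENCODING_DECL.matcher(new String(b, 0, len, StandardCharsets.ISO_8859_1));
            if (m.find()) {
                String name = m.group(1);
                if (!Charset.isSupported(name)) {
                    // Refuse rather than silently mis-decode: an unknown declared encoding is a malformed input.
                    throw new IOException("XML declaration names unsupported encoding: " + name);
                }
                return new Detection(Charset.forName(name), 0);
            }
        }
        return new Detection(StandardCharsets.UTF_8, 0); // XML default when nothing else says otherwise
    }

    /** Stand-alone run over three constructed sample documents (not real project input). */
    public static void main(String[] args) throws IOException {
        byte[] bomUtf8 = concat(new byte[] {(byte) 0xEF, (byte) 0xBB, (byte) 0xBF},
                "<?xml version=\"1.0\"?><r>\u00e9</r>".getBytes(StandardCharsets.UTF_8));
        byte[] latin1 = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><r>\u00e9</r>"
                .getBytes(StandardCharsets.ISO_8859_1);
        byte[] utf16 = "\uFEFF<?xml version=\"1.0\"?><r>\u00e9</r>".getBytes(StandardCharsets.UTF_16LE);
        for (byte[] doc : new byte[][] {bomUtf8, latin1, utf16}) {
            try (Reader r = open(new ByteArrayInputStream(doc))) {
                StringBuilder sb = new StringBuilder();
                for (int c; (c = r.read()) != -1; ) sb.append((char) c);
                System.out.println(sb); // decoded text of each document, BOM removed
            }
        }
    }

    private static byte[] concat(byte[] a, byte[] b) {
        byte[] out = new byte[a.length + b.length];
        System.arraycopy(a, 0, out, 0, a.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }
}
```

Keeping detect separate from open means the encoding rules can be unit-tested against byte arrays without any stream plumbing, and the PushbackInputStream lets the caller's stream be consumed from its first non-BOM byte, so the XML parser downstream sees exactly the bytes it expects. A declared encoding the JVM does not know is treated as an error instead of being quietly replaced by a default, which is the behaviour a defender wants when the input comes from an untrusted source.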