[DOXIASITETOOLS-229] Struts Core 1.3.10 has CVE problems - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Dependency upgrade
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.9.1
Fix Version/s: 1.9.2
Component/s: Site renderer
Labels:
None

Description

When publishing artifacts to Sonatype OSSRH staging repositories, Sonatype sends an automatic vulnerability report, such as this one.

As you can see, it complains about Struts Core 1.3.10. When running mvn dependency:tree on my project, I see this (shortened):

+- org.apache.maven.doxia:doxia-site-renderer:jar:1.9.1:compile
|  +- org.apache.velocity:velocity-tools:jar:2.0:compile
|  |  +- org.apache.struts:struts-core:jar:1.3.10:compile
|  |  |  \- antlr:antlr:jar:2.7.2:compile
|  |  +- org.apache.struts:struts-taglib:jar:1.3.8:compile
|  |  \- org.apache.struts:struts-tiles:jar:1.3.8:compile

Dependency-managing to Site Renderer 1.9.2 makes no difference, because it still depends on Velocity Tools 2.0 and thus indirectly on Struts Core 1.3.10.

Can this be fixed? Meanwhile, is there any compatible Struts Core version without the 17 CVEs listed in that report, which I can manage the dependency to in order to get a clean report next time?

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

image-2021-07-02-10-15-09-868.png
02/Jul/21 03:15
110 kB
Alexander Kriegisch
screenshot-1.png
01/Jul/21 03:22
109 kB
Alexander Kriegisch

Issue Links

is fixed by

DOXIASITETOOLS-215 avoid reporting plugins pulling in Struts 1.3.8 jar

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Alexander Kriegisch

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 28/May/21 12:07

Updated:: 02/Jul/21 07:45

Resolved:: 01/Jul/21 06:18