Priti Rane created DROOLS-5212:
----------------------------------
Summary: Latest Drools-compiler version has dependency of
xstream-1.4.11.1.jar which causing HIGH vulnerability CVE-2013-7285
Key: DROOLS-5212
URL:
https://issues.redhat.com/browse/DROOLS-5212
Project: Drools
Issue Type: Enhancement
Reporter: Priti Rane
Assignee: Mario Fusco
All drools compiler versions after 7.21.0.Final are using xstream version 1.14.11.1. We
are using anchore engine for vulnerability scan and it is giving HIGH vulnerability
CVE-2013-7285 -
https://nvd.nist.gov/vuln/detail/CVE-2013-7285. There is a workaround to
implement the security framework. However we are using kie-ci jar which has the
drools-compiler dependency. So to resolve this , we have to implement the workaround in
drools-compiler source code and build the jar and use it. But this solution is not
maintainable.
Is there any plans to implement the security framework in next version of drools-compiler
?
--
This message was sent by Atlassian Jira
(v7.13.8#713008)