[
https://issues.jboss.org/browse/JBIDE-26865?page=com.atlassian.jira.plugi...
]
André Dietisheim edited comment on JBIDE-26865 at 9/26/19 7:12 AM:
-------------------------------------------------------------------
Commons-validator depends on commons-beanutils. commons-beanutils was updated to 1.9.4 but
commons-validator still uses the old 1.9.2 version.
Nevertheless we only use commons-validator proper, we're not using the
commons-beanutils bits:
* we only use URLValidator and DomainValidator (which don't use beanutils)
* consistently, we only copy commons-validator into our lib/ folder, none of its dependencies:
{code:title=https://github.com/jbosstools/jbosstools-openshift/blob/master/plugins/org.jboss.tools.openshift.ui/pom.xml#L39}
<configuration>
  <skip>false</skip>
  <outputDirectory>${basedir}/lib/</outputDirectory>
  <!-- baseVersion is to avoid SNAPSHOT dependencies being copied with
       ever daily changing timestamp -->
  <useBaseVersion>true</useBaseVersion>
  <artifactItems>
    <artifactItem>
      <groupId>commons-validator</groupId>
      <artifactId>commons-validator</artifactId>
      <version>${commons-validator.version}</version>
    </artifactItem>
  </artifactItems>
</configuration>
{code}
was (Author: adietish):
commons-beanutils was updated to 1.9.4 but the dependency wasn't updated in
commons-validator.
Nevertheless we only use commons-validator proper, we're not using the
commons-beanutils bits:
* we only use URLValidator and DomainValidator (which don't use beanutils)
* consistently, we only copy commons-validator into our lib/ folder, none of its dependencies:
{code:title=https://github.com/jbosstools/jbosstools-openshift/blob/master/plugins/org.jboss.tools.openshift.ui/pom.xml#L39}
<configuration>
  <skip>false</skip>
  <outputDirectory>${basedir}/lib/</outputDirectory>
  <!-- baseVersion is to avoid SNAPSHOT dependencies being copied with
       ever daily changing timestamp -->
  <useBaseVersion>true</useBaseVersion>
  <artifactItems>
    <artifactItem>
      <groupId>commons-validator</groupId>
      <artifactId>commons-validator</artifactId>
      <version>${commons-validator.version}</version>
    </artifactItem>
  </artifactItems>
</configuration>
{code}
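A check a maintainer could run against the shipped lib/ folder to confirm the claim in the comment above, namely that commons-validator is copied without any commons-beanutils code. This is an added example, not code from the JBoss Tools project; the jar contents it scans are constructed fixtures built in a temporary directory.

```python
import os
import tempfile
import zipfile

BEANUTILS_PREFIX = "org/apache/commons/beanutils/"
VALIDATOR_PREFIX = "org/apache/commons/validator/"


def scan_lib(lib_dir):
    """Return (beanutils_jars, validator_jars) found in lib_dir. A jar counts as
    beanutils by file name or by any entry in the beanutils package, so an
    unrelocated copy bundled inside another jar is caught as well."""
    beanutils_jars, validator_jars = [], []
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        with zipfile.ZipFile(os.path.join(lib_dir, name)) as jar:
            entries = jar.namelist()
        if name.startswith("commons-beanutils") or any(
                e.startswith(BEANUTILS_PREFIX) for e in entries):
            beanutils_jars.append(name)
        if any(e.startswith(VALIDATOR_PREFIX) for e in entries):
            validator_jars.append(name)
    return beanutils_jars, validator_jars


def make_jar(path, entries):
    """Write a constructed jar whose entries are empty placeholder files."""
    with zipfile.ZipFile(path, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")


def demo():
    """Scan a lib/ that ships only commons-validator and one that leaks beanutils."""
    root = tempfile.mkdtemp()
    clean = os.path.join(root, "clean")
    leaky = os.path.join(root, "leaky")
    for d in (clean, leaky):
        os.mkdir(d)
    # Constructed fixtures: only the two validator classes the plugin uses.
    make_jar(os.path.join(clean, "commons-validator-1.6.jar"),
             [VALIDATOR_PREFIX + "routines/UrlValidator.class",
              VALIDATOR_PREFIX + "routines/DomainValidator.class"])
    make_jar(os.path.join(leaky, "commons-validator-1.6.jar"),
             [VALIDATOR_PREFIX + "routines/UrlValidator.class"])
    make_jar(os.path.join(leaky, "commons-beanutils-1.9.2.jar"),
             [BEANUTILS_PREFIX + "BeanUtils.class"])
    return scan_lib(clean), scan_lib(leaky)
```

Point `scan_lib` at the real lib/ directory of the built plugin; a non-empty first list means the vulnerable transitive dependency is being shipped after all.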
Fix security warning due to commons-validator 1.6
-------------------------------------------------
Key: JBIDE-26865
URL: https://issues.jboss.org/browse/JBIDE-26865
Project: Tools (JBoss Tools)
Issue Type: Enhancement
Components: openshift
Affects Versions: 4.13.0.AM1
Reporter: Jeff MAURY
Assignee: André Dietisheim
Priority: Major
Fix For: 4.13.0.Final
commons-validator 1.6 has a dependency on commons-beanutils 1.9.2, which has a security vulnerability.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)