[jbosstools-issues] [JBoss JIRA] (JBIDE-26865) Fix security warning due to commons-validator 1.6
André Dietisheim (Jira)
issues at jboss.org
Thu Sep 26 07:14:00 EDT 2019
[ https://issues.jboss.org/browse/JBIDE-26865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13789454#comment-13789454 ]
André Dietisheim edited comment on JBIDE-26865 at 9/26/19 7:13 AM:
-------------------------------------------------------------------
Commons-validator depends on commons-beanutils. commons-beanutils was updated to 1.9.4 but commons-validator still uses the old 1.9.2 version.
Nevertheless we only use commons-validator proper, we're not using the commons-beanutils bits that it depends on for certain validators:
* we only use URLValidator and DomainValidator (which don't use beanutils)
* consistently, we only copy commons-validator into our lib/ folder, none of its dependencies:
{code:title=https://github.com/jbosstools/jbosstools-openshift/blob/master/plugins/org.jboss.tools.openshift.ui/pom.xml#L39}
<configuration>
<skip>false</skip>
<outputDirectory>${basedir}/lib/</outputDirectory>
<!-- baseVersion is to avoid SNAPSHOT dependencies being copied with
ever daily changing timestamp -->
<useBaseVersion>true</useBaseVersion>
<artifactItems>
<artifactItem>
<groupId>commons-validator</groupId>
<artifactId>commons-validator</artifactId>
<version>${commons-validator.version}</version>
</artifactItem>
</artifactItems>
</configuration>
{code}
was (Author: adietish):
Commons-validator depends on commons-beanutils. commons-beanutils was updated to 1.9.4 but commons-validator still uses the old 1.9.2 version.
Nevertheless we only use commons-validator proper, we're not using the commons-beanutils bits:
* we only use URLValidator and DomainValidator (which don't use beanutils)
* consistently, we only copy commons-validator into our lib/ folder, none of its dependencies:
{code:title=https://github.com/jbosstools/jbosstools-openshift/blob/master/plugins/org.jboss.tools.openshift.ui/pom.xml#L39}
<configuration>
<skip>false</skip>
<outputDirectory>${basedir}/lib/</outputDirectory>
<!-- baseVersion is to avoid SNAPSHOT dependencies being copied with
ever daily changing timestamp -->
<useBaseVersion>true</useBaseVersion>
<artifactItems>
<artifactItem>
<groupId>commons-validator</groupId>
<artifactId>commons-validator</artifactId>
<version>${commons-validator.version}</version>
</artifactItem>
</artifactItems>
</configuration>
{code}
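As an added example, not part of the JIRA thread or the jbosstools project, here is a Python check for the kind of claim made above (that the validator classes actually used do not pull in commons-beanutils): it scans each .class entry of a jar for constant-pool strings naming the beanutils package, which is how static class references appear in JVM bytecode. The jar it inspects is a constructed stand-in, and the entry names in it are assumptions, not the real commons-validator jar's contents.

```python
import io
import zipfile

# Package whose presence in bytecode we want to detect. JVM class files store
# class references in the constant pool as slash-separated UTF-8 strings.
BEANUTILS_PKG = b"org/apache/commons/beanutils/"


def classes_referencing(jar_bytes, package=BEANUTILS_PKG):
    """Return the .class entries of a jar whose bytes mention `package`.
    A byte search over each entry is a cheap approximation of walking the
    constant pool: it finds static references, not reflection-based loading."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class") and package in jar.read(name):
                hits.append(name)
    return sorted(hits)


def build_fake_jar(entries):
    """Constructed stand-in for a real jar: a zip of entry-name -> fake class
    bytes (only the constant-pool-like strings matter for this check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, payload in entries.items():
            jar.writestr(name, payload)
    return buf.getvalue()


# Constructed sample jar (entry names are placeholders, not the real jar).
# The two validator classes carry no beanutils reference; a third entry does.
SAMPLE_JAR = build_fake_jar({
    "org/apache/commons/validator/routines/UrlValidator.class":
        b"\xca\xfe\xba\xbe" + b"java/lang/String" + b"java/util/regex/Pattern",
    "org/apache/commons/validator/routines/DomainValidator.class":
        b"\xca\xfe\xba\xbe" + b"java/lang/String",
    "org/apache/commons/validator/SomeBeanBackedValidator.class":
        b"\xca\xfe\xba\xbe" + b"org/apache/commons/beanutils/PropertyUtils",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
})


def used_classes_are_clean(jar_bytes, used):
    """True if none of the classes we actually use reference beanutils."""
    return not (set(classes_referencing(jar_bytes)) & set(used))
```

Run against a real jar, the hit list tells you which classes would fail at runtime if beanutils is absent from lib/, and whether any of them are on your own call path.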
> Fix security warning due to commons-validator 1.6
> ------------------------------------------------
>
> Key: JBIDE-26865
> URL: https://issues.jboss.org/browse/JBIDE-26865
> Project: Tools (JBoss Tools)
> Issue Type: Enhancement
> Components: openshift
> Affects Versions: 4.13.0.AM1
> Reporter: Jeff MAURY
> Assignee: André Dietisheim
> Priority: Major
> Fix For: 4.13.0.Final
>
>
> commons validator 1.6 has a dependency to commons-beanutils 1.9.2 which has a security vulnerability.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)