Alexander Kriegisch created DOXIASITETOOLS-229:
--------------------------------------------------

             Summary: Struts Core 1.3.10 has CVE problems
                 Key: DOXIASITETOOLS-229
                 URL: https://issues.apache.org/jira/browse/DOXIASITETOOLS-229
             Project: Maven Doxia Sitetools
          Issue Type: Dependency upgrade
          Components: Site renderer
    Affects Versions: 1.9.2, 1.9.1
            Reporter: Alexander Kriegisch

When publishing artifacts to Sonatype OSSRH staging repositories, Sonatype sends an automatic vulnerability report, such as [this one|https://sbom.lift.sonatype.com/report/T1-0ff0976f7f21c391f20f-dfa463bcb34dd-1622198289-07472a4d66b24ea4b4311d99cb12c09f]. As you can see, it complains about Struts Core 1.3.10.

When running {{mvn dependency:tree}} on my project, I see this (shortened):

{code}
+- org.apache.maven.doxia:doxia-site-renderer:jar:1.9.1:compile
|  +- org.apache.velocity:velocity-tools:jar:2.0:compile
|  |  +- org.apache.struts:struts-core:jar:1.3.10:compile
|  |  |  \- antlr:antlr:jar:2.7.2:compile
|  |  +- org.apache.struts:struts-taglib:jar:1.3.8:compile
|  |  \- org.apache.struts:struts-tiles:jar:1.3.8:compile
{code}

Dependency-managing to Site Renderer 1.9.2 makes no difference, because it still depends on Velocity Tools 2.0 and thus indirectly on Struts Core 1.3.10.

Can this be fixed? Meanwhile, is there any compatible Struts Core version without the 17 CVEs listed in that report, which I can manage the dependency to in order to get a clean report next time?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
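One way to get a clean report without waiting for an upstream fix is to cut the Struts artifacts out of the tree at the point where they enter it. This is an added illustration, not part of the Jira issue or of the Doxia project's own configuration; it assumes the project declares doxia-site-renderer as a direct dependency (as the tree above suggests) and that the site renderer does not exercise the Struts-specific parts of velocity-tools at runtime, which has to be verified by running the site build afterwards.

```xml
<!-- Constructed example POM fragment. The groupId/artifactId values are the
     ones shown in the dependency tree of the report; the assumption that the
     site renderer works without Struts on the classpath must be verified. -->
<dependency>
  <groupId>org.apache.maven.doxia</groupId>
  <artifactId>doxia-site-renderer</artifactId>
  <version>1.9.1</version>
  <exclusions>
    <!-- Excluding struts-core also drops its own transitive antlr:antlr:2.7.2. -->
    <exclusion>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts-core</artifactId>
    </exclusion>
    <exclusion>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts-taglib</artifactId>
    </exclusion>
    <exclusion>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts-tiles</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

After adding the exclusions, re-run {{mvn dependency:tree}}: no org.apache.struts entries should remain under velocity-tools, and the site build should be run to confirm nothing needed them.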