[ https://issues.apache.org/jira/browse/DOXIASITETOOLS-229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17372345#comment-17372345 ]
Alexander Kriegisch edited comment on DOXIASITETOOLS-229 at 7/1/21, 3:23 AM:
-----------------------------------------------------------------------------

In the 1.10 release notes posted on the mailing list, I am missing this issue. I guess you should assign it the correct target version and close it.

A before/after version bump `mvn dependency:tree` shows that Struts indeed is gone, i.e. I can now remove my dependency excludes:

!screenshot-1.png!

BTW, I wonder why this was still an issue after DOXIASITETOOLS-215 was marked as resolved before. But anyway, now it seems to be done for good.


was (Author: kriegaex):
In the 1.10 release notes posted on the mailing list, I am missing this issue. I guess you should assign it the correct target version and close it.

A before/after version bump `mvn dependency:tree` shows that Struts indeed is gone, i.e. I can now remove my dependency excludes:

!screenshot-1.png!


> Struts Core 1.3.10 has CVE problems
> -----------------------------------
>
>                 Key: DOXIASITETOOLS-229
>                 URL: https://issues.apache.org/jira/browse/DOXIASITETOOLS-229
>             Project: Maven Doxia Sitetools
>          Issue Type: Dependency upgrade
>          Components: Site renderer
>    Affects Versions: 1.9.1, 1.9.2
>            Reporter: Alexander Kriegisch
>            Priority: Major
>         Attachments: screenshot-1.png
>
>
> When publishing artifacts to Sonatype OSSRH staging repositories, Sonatype
> sends an automatic vulnerability report, such as [this
> one|https://sbom.lift.sonatype.com/report/T1-0ff0976f7f21c391f20f-dfa463bcb34dd-1622198289-07472a4d66b24ea4b4311d99cb12c09f].
> As you can see, it complains about Struts Core 1.3.10.
>
> When running {{mvn dependency:tree}} on my project, I see this (shortened):
> {code}
> +- org.apache.maven.doxia:doxia-site-renderer:jar:1.9.1:compile
> |  +- org.apache.velocity:velocity-tools:jar:2.0:compile
> |  |  +- org.apache.struts:struts-core:jar:1.3.10:compile
> |  |  |  \- antlr:antlr:jar:2.7.2:compile
> |  |  +- org.apache.struts:struts-taglib:jar:1.3.8:compile
> |  |  \- org.apache.struts:struts-tiles:jar:1.3.8:compile
> {code}
> Dependency-managing to Site Renderer 1.9.2 makes no difference, because it
> still depends on Velocity Tools 2.0 and thus indirectly on Struts Core 1.3.10.
> Can this be fixed? Meanwhile, is there any compatible Struts Core version
> without the 17 CVEs listed in that report, which I can manage the dependency
> to in order to get a clean report next time?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
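As an added illustration that is not part of the issue or the commenter's own files, this is what the kind of "dependency excludes" the commenter mentions removing after the 1.10 upgrade could look like in a consumer's pom.xml, using the coordinates from the dependency tree quoted above. It assumes the project declares doxia-site-renderer directly (as the tree shows) and that nothing in the build actually calls Struts classes at runtime, since an exclusion only drops the jars from the classpath and does not change what velocity-tools 2.0 itself references.

```xml
<!-- Hypothetical excerpt of a consumer project's pom.xml (added example). -->
<dependencies>
  <dependency>
    <groupId>org.apache.maven.doxia</groupId>
    <artifactId>doxia-site-renderer</artifactId>
    <version>1.9.2</version>
    <exclusions>
      <!-- Drop the whole Struts 1.x family that velocity-tools 2.0 pulls in
           (struts-core 1.3.10, struts-taglib 1.3.8, struts-tiles 1.3.8).
           Excluding struts-core also removes its transitive antlr 2.7.2.
           The "*" artifactId wildcard requires Maven 3.2.1 or newer. -->
      <exclusion>
        <groupId>org.apache.struts</groupId>
        <artifactId>*</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>

<!-- Verify the exclusion took effect: the following should list no Struts
     artifacts at all once the exclusion (or the 1.10 upgrade) is in place.

       mvn dependency:tree -Dincludes=org.apache.struts
-->
```

Once doxia-site-renderer 1.10 no longer depends on velocity-tools 2.0, the block above becomes unnecessary and can be deleted, which is exactly the cleanup the comment describes.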