[ https://issues.apache.org/jira/browse/DOXIASITETOOLS-229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17372763#comment-17372763 ]
Alexander Kriegisch commented on DOXIASITETOOLS-229:
----------------------------------------------------

Then it is pure chance that now both Doxia Site Tools and Doxia Sink API have version 1.10 and the build is working?

Please do be a bit more verbose, otherwise this discussion takes much longer than needed. I know you must be busy, but being too terse simply yields more questions from my side. I am a user trying to contribute to the project by raising issues and also trying to understand why the configuration in the other OSS project I am contributing to is wrong. I am talking about Mojohaus AspectJ Maven Plugin, and the configuration with the common version number property is like that since David Karlsen, the former maintainer, introduced it in 2015. So this is not actually "*my* POM configuration".

> Struts Core 1.3.10 has CVE problems
> -----------------------------------
>
>                 Key: DOXIASITETOOLS-229
>                 URL: https://issues.apache.org/jira/browse/DOXIASITETOOLS-229
>             Project: Maven Doxia Sitetools
>          Issue Type: Dependency upgrade
>          Components: Site renderer
>    Affects Versions: 1.9.1
>            Reporter: Alexander Kriegisch
>            Priority: Major
>             Fix For: 1.9.2
>
>         Attachments: screenshot-1.png
>
>
> When publishing artifacts to Sonatype OSSRH staging repositories, Sonatype
> sends an automatic vulnerability report, such as [this
> one|https://sbom.lift.sonatype.com/report/T1-0ff0976f7f21c391f20f-dfa463bcb34dd-1622198289-07472a4d66b24ea4b4311d99cb12c09f].
> As you can see, it complains about Struts Core 1.3.10.
>
> When running {{mvn dependency:tree}} on my project, I see this (shortened):
> {code}
> +- org.apache.maven.doxia:doxia-site-renderer:jar:1.9.1:compile
> |  +- org.apache.velocity:velocity-tools:jar:2.0:compile
> |  |  +- org.apache.struts:struts-core:jar:1.3.10:compile
> |  |  |  \- antlr:antlr:jar:2.7.2:compile
> |  |  +- org.apache.struts:struts-taglib:jar:1.3.8:compile
> |  |  \- org.apache.struts:struts-tiles:jar:1.3.8:compile
> {code}
>
> Dependency-managing to Site Renderer 1.9.2 makes no difference, because it
> still depends on Velocity Tools 2.0 and thus indirectly on Struts Core 1.3.10.
> Can this be fixed? Meanwhile, is there any compatible Struts Core version
> without the 17 CVEs listed in that report, which I can manage the dependency
> to in order to get a clean report next time?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
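Added example, not part of the issue thread or of Doxia: a small Python parser over `mvn dependency:tree` output that reports the chain of dependencies pulling in a flagged artifact, which tells you which direct dependency an exclusion or dependencyManagement entry has to target. The sample tree is constructed from the one quoted in the issue; the root project line (`org.example:my-project`) is an assumption, since the quoted output was shortened.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on the shortened tree quoted in the issue.
# The root project line is assumed; the issue report omitted it.
SAMPLE_TREE = """\
[INFO] org.example:my-project:jar:1.0.0
[INFO] +- org.apache.maven.doxia:doxia-site-renderer:jar:1.9.1:compile
[INFO] |  +- org.apache.velocity:velocity-tools:jar:2.0:compile
[INFO] |  |  +- org.apache.struts:struts-core:jar:1.3.10:compile
[INFO] |  |  |  \\- antlr:antlr:jar:2.7.2:compile
[INFO] |  |  +- org.apache.struts:struts-taglib:jar:1.3.8:compile
[INFO] |  |  \\- org.apache.struts:struts-tiles:jar:1.3.8:compile
"""

# One tree line: optional "[INFO] " prefix, indentation in 3-char units ("|  " or
# "   "), an optional "+- " / "\- " connector (absent only on the root), then the
# coordinate. Trailing annotations such as "(version managed from ...)" are ignored.
LINE_RE = re.compile(r"^(?:\[INFO\] )?((?:[| ]  )*)([+\\]- )?(\S+)")


def parse_tree(text: str) -> List[Tuple[int, str, str]]:
    """Yield (depth, groupId:artifactId, version) for each node, in document order."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indent, connector, coord = m.groups()
        depth = 0 if connector is None else 1 + len(indent) // 3
        parts = coord.split(":")  # g:a:type[:classifier]:version[:scope]
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        nodes.append((depth, f"{parts[0]}:{parts[1]}", version))
    return nodes


def find_paths(text: str, group_artifact: str) -> List[List[str]]:
    """Every root-to-node path whose last node matches groupId:artifactId."""
    paths, stack = [], []  # stack: (depth, "g:a:v") of the current ancestors
    for depth, ga, version in parse_tree(text):
        while stack and stack[-1][0] >= depth:
            stack.pop()
        stack.append((depth, f"{ga}:{version}"))
        if ga == group_artifact:
            paths.append([label for _, label in stack])
    return paths


def direct_dependency_for(path: List[str]) -> str:
    """The first-level dependency on the path, i.e. where an exclusion would go."""
    return path[1] if len(path) > 1 else path[0]
```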