[ https://issues.apache.org/jira/browse/DOXIASITETOOLS-229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17373277#comment-17373277 ]

Alexander Kriegisch commented on DOXIASITETOOLS-229:
----------------------------------------------------

Thanks [~hboutemy], with your comment all my open questions are answered and I 
better understand the situation.

First, you confirmed my impression, supported by the table I posted above:

{quote}we keep major versions in sync{quote}

You also explained why you are doing it:

{quote}to ease report plugins developers life{quote}

That is really helpful. I will make sure to either follow this advice...

{quote}Best practice is to have separate version property for each 
component.{quote}

or to make sure to only update versions if both are in sync and fit with each 
other, like before. Both approaches work (the second one not always, only most 
of the time), but now I am aware of the fact that Doxia users should not 
blindly rely on it. This complements the information given by [~michael-o], 
which was of course correct, just difficult for me to understand, because it 
lacked context.

I am happy we got this off the table, thanks to everyone involved.

> Struts Core 1.3.10 has CVE problems
> -----------------------------------
>
>                 Key: DOXIASITETOOLS-229
>                 URL: https://issues.apache.org/jira/browse/DOXIASITETOOLS-229
>             Project: Maven Doxia Sitetools
>          Issue Type: Dependency upgrade
>          Components: Site renderer
>    Affects Versions: 1.9.1
>            Reporter: Alexander Kriegisch
>            Priority: Major
>             Fix For: 1.9.2
>
>         Attachments: image-2021-07-02-10-15-09-868.png, screenshot-1.png
>
>
> When publishing artifacts to Sonatype OSSRH staging repositories, Sonatype 
> sends an automatic vulnerability report, such as [this 
> one|https://sbom.lift.sonatype.com/report/T1-0ff0976f7f21c391f20f-dfa463bcb34dd-1622198289-07472a4d66b24ea4b4311d99cb12c09f].
> As you can see, it complains about Struts Core 1.3.10. When running {{mvn 
> dependency:tree}} on my project, I see this (shortened):
> {code}
> +- org.apache.maven.doxia:doxia-site-renderer:jar:1.9.1:compile
> |  +- org.apache.velocity:velocity-tools:jar:2.0:compile
> |  |  +- org.apache.struts:struts-core:jar:1.3.10:compile
> |  |  |  \- antlr:antlr:jar:2.7.2:compile
> |  |  +- org.apache.struts:struts-taglib:jar:1.3.8:compile
> |  |  \- org.apache.struts:struts-tiles:jar:1.3.8:compile
> {code}
> Dependency-managing to Site Renderer 1.9.2 makes no difference, because it 
> still depends on Velocity Tools 2.0 and thus indirectly on Struts Core 1.3.10.
> Can this be fixed? Meanwhile, is there any compatible Struts Core version 
> without the 17 CVEs listed in that report, which I can manage the dependency 
> to in order to get a clean report next time?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
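The two pieces of advice in the thread (one version property per Doxia component, and managing the site-renderer dependency so the transitive Struts 1 artifacts no longer reach the project) as a POM fragment. This is an added illustration, not code from the issue, from the commenters, or from the Doxia project. It assumes the project declares `doxia-site-renderer` directly, as in the `dependency:tree` output quoted above; the version numbers are placeholders; and it assumes that nothing in the project uses the Struts integration of Velocity Tools, so excluding `org.apache.struts:*` removes nothing the build needs.

```xml
<!-- Added example, not from the Doxia project or the issue thread.
     Assumptions: doxia-site-renderer is a direct dependency of this project,
     the version numbers are placeholders, and the project never calls the
     Struts-specific tools of velocity-tools 2.0, so the exclusion is safe. -->
<project>
  <properties>
    <!-- One property per component, as the comment recommends: bumping
         doxia.version no longer silently moves doxia-sitetools with it,
         and the two can be checked against each other before a release. -->
    <doxia.version>1.9.1</doxia.version>
    <doxia-sitetools.version>1.9.2</doxia-sitetools.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.maven.doxia</groupId>
        <artifactId>doxia-site-renderer</artifactId>
        <version>${doxia-sitetools.version}</version>
        <!-- Cut the struts-core / struts-taglib / struts-tiles 1.3.x artifacts
             that velocity-tools 2.0 drags in (assumption: unused here).
             The wildcard artifactId needs Maven 3.2.1 or newer. -->
        <exclusions>
          <exclusion>
            <groupId>org.apache.struts</groupId>
            <artifactId>*</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.struts` should print no Struts artifacts; if some remain, another dependency path brings them in and needs its own exclusion, and an exclusion only hides the artifacts from the scanner, it does not patch them, so the assumption that the Struts tools are unused has to hold for the build and for the site generation itself.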
