[ 
https://issues.apache.org/jira/browse/MDEP-775?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17427813#comment-17427813
 ] 

Michael Osipov commented on MDEP-775:
-------------------------------------

Struts isn't used at all. There is no threat. You can exclude it if you want.
Tell your IT department that their scans are superficially useless.

Ultimately, you need to find a committer who's willing to commit and do a
release. Where are you located?

> Update velocity-tools from 2.0 to a newer version that doesn't depend on 
> struts 1.3.8
> -------------------------------------------------------------------------------------
>
>                 Key: MDEP-775
>                 URL: https://issues.apache.org/jira/browse/MDEP-775
>             Project: Maven Dependency Plugin
>          Issue Type: Dependency upgrade
>            Reporter: Gazy Mahomar
>            Priority: Major
>
> The Dependency plugin depends on {{org.apache.velocity:velocity-tools:2.0}}, 
> which in turn depends on {{org.apache.struts:struts-core 1.3.8}}. As 
> mentioned in MDEP-626, {{struts-core:1.3.8}} has several CVEs against it. For 
> those of us with overzealous IT departments in corporate environments, this 
> presents a problem, as the {{struts-core:1.3.8}} jar constantly triggers 
> vulnerability checks. 
> Would it be possible to update {{velocity-tools}} to a newer version without 
> struts?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
