Velocity and Struts dependencies causing vulnerabilities


Velocity and Struts dependencies causing vulnerabilities

Kotamarti, Usha
Hello,

We have an issue with the version of the Velocity and Struts taglib, tiles and core jars that the Maven maven-pmd-plugin and maven-checkstyle-plugin are using.
Velocity version 2.0 and Struts 1.3.8 have security vulnerabilities.

These 2 plugins need to be upgraded to use velocity-tools version 3.0 and Struts 2.3.x or 2.5.x. Do you have a plan to do that? If not, would you please
let us know if there is a workaround to explicitly specify which versions of Velocity and Struts we would like pmd-plugin and checkstyle-plugin to use?

Thank you!
Usha Kotamarti



----------------------------------------------------------------------
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer.   If you are not the intended recipient, please delete this message.
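A workaround along the lines Usha asks about, added here as an example and not taken from any of the posters or from the Maven project: Maven lets a build redeclare a plugin's dependencies under `<plugin><dependencies>`, and dependencies declared there take precedence over the ones the plugin's own POM pulls in transitively, so a build can pin the Doxia Sitetools artifact to the release that drops Velocity/Struts and, belt and braces, exclude the old artifacts by coordinate. The plugin and artifact coordinates are the standard ones for maven-pmd-plugin, Doxia Sitetools, velocity-tools 2.0 and Struts 1.3.8; that `doxia-site-renderer` is the artifact through which velocity-tools and Struts reach the reporting plugins is an assumption based on Hervé's reply and DOXIASITETOOLS-215, the 1.9.2 version is the release he mentions (only planned at the time of the thread), and the plugin version is a placeholder.

```xml
<!-- Added example, not from the thread. ASSUMPTION: doxia-site-renderer is the
     artifact that transitively brings velocity-tools 2.0 and Struts 1.3.8 onto the
     reporting plugins' classpath (see DOXIASITETOOLS-215). -->
<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-pmd-plugin</artifactId>
        <version>PMD_PLUGIN_VERSION</version> <!-- placeholder: use your build's version -->
        <dependencies>
          <!-- Dependencies declared here override the plugin's own transitive ones. -->
          <dependency>
            <groupId>org.apache.maven.doxia</groupId>
            <artifactId>doxia-site-renderer</artifactId>
            <version>1.9.2</version> <!-- the Doxia Sitetools release that removes the dependencies -->
            <exclusions>
              <!-- Explicitly drop the old Velocity tooling and the Struts 1.x jars it pulls in,
                   so the build fails loudly if an older renderer ever reappears on the path. -->
              <exclusion>
                <groupId>org.apache.velocity</groupId>
                <artifactId>velocity-tools</artifactId>
              </exclusion>
              <exclusion>
                <groupId>org.apache.struts</groupId>
                <artifactId>struts-core</artifactId>
              </exclusion>
              <exclusion>
                <groupId>org.apache.struts</groupId>
                <artifactId>struts-taglib</artifactId>
              </exclusion>
              <exclusion>
                <groupId>org.apache.struts</groupId>
                <artifactId>struts-tiles</artifactId>
              </exclusion>
            </exclusions>
          </dependency>
        </dependencies>
      </plugin>
      <!-- Repeat the same <dependencies> block for maven-checkstyle-plugin. -->
    </plugins>
  </pluginManagement>
</build>
```

After changing this, `mvn dependency:resolve-plugins` lists each plugin together with the dependencies Maven actually resolved for it, which is the quickest way to confirm that no velocity-tools or Struts 1.x artifact remains on the plugin classpath and that a dependency scanner stops flagging it. Note that these jars are loaded only in the plugin's own classloader during the build (the site-report goals), not shipped in the built artifact, which is the point Hervé makes about the practical exposure being limited to unused dependencies.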

Re: Velocity and Struts dependencies causing vulnerabilities

Hervé BOUTEMY
Hi,

We have a plan: instead of upgrading, we'll remove the dependencies, see
https://issues.apache.org/jira/browse/DOXIASITETOOLS-215

Doxia Sitetools 1.9.2 release is planned in a few days, then we'll need to
release every reporting plugin after.

Notice that these components are vulnerable, but they are used in Maven
plugins, not in a web application, so the vulnerability is not really
accessible: there is no real issue other than unused dependencies pulled in by
reporting plugins.

Regards,

Hervé

On Tuesday 18 February 2020, 21:44:15 CET, Kotamarti, Usha wrote:

> Hello,
>
> We have an issue with the version of the Velocity and Struts taglib, tiles and
> core jars that the Maven maven-pmd-plugin and maven-checkstyle-plugin are
> using. Velocity version 2.0 and Struts 1.3.8 have security vulnerabilities.
>
> These 2 plugins need to be upgraded to use velocity-tools version 3.0 and
> Struts 2.3.x or 2.5.x. Do you have a plan to do that? If not, would you
> please let us know if there is a workaround to explicitly specify which
> versions of Velocity and Struts we would like pmd-plugin and
> checkstyle-plugin to use?
>
> Thank you!
> Usha Kotamarti

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Velocity and Struts dependencies causing vulnerabilities

mgainty
Usha, could you repost this issue to [hidden email]?

If struts-taglib has a security vulnerability, Lukasz and the Struts team should be able to fix it.

Good luck
martin-

________________________________
From: Hervé BOUTEMY <[hidden email]>
Sent: Tuesday, February 18, 2020 4:45 PM
To: Maven Users List <[hidden email]>
Subject: Re: Velocity and Struts dependencies causing vulnerabilities