[MDEP-775] Update velocity-tools from 2.0 to a newer version that doesn't depend on struts 1.3.8

[jira-importer]

Gazy Mahomar opened MDEP-775 and commented

The Dependency plugin depends on org.apache.velocity:velocity-tools:2.0, which in turn depends on org.apache.struts:struts-core 1.3.8. As mentioned in MDEP-626, struts-core:1.3.8 has several CVEs against it. For those of us with overzealous IT departments in corporate environments, this presents a problem, as the struts-core:1.3.8 jar constantly triggers vulnerability checks. 

Would it be possible to update velocity-tools to a newer version without struts?

---

No further details from MDEP-775

[jira-importer]

Michael Osipov commented

Struts isn't used at all. There is no threat. You can exclude it if you want. Tell you IT department that their scans are superficially useless.

Ultimately, you need to find a committer who's willing to commit and do a release. Where are you located?

[jira-importer]

Gazy Mahomar commented

Heh. I already did. You try getting a large corporation's IT department to listen.

In all seriousness, I've tried excluding, to no avail. Maybe I did something wrong, considering this is a plugin and not a regular dependency. I'll check my work again.

Hell, I'll commit myself if there's really no issues and my request is accepted. I just didn't want to deal with having to update code to use a new lib version with breaking changes or deal with issues from excluding a dependency in a code base I'm not familiar with. As to where I'm located, NL, but with a US corporate overlord in desperate need of less red tape.

[jira-importer]

Michael Osipov commented

Please check and let me know. If your employer is so strigent they would be likely able to sponsor this to remove this, cough cough, vulnerability.

[jira-importer]

Gazy Mahomar commented

No joy. At this point I'm no longer sure if the issue is coming from this plugin. After checking out the repo and taking a look,  it's clear to me that MDEP-626 should have removed all references to struts. I can't tell where it's coming from, other than it's getting re-downloaded any time I run dependency:tree. Also, dependency:resolve-plugins shows no plugins that depend (in)directly on struts (and running it also downloads struts), so I'm at a loss.

I honestly think this issue can be closed, unless someone else wants to look into it. Thanks for the quick response and sorry for the noise.

I guess I'll just create a minutely cron job that removes struts from my local repo...

[jira-importer]

Michael Osipov commented

I don't see Struts here: https://maven.apache.org/plugins/maven-deploy-plugin/dependencies.html

[jira-importer]

Gazy Mahomar commented

Hence my confusion.

[jira-importer]

Michael Osipov commented

Please clarify internally at work.

[jira-importer]

Gazy Mahomar commented

I will see what IT has to say. You can go ahead and close this issue, as far as I'm concerned. Thanks for the help.