Most of the uses in the codebase are transitive, from other commons dependencies, so you would need to check that we don't use the bits of those dependencies that require it and then specifically exclude it, otherwise you won't actually be able to get rid of it.
On Wed, 21 Aug 2024 at 16:18, Justin Bertram <jbert...@apache.org> wrote:
>
> The ActiveMQ Artemis code-base doesn't use
> org.apache.commons.collections.list.SetUniqueList so this problem doesn't
> apply.
>
> That said, moving to commons-collections4 is a good idea. I've opened
> ARTEMIS-5006 [1] for this.
>
>
> Justin
>
> [1] https://issues.apache.org/jira/browse/ARTEMIS-5006
>
> On Wed, Aug 21, 2024 at 9:17 AM <apa...@materne.de> wrote:
>
> > Hello,
> >
> > the security scanner in my company raised an issue with
> > commons-collections, which is a transitive dependency from Artemis:
> >
> > Part of our "mvn dependency:tree":
> >
> > +- org.apache.activemq:artemis-junit-5:jar:2.36.0:test
> > +- org.apache.activemq:artemis-server:jar:2.31.2:test
> > \- commons-collections:commons-collections:jar:3.2.2:compile
> >
> > AFAIK the 3.x of commons-collections is EOL in favor of collections4,
> > also with new GAV coordinates:
> >
> > <groupId>org.apache.commons</groupId>
> > <artifactId>commons-collections4</artifactId>
> >
> > Some details about that security issue:
> >
> > Score
> > vulnerability sonatype-2024-3350 with severity >= 7 (severity = 8.7)
> >
> > Explanation
> > The Apache commons-collections packages are vulnerable to a Denial of
> > Service (DoS) attack. The add() method of the SetUniqueList class
> > mishandles the order of operations when invoking its parent List
> > implementation. Consequently, adding an instance of itself results in
> > infinite recursion and deviates from the behavior defined by the standard
> > JRE List contract. A remote attacker who can cause an application to add
> > SetUniqueList instances to themselves can exploit this vulnerability to
> > crash the affected application with a StackOverflowError exception.
> >
> > Version Affected
> > [3.2,3.2.2]
> >
> > Root Cause
> > commons-collections-3.2.2.redhat-2.jar org/apache/commons/collections/list/SetUniqueList.class [3.0, )
> >
> > Advisories
> > Project
> > https://issues.apache.org/jira/browse/COLLECTIONS-701
> >
> > CVSS Details
> > Sonatype CVSS 4
> > 8.7
> > CVSS Vector
> > CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
> >
> > That issue is fixed for 4.3.
> >
> > Do you plan to update to collections4?
> >
> > cheers
> > Jan Matèrne
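As an added example (not part of this thread or of the Artemis project), a small POSIX shell check for the "find out what drags it in, then exclude it" step: it walks a `mvn dependency:tree` excerpt and reports which direct dependency is the root of each commons-collections 3.x path, i.e. the `<dependency>` that needs the `<exclusion>`. The tree text is constructed here, modelled on the excerpt quoted above, with a made-up `com.example:myapp` root.

```shell
#!/bin/sh
# Constructed sample of `mvn dependency:tree` output (com.example:myapp is a
# made-up root project; the Artemis lines follow the excerpt in the thread).
SAMPLE_TREE='[INFO] com.example:myapp:jar:1.0.0
[INFO] +- org.apache.activemq:artemis-junit-5:jar:2.36.0:test
[INFO] |  \- org.apache.activemq:artemis-server:jar:2.31.2:test
[INFO] |     \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] \- org.apache.commons:commons-collections4:jar:4.4:compile'

# For every commons-collections 3.x node in the tree, print
# "<direct dependency> -> <offending artifact>". The direct dependency is the
# one in your pom.xml that takes the <exclusion>. The tree says nothing about
# whether your code (or that dependency) actually uses the excluded classes,
# so the exclusion still has to be backed by a test run.
find_legacy_collections_roots() {
    printf '%s\n' "$1" | awk '
        {
            sub(/^\[INFO\] /, "")           # strip the Maven log prefix
            if ($0 ~ /^---/) next            # skip "--- dependency:tree ---" banners
            # Tree columns ("+- ", "\- ", "|  ", "   ") are 3 chars wide, so the
            # offset of the first alphanumeric char gives the nesting depth.
            if (!match($0, /[A-Za-z0-9]/)) next
            depth = int((RSTART - 1) / 3)
            label = substr($0, RSTART)
            chain[depth] = label             # current ancestor at each depth
            if (label ~ /^commons-collections:commons-collections:jar:3\./)
                print (depth > 1 ? chain[1] : "(direct dependency)") " -> " label
        }'
}

find_legacy_collections_roots "$SAMPLE_TREE"
```

Feed it the real output (`mvn dependency:tree | ...`) instead of `SAMPLE_TREE`; a `(direct dependency)` line means the artifact is declared in your own pom and should be replaced rather than excluded.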