On Tue, Feb 3, 2026 at 2:52 PM Rajiv Jain <[email protected]> wrote:
> Hello,
>
> I am a member of the NetApp team and currently developing a storage plugin
> for ONTAP storage. As part of this effort, we recently submitted a pull
> request for community review.
>
> During our development and testing, we identified a security vulnerability
> in the CloudStack development setup related to the presence of the
> struts-core-1.3.8.jar dependency. Upon further triage, we determined that
> this dependency is introduced transitively through the following Maven
> plugins currently in use:
>
> - maven-checkstyle-plugin version 3.1.0
> - maven-dependency-plugin version 3.1.1
> - maven-site-plugin version 3.8.2
>
> These plugin versions are significantly outdated and indirectly pull in the
> vulnerable Struts dependency. To evaluate the impact of upgrading, we
> updated these plugins to more recent releases aligned with 2024 versions:
>
> - maven-checkstyle-plugin version 3.6.0
> - maven-dependency-plugin version 3.8.1
> - maven-site-plugin version 3.10
>

I am testing with

<cs.dependency-plugin.version>3.9.0</cs.dependency-plugin.version>
<cs.site-plugin.version>3.21.0</cs.site-plugin.version>

to have tried the very latest. PR coming up.

> Following these upgrades, we performed a full compilation of the CloudStack
> codebase, which completed successfully without any issues.
>
> Given the security implications and the successful build results, I would
> like to propose upgrading these Maven plugin versions to the newer
> releases. Please let us know if you foresee any compatibility concerns or
> potential issues with adopting these changes, or if there are additional
> validation steps you would recommend.
>
> Thank you for your time and consideration.
>
> Best regards,
> *Rajiv Jain*
> Senior Engineer, NetApp

--
Daan

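The thread identifies struts-core-1.3.8.jar as a transitive dependency of three build plugins rather than of the project itself, so `mvn dependency:tree` will not show it; the plugin dependency graph is what has to be inspected. The script below is an added example (not code from the thread, from Daan, or from the CloudStack project) that scans the output of `mvn dependency:resolve-plugins` and reports which plugin jar brings in a struts-core artifact, so the before/after of a plugin bump can be verified rather than inferred from a green build. It assumes the two-line format that goal prints ("Plugin Resolved:" followed by indented "Plugin Dependency Resolved:" lines); the sample output embedded in it is constructed, with the plugin versions taken from the thread.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or the CloudStack tree.
# Finds Maven *plugin* jars whose resolved dependencies include struts-core.
#
# Assumed input format (what `mvn dependency:resolve-plugins` prints; verify
# against the Maven/plugin version you run):
#   [INFO] Plugin Resolved: <plugin>-<version>.jar
#   [INFO]     Plugin Dependency Resolved: <artifact>-<version>.jar

# struts_via_plugins [FILE] [ARTIFACT-PREFIX]
#   Reads resolve-plugins output from FILE (default: stdin) and prints one
#   "<plugin jar> -> <dependency jar>" line per match. ARTIFACT-PREFIX
#   defaults to "struts-core-" but any artifact prefix can be checked.
struts_via_plugins() {
    file="${1:--}"
    pattern="${2:-struts-core-}"
    awk -v pat="$pattern" '
        # Remember the plugin that owns the dependency lines that follow.
        /Plugin Resolved:/ { plugin = $NF }
        # A dependency line whose jar name starts with the prefix is a hit.
        /Plugin Dependency Resolved:/ && index($NF, pat) == 1 {
            print plugin " -> " $NF
        }
    ' "$file"
}

# Live check against a real checkout (needs mvn on PATH; -B keeps the
# output free of ANSI colour codes so the awk patterns match).
struts_via_plugins_live() {
    mvn -B dependency:resolve-plugins | struts_via_plugins
}

# Constructed sample output so the script can be exercised offline. The
# plugin and struts versions are the ones named in the thread; the
# maven-compiler-plugin line is filler to show a clean plugin.
sample_output() {
    cat <<'EOF'
[INFO] Plugin Resolved: maven-checkstyle-plugin-3.1.0.jar
[INFO]     Plugin Dependency Resolved: struts-core-1.3.8.jar
[INFO]     Plugin Dependency Resolved: maven-plugin-api-3.0.jar
[INFO] Plugin Resolved: maven-compiler-plugin-3.8.1.jar
[INFO]     Plugin Dependency Resolved: maven-plugin-api-3.0.jar
[INFO] Plugin Resolved: maven-site-plugin-3.8.2.jar
[INFO]     Plugin Dependency Resolved: struts-core-1.3.8.jar
EOF
}

# Run with --demo to see the check applied to the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sample_output | struts_via_plugins
fi
```

After bumping the `cs.*-plugin.version` properties, rerun `struts_via_plugins_live`; an empty result is the evidence that the transitive Struts artifact is gone, which a successful compile alone does not establish.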