You might want to consider checkstyle also, I noticed it was missing in your update.

Thanks

On Tue, 3 Feb 2026 at 7:47 PM, Daan Hoogland <[email protected]> wrote:

> On Tue, Feb 3, 2026 at 2:52 PM Rajiv Jain <[email protected]> wrote:
>
> > Hello,
> >
> > I am a member of the NetApp team and currently developing a storage
> > plugin for ONTAP storage. As part of this effort, we recently submitted
> > a pull request for community review.
> >
> > During our development and testing, we identified a security
> > vulnerability in the CloudStack development setup related to the
> > presence of the struts-core-1.3.8.jar dependency. Upon further triage,
> > we determined that this dependency is introduced transitively through
> > the following Maven plugins currently in use:
> >
> > - maven-checkstyle-plugin version 3.1.0
> > - maven-dependency-plugin version 3.1.1
> > - maven-site-plugin version 3.8.2
> >
> > These plugin versions are significantly outdated and indirectly pull in
> > the vulnerable Struts dependency. To evaluate the impact of upgrading,
> > we updated these plugins to more recent releases aligned with 2024
> > versions:
> >
> > - maven-checkstyle-plugin version 3.6.0
> > - maven-dependency-plugin version 3.8.1
> > - maven-site-plugin version 3.10
> >
> I am testing with
>
> <cs.dependency-plugin.version>3.9.0</cs.dependency-plugin.version>
> <cs.site-plugin.version>3.21.0</cs.site-plugin.version>
>
> to have tried the very latest. PR coming up.
>
> > Following these upgrades, we performed a full compilation of the
> > CloudStack codebase, which completed successfully without any issues.
> >
> > Given the security implications and the successful build results, I
> > would like to propose upgrading these Maven plugin versions to the newer
> > releases. Please let us know if you foresee any compatibility concerns
> > or potential issues with adopting these changes, or if there are
> > additional validation steps you would recommend.
> >
> > Thank you for your time and consideration.
> >
> > Best regards,
> > *Rajiv Jain*
> > Senior Engineer, NetApp
>
> --
> Daan
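
Added example, not part of the thread or of CloudStack's build: a small tracer that reads POM metadata and reports every dependency path from a build plugin to `struts-core`, which is the check the triage above describes. The sample POMs are constructed (`example.invalid:reporting-lib` is a hypothetical intermediate artifact, not the plugins' real dependency), and the parser ignores parent POMs, properties, `dependencyManagement` and exclusions.

```python
import xml.etree.ElementTree as ET
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def coords(node):
    """groupId:artifactId:version of a <project> or <dependency> element."""
    return ":".join(node.findtext(f"m:{t}", "", NS) for t in ("groupId", "artifactId", "version"))

def build_graph(pom_texts):
    """Map each artifact to the compile/runtime dependencies its POM declares."""
    graph = {}
    for text in pom_texts:
        root = ET.fromstring(text)
        graph[coords(root)] = [
            coords(d) for d in root.findall("m:dependencies/m:dependency", NS)
            if d.findtext("m:scope", "compile", NS) in ("compile", "runtime")]
    return graph

def paths_to(graph, start, needle, trail=()):
    """Yield each dependency path from start to a coordinate containing needle."""
    trail += (start,)
    if needle in start:
        yield trail
        return
    for dep in graph.get(start, []):
        if dep not in trail:  # ignore cycles in malformed metadata
            yield from paths_to(graph, dep, needle, trail)

def pom(gav, deps=()):
    """Build a constructed sample POM (no parent, properties or exclusions)."""
    tmpl = "<groupId>{}</groupId><artifactId>{}</artifactId><version>{}</version>"
    body = "".join(f"<dependency>{tmpl.format(*d.split(':'))}</dependency>" for d in deps)
    return (f'<project xmlns="{NS["m"]}">{tmpl.format(*gav.split(":"))}'
            f"<dependencies>{body}</dependencies></project>")

OLD = "org.apache.maven.plugins:maven-site-plugin:3.8.2"
NEW = "org.apache.maven.plugins:maven-site-plugin:3.10"
STRUTS = "org.apache.struts:struts-core:1.3.8"
# Constructed metadata for illustration; not the real POMs of these plugin versions.
SAMPLE_POMS = [
    pom(OLD, ["example.invalid:reporting-lib:1.0"]),
    pom("example.invalid:reporting-lib:1.0", [STRUTS]),
    pom(NEW, ["example.invalid:reporting-lib:2.0"]),
    pom("example.invalid:reporting-lib:2.0"),
]

if __name__ == "__main__":
    graph = build_graph(SAMPLE_POMS)
    for plugin in (OLD, NEW):
        print(plugin, "->", list(paths_to(graph, plugin, ":struts-core:")) or "no struts-core path")
```

Fed the POM files from a local Maven repository instead of the constructed samples, the same functions show which plugin version still reaches the Struts artifact and through which intermediate.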
