I am looking at pmd, checkstyle 3.6.0 as you suggested is already latest.

On Tue, Feb 3, 2026 at 4:04 PM Rajiv Jain <[email protected]> wrote:

> You might want to consider checkstyle also, I noticed it was missing in
> your update.
>
> Thanks
>
> On Tue, 3 Feb 2026 at 7:47 PM, Daan Hoogland <[email protected]> wrote:
>
> > On Tue, Feb 3, 2026 at 2:52 PM Rajiv Jain <[email protected]> wrote:
> >
> > > Hello,
> > >
> > > I am a member of the NetApp team and currently developing a storage
> > > plugin for ONTAP storage. As part of this effort, we recently
> > > submitted a pull request for community review.
> > >
> > > During our development and testing, we identified a security
> > > vulnerability in the CloudStack development setup related to the
> > > presence of the struts-core-1.3.8.jar dependency. Upon further
> > > triage, we determined that this dependency is introduced
> > > transitively through the following Maven plugins currently in use:
> > >
> > > - maven-checkstyle-plugin version 3.1.0
> > > - maven-dependency-plugin version 3.1.1
> > > - maven-site-plugin version 3.8.2
> > >
> > > These plugin versions are significantly outdated and indirectly
> > > pull in the vulnerable Struts dependency. To evaluate the impact of
> > > upgrading, we updated these plugins to more recent releases aligned
> > > with 2024 versions:
> > >
> > > - maven-checkstyle-plugin version 3.6.0
> > > - maven-dependency-plugin version 3.8.1
> > > - maven-site-plugin version 3.10
> > >
> > I am testing with
> >
> > <cs.dependency-plugin.version>3.9.0</cs.dependency-plugin.version>
> >
> > <cs.site-plugin.version>3.21.0</cs.site-plugin.version>
> >
> > to have tried the very latest. PR coming up.
> >
> > > Following these upgrades, we performed a full compilation of the
> > > CloudStack codebase, which completed successfully without any
> > > issues.
> > >
> > > Given the security implications and the successful build results, I
> > > would like to propose upgrading these Maven plugin versions to the
> > > newer releases. Please let us know if you foresee any compatibility
> > > concerns or potential issues with adopting these changes, or if
> > > there are additional validation steps you would recommend.
> > >
> > > Thank you for your time and consideration.
> > >
> > > Best regards,
> > > *Rajiv Jain*
> > > Senior Engineer, NetApp
> >
> > --
> > Daan
>

--
Daan
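
A check for the condition reported in this thread, as an added example that is not part of the original messages or of CloudStack's code: it walks a Maven local repository and lists any Struts 1.x jars such as struts-core-1.3.8.jar, so a build machine can be re-checked after the plugin upgrade. The function names are hypothetical and the standard repository layout (`<group path>/<artifact>/<version>/<file>`) is assumed.

```python
"""Added example: list Struts 1.x jars in a Maven local repository."""
import re
import sys
from pathlib import Path

# Matches artifact file names such as struts-core-1.3.8.jar (any Struts 1.x
# module). Struts 2 artifacts are named struts2-*, so they never match.
STRUTS1_JAR = re.compile(r"^(struts-[a-z]+)-(1\.\d+(?:\.\d+)*)\.jar$")


def find_struts1_jars(repo_root):
    """Return sorted (artifact, version, relative path) for Struts 1.x jars.

    Assumes the standard layout <group path>/<artifact>/<version>/<file>.
    """
    root = Path(repo_root)
    hits = []
    for jar in root.rglob("struts-*.jar"):
        m = STRUTS1_JAR.match(jar.name)
        if not m:
            continue
        artifact, version = m.groups()
        # Require the directory names to agree with the file name, which
        # filters out stray copies that are not resolved repository artifacts.
        if jar.parent.name != version or jar.parent.parent.name != artifact:
            continue
        hits.append((artifact, version, jar.relative_to(root).as_posix()))
    return sorted(hits)


def main(argv):
    # Default to the per-user repository when no directory is given.
    repo = argv[1] if len(argv) > 1 else Path.home() / ".m2" / "repository"
    hits = find_struts1_jars(repo)
    for artifact, version, path in hits:
        print(f"{artifact} {version}  {path}")
    # Non-zero exit lets a CI step fail when a Struts 1.x jar was resolved.
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Point it at a fresh repository populated by a build run with `-Dmaven.repo.local=<dir>`, since jars cached by earlier builds stay in `~/.m2/repository` after the plugins are upgraded.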
