[
https://issues.apache.org/jira/browse/JCRVLT-640?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17558509#comment-17558509
]
Konrad Windszus commented on JCRVLT-640:
----------------------------------------
At least depending on {{org.apache.sling.jcr.api}} to get the repository
instance from the servlet is necessary. Using it has the drawback that the RCP
API would either need to rely on a service session or an admin session. Both
options require additional authentication with the servlet, so probably not a
good idea. For now we only get rid of the Sling JSON and Classloader
dependencies.
> RCP bundle: Get rid of Sling dependencies
> -----------------------------------------
>
> Key: JCRVLT-640
> URL: https://issues.apache.org/jira/browse/JCRVLT-640
> Project: Jackrabbit FileVault
> Issue Type: Improvement
> Reporter: Konrad Windszus
> Assignee: Konrad Windszus
> Priority: Major
>
> The RCP bundle should not depend on any Sling bundles. This would also fix
> the vulnerability issue currently detected in Sling API failing the build:
> {code}
> One or more dependencies were identified with known vulnerabilities in Apache
> Jackrabbit FileVault RCP Server Bundle:
> org.apache.sling.api-2.16.4.jar
> (pkg:maven/org.apache.sling/[email protected],
> cpe:2.3:a:apache:sling:2.16.4:*:*:*:*:*:*:*,
> cpe:2.3:a:apache:sling_api:2.16.4:*:*:*:*:*:*:*) : CVE-2022-32549
> {code}
> (https://ci-builds.apache.org/blue/organizations/jenkins/Jackrabbit%2Ffilevault/detail/master/135/pipeline)
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
