Currently maven-archetype depends on dom4j 1.6.1 which is vulnerable to 
CVE-2018-1000632 [1].
I filed ARCHETYPE-567 [2] to track this.
In order to mitigate this vulnerability, an update to dom4j 2.1.1 is needed.
dom4j 2.1.x requires Java 8+ [3].
dom4j 2.0.x would retain compatibility with Java 7 (Java 5+) but the latest 
release (2.0.2) is vulnerable to CVE-2018-1000632.
The current dev version (2.0.3) seems to contain a fix for CVE-2018-1000632 but 
has been pending release for ~1 year.

I opened PR #28 [4] to make these changes.
What else should I do to advance this proposal?

Thanks!
Tony Homer

[1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
[2] https://issues.apache.org/jira/browse/ARCHETYPE-567
[3] https://dom4j.github.io
[4] https://github.com/apache/maven-archetype/pull/28
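A small check, added here as an example and not part of the message above or of the maven-archetype project, that flags dom4j entries affected by CVE-2018-1000632 in the output of mvn dependency:tree. It assumes, following the message, that 2.0.3 and 2.1.1 carry the fix and treats every other version below 2.1.1 as affected; the sample tree is constructed, not real project output.

```python
import re

# Assumption taken from the message: 2.0.3 (dev) and 2.1.1 contain the fix
# for CVE-2018-1000632; every other version below 2.1.1 is treated as affected.
FIXED_2_0_BRANCH = (2, 0, 3)
FIXED_FROM = (2, 1, 1)

# dom4j 1.x is published under groupId "dom4j", 2.x under "org.dom4j".
DEP_LINE = re.compile(r"((?:org\.)?dom4j):dom4j:jar:([^:\s]+):(\w+)")


def parse_version(v):
    """Turn '2.0.2' (a trailing qualifier is ignored) into a comparable tuple."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    return tuple(int(x) if x else 0 for x in m.groups())


def dom4j_vulnerable(version):
    """True if this dom4j version should be treated as affected."""
    v = parse_version(version)
    if v >= FIXED_FROM:
        return False
    # The 2.0.x backport is the only fixed release below 2.1.1.
    return not (v[:2] == (2, 0) and v >= FIXED_2_0_BRANCH)


def scan_dependency_tree(text):
    """Return (groupId, version, scope) for each affected dom4j line."""
    hits = []
    for line in text.splitlines():
        m = DEP_LINE.search(line)
        if m and dom4j_vulnerable(m.group(2)):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


# Constructed sample of mvn dependency:tree output (not from a real build).
SAMPLE_TREE = """\
[INFO] com.example:demo-app:jar:1.0
[INFO] +- dom4j:dom4j:jar:1.6.1:compile
[INFO] +- org.dom4j:dom4j:jar:2.0.2:test
[INFO] +- org.dom4j:dom4j:jar:2.1.1:compile
[INFO] \\- com.example:other-lib:jar:1.0:compile
"""

if __name__ == "__main__":
    for group, version, scope in scan_dependency_tree(SAMPLE_TREE):
        print(f"affected: {group}:dom4j:{version} ({scope}) -> CVE-2018-1000632")
```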
