[
https://issues.apache.org/jira/browse/TIKA-3777?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17543052#comment-17543052
]
Tim Allison commented on TIKA-3777:
-----------------------------------
[~tilman] had earlier raised concern about recent changes in ossindex. I
tracked down their sources for several of the CVEs, and I just don't agree. As
Tilman pointed out, they have an announcement about how they're changing their
underlying database: https://ossindex.sonatype.org/updates-notice.
Something is wonky. Centralization of these excludes will help, but I'm hoping
that they fix their db asap. I suspect builds are breaking across the land,
and I know we aren't the only project affected.
> Exclude dependencies from ossindex checks in the parent pom
> -----------------------------------------------------------
>
> Key: TIKA-3777
> URL: https://issues.apache.org/jira/browse/TIKA-3777
> Project: Tika
> Issue Type: Improvement
> Reporter: Tim Allison
> Priority: Major
>
> With ossindex starting to make a bunch of questionable calls, we need to
> exclude more and more dependencies. I had initially wanted to limit the
> dependencies in our effectively abandoned modules (agerecogniser) to the poms
> there.
> That causes problems though because we have to re-exclude dependencies in
> those modules when we add exclusions to the parent pom.
> So, we should centralize exclusions in the parent pom, even though that has
> us excluding notoriously embarrassing dependencies in parent (like log4j 1.x).
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
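As an added illustration of the centralization the issue proposes (example configuration, not Tika's actual pom and not part of this Jira thread): a parent pom that declares the ossindex-maven-plugin audit once, with its exclusions, so that every child module inherits the same list. The coordinates, module names, plugin version and the log4j 1.x version are assumptions for the example; the `excludeCoordinates` and `excludeVulnerabilityIds` elements are the plugin's own configuration parameters.

```xml
<!-- Added example, not Tika's pom: parent pom declaring the OSS Index audit once
     so that every module inherits the same exclusions. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>            <!-- assumed coordinates -->
  <artifactId>example-parent</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <modules>
    <module>example-core</module>
    <module>example-legacy-module</module>   <!-- stands in for an abandoned module -->
  </modules>

  <build>
    <plugins>
      <plugin>
        <groupId>org.sonatype.ossindex.maven</groupId>
        <artifactId>ossindex-maven-plugin</artifactId>
        <version>3.2.0</version>             <!-- assumed; pin the version you actually use -->
        <executions>
          <execution>
            <id>audit-dependencies</id>
            <phase>validate</phase>
            <goals>
              <goal>audit</goal>
            </goals>
          </execution>
        </executions>
        <configuration>
          <!-- Break the build on any unexcluded finding. -->
          <fail>true</fail>
          <!-- Coordinates skipped entirely. Kept in the parent so a child module never
               has to re-declare them when a new exclusion is added here. -->
          <excludeCoordinates>
            <exclude>
              <groupId>log4j</groupId>
              <artifactId>log4j</artifactId>
              <version>1.2.17</version>        <!-- assumed 1.x version for the example -->
            </exclude>
          </excludeCoordinates>
          <!-- Individual report ids (CVE id or OSS Index vulnerability id) judged to be
               false positives after checking the upstream source go here, one
               <exclude>ID</exclude> per finding, each with a comment saying why. -->
          <excludeVulnerabilityIds>
          </excludeVulnerabilityIds>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

A child module then needs only its `<parent>` element: Maven inherits the plugin execution and its configuration, so the module poms carry no exclusion lists of their own and nothing has to be re-excluded when the parent list grows. The caveat that produced the original problem: if a module pom does declare its own `<excludeCoordinates>` or `<excludeVulnerabilityIds>`, Maven's default configuration merging replaces the parent's list with the child's rather than combining them; to keep the parent entries and add module-specific ones, put `combine.children="append"` on the child's list element.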