Doing a mvn dependency:tree, I found this:
[INFO] ------------------------------------------------------------------------
[INFO] Building Application Schema DataAccess 15-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ gt-app-schema ---
[INFO] org.geotools:gt-app-schema:jar:15-SNAPSHOT
[INFO] +- org.geotools:gt-complex:jar:15-SNAPSHOT:compile
[INFO] \- org.geotools:gt-complex:jar:tests:15-SNAPSHOT:compile
It looks like gt-app-schema depends upon the gt-complex test jar
(transitively by way of gt-complex?). gt-app-schema is not depended upon by
anything in this way, so its test jar is not included.
Torben
On Fri, Aug 12, 2016 at 5:43 PM, Ben Caradoc-Davies <b...@transient.nz>
wrote:
> Torben,
>
> neither are blockers, just observations, and I agree that addressing them
> should be deferred for future work. Including tests jars causes no harm.
> commons-beanutils is only a vulnerability in specific types of
> applications. There is also a hardcoded commons-beanutils 1.7.0 in
> gt-app-schema.
>
> Kind regards,
> Ben.
>
>
> On 13/08/16 12:33, Torben Barsballe wrote:
>
>> Ben:
>> (1) Doing a mvn dependency:tree shows that the commons-beanutils jar is
>> coming from gt-imagemosaic. This is probably something we should fix.
>> Talking to Kevin, upgrading this will include a version update of the jar,
>> so will need some testing. Also note that the gt-imagemosaic jar is a
>> dependency for several other geotools modules.
>>
>> (2) I just took a look at the GeoTools 15.1 bin, and it also contains
>> gt-complex-15.1-tests.jar. I am equally curious as to why this is
>> included,
>> although perhaps not curious enough for it to hold up this milestone
>> release.
>>
>> I am going to move forward with the milestone release, but we should
>> definitely keep both these issues in mind moving forward (and also take a
>> look at GeoTools 15, as it is affected by both these issues).
>>
>> Torben
>>
>>
>> On Fri, Aug 12, 2016 at 5:17 PM, Ben Caradoc-Davies <b...@transient.nz>
>> wrote:
>>
>>> Looking through the bin.zip, I noticed:
>>>
>>> (1) commons-beanutils-1.7.0.jar is present. This JAR was removed from
>>> GeoServer and replaced with the customised commons-beanutils-1.9.2-noclassprop.jar
>>> because it enabled a remote code execution vulnerability. See Kevin and
>>> Andrea for details. Should GeoTools ship 1.7.0 or switch to
>>> 1.9.2-noclassprop to protect GeoTools users?
>>>
>>> (2) gt-complex-16-M0-tests.jar is present. This is the only *-tests.jar
>>> included in the bin-zip. I wonder why?
>>>
>>> All the other contents look sane to me.
>>>
>>> Kind regards,
>>> Ben.
>>>
>>>
>>> On 13/08/16 11:50, Torben Barsballe wrote:
>>>
>>>> The GeoTools 16-M0 release artifacts available for testing from:
>>>> http://ares.boundlessgeo.com/geotools/release/16-M0/
>>>>
>>>> Torben
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> What NetFlow Analyzer can do for you? Monitors network bandwidth and
>>>> traffic
>>>> patterns at an interface-level. Reveals which users, apps, and protocols
>>>> are
>>>> consuming the most bandwidth. Provides multi-vendor support for NetFlow,
>>>> J-Flow, sFlow and other flows. Make informed decisions using capacity
>>>> planning reports. http://sdm.link/zohodev2dev
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> GeoTools-Devel mailing list
>>>> GeoTools-Devel@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/geotools-devel
>>>>
>>>>
>>> --
>>> Ben Caradoc-Davies <b...@transient.nz>
>>> Director
>>> Transient Software Limited <http://transient.nz/>
>>> New Zealand
>>>
>>>
>>
> --
> Ben Caradoc-Davies <b...@transient.nz>
> Director
> Transient Software Limited <http://transient.nz/>
> New Zealand
>
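The two checks discussed in this thread, a test jar (classifier `tests`) leaking into compile scope and a commons-beanutils below the version GeoServer moved to, can be run mechanically over `mvn dependency:tree` output. The script below is an added example, not GeoTools project code or anything from the thread's participants. The sample tree is constructed from the lines Torben pasted plus one invented commons-beanutils:1.7.0 node placed directly under gt-app-schema for illustration (the thread says it actually arrives via gt-imagemosaic), and the `MIN_VERSIONS` table is an assumption that encodes only the 1.9.2 floor mentioned in the thread, not a vulnerability database.

```python
"""Audit `mvn dependency:tree` output for test jars in non-test scope and for
artifacts below a configured minimum version.

Added example, not GeoTools project code. SAMPLE_TREE is constructed from the
thread's quoted lines plus an invented commons-beanutils node; MIN_VERSIONS is
an assumption, not a vulnerability database.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One tree node: "[INFO] <tree drawing> g:a:packaging[:classifier]:version[:scope]".
# The root line has 4 coordinate parts, child nodes have 5 or 6.
NODE_RE = re.compile(
    r"^\[INFO\]\s*(?P<prefix>[|+\\\s-]*)"
    r"(?P<coords>[\w.\-]+:[\w.\-]+(?::[\w.\-]+){2,4})\s*$"
)

# Assumed floor taken from the thread: GeoServer replaced 1.7.0 with a 1.9.2 build.
MIN_VERSIONS: Dict[str, str] = {"commons-beanutils:commons-beanutils": "1.9.2"}


@dataclass
class Artifact:
    group: str
    artifact: str
    packaging: str
    classifier: Optional[str]
    version: str
    scope: Optional[str]   # None for the root module
    depth: int             # 0 for root, 1 for direct dependencies, ...


def parse_coords(coords: str, depth: int) -> Artifact:
    """Split Maven coordinates into fields; the part count tells the layout."""
    parts = coords.split(":")
    if len(parts) == 4:        # root: g:a:packaging:version
        g, a, p, v = parts
        c = s = None
    elif len(parts) == 5:      # g:a:packaging:version:scope
        g, a, p, v, s = parts
        c = None
    elif len(parts) == 6:      # g:a:packaging:classifier:version:scope
        g, a, p, c, v, s = parts
    else:
        raise ValueError(f"unexpected coordinate layout: {coords}")
    return Artifact(g, a, p, c, v, s, depth)


def parse_tree(text: str) -> List[Artifact]:
    """Keep only lines that look like tree nodes; banners and separators are skipped."""
    nodes = []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3   # Maven indents three columns per level
        nodes.append(parse_coords(m.group("coords"), depth))
    return nodes


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a version for ordering: '1.9.2' -> (1, 9, 2), '15-SNAPSHOT' -> (15,)."""
    nums = []
    for piece in re.split(r"[.\-]", version):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def audit(tree_text: str, min_versions: Dict[str, str] = MIN_VERSIONS) -> List[str]:
    """Return human-readable findings for the two checks discussed in the thread."""
    findings = []
    for art in parse_tree(tree_text):
        is_test_jar = art.classifier == "tests" or art.packaging == "test-jar"
        if is_test_jar and art.scope not in (None, "test"):
            findings.append(
                f"test jar in {art.scope} scope: "
                f"{art.group}:{art.artifact}:{art.version} (depth {art.depth})"
            )
        key = f"{art.group}:{art.artifact}"
        floor = min_versions.get(key)
        if floor and version_key(art.version) < version_key(floor):
            findings.append(f"{key}:{art.version} is below minimum {floor}")
    return findings


# Constructed sample: Torben's lines plus an invented commons-beanutils node.
SAMPLE_TREE = """\
[INFO] ------------------------------------------------------------------------
[INFO] Building Application Schema DataAccess 15-SNAPSHOT
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ gt-app-schema ---
[INFO] org.geotools:gt-app-schema:jar:15-SNAPSHOT
[INFO] +- org.geotools:gt-complex:jar:15-SNAPSHOT:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.7.0:compile
[INFO] \\- org.geotools:gt-complex:jar:tests:15-SNAPSHOT:compile
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_TREE):
        print(finding)
```

In practice you would pipe `mvn dependency:tree` (or the saved `-DoutputFile` text) into `audit`; a test jar reported at `compile` scope is the signal that a `<classifier>tests</classifier>` dependency lacks `<scope>test</scope>` in some module's pom, which is what lets it propagate to consumers and into the bin distribution.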