Yes, I couldn't quite tell the implementation of the dependency from the
dependency-tree output, but the pom.xml shows the dependency more
accurately.
Indeed we did.
Torben
On Fri, Aug 12, 2016 at 5:58 PM, Ben Caradoc-Davies <b...@transient.nz>
wrote:
> Yes, but the dependency is a direct dependency with incorrect scope, not
> transitive.
>
> We sent our emails at the same moment. :-)
>
> Kind regards,
> Ben.
>
>
> On 13/08/16 12:54, Torben Barsballe wrote:
>
>> Doing a mvn dependency:tree, I found this:
>>
>> [INFO]
>> ------------------------------------------------------------------------
>> [INFO] Building Application Schema DataAccess 15-SNAPSHOT
>> [INFO]
>> ------------------------------------------------------------------------
>> [INFO]
>> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ gt-app-schema
>> ---
>> [INFO] org.geotools:gt-app-schema:jar:15-SNAPSHOT
>> [INFO] +- org.geotools:gt-complex:jar:15-SNAPSHOT:compile
>> [INFO] \- org.geotools:gt-complex:jar:tests:15-SNAPSHOT:compile
>>
>> It looks like gt-app-schema depends upon the gt-complex test jar
>> (transitively by way of gt-complex?). gt-app-schema is not depended upon
>> by anything in this way, so its test jar is not included.
>>
>>
>> Torben
>>
>> On Fri, Aug 12, 2016 at 5:43 PM, Ben Caradoc-Davies <b...@transient.nz>
>> wrote:
>>
>>> Torben,
>>>
>>> neither are blockers, just observations, and I agree that addressing them
>>> should be deferred for future work. Including tests jars causes no harm.
>>> commons-beanutils is only a vulnerability in specific types of
>>> applications. There is also a hardcoded commons-beanutils 1.7.0 in
>>> gt-app-schema.
>>>
>>> Kind regards,
>>> Ben.
>>>
>>>
>>> On 13/08/16 12:33, Torben Barsballe wrote:
>>>
>>>> Ben:
>>>> (1) Doing a mvn dependency:tree shows that the commons-beanutils jar is
>>>> coming from gt-imagemosaic. This is probably something we should fix.
>>>> Talking to Kevin, upgrading this will include a version update of the
>>>> jar, so will need some testing. Also note that the gt-imagemosaic jar is
>>>> a dependency for several other geotools modules.
>>>>
>>>> (2) I just took a look at the GeoTools 15.1 bin, and it also contains
>>>> gt-complex-15.1-tests.jar. I am equally curious as to why this is
>>>> included, although perhaps not curious enough for it to hold up this
>>>> milestone release.
>>>>
>>>> I am going to move forward with the milestone release, but we should
>>>> definitely keep both these issues in mind moving forward (and also take
>>>> a look at GeoTools 15, as it is affected by both these issues).
>>>>
>>>> Torben
>>>>
>>>>
>>>> On Fri, Aug 12, 2016 at 5:17 PM, Ben Caradoc-Davies <b...@transient.nz>
>>>> wrote:
>>>>
>>>>> Looking through the bin.zip, I noticed:
>>>>>
>>>>>
>>>>> (1) commons-beanutils-1.7.0.jar is present. This JAR was removed from
>>>>> GeoServer and replaced with the customised
>>>>> commons-beanutils-1.9.2-noclassprop.jar
>>>>> because it enabled a remote code execution vulnerability. See Kevin and
>>>>> Andrea for details. Should GeoTools ship 1.7.0 or switch to
>>>>> 1.9.2-noclassprop to protect GeoTools users?
>>>>>
>>>>> (2) gt-complex-16-M0-tests.jar is present. This is the only *-tests.jar
>>>>> included in the bin-zip. I wonder why?
>>>>>
>>>>> All the other contents look sane to me.
>>>>>
>>>>> Kind regards,
>>>>> Ben.
>>>>>
>>>>>
>>>>> On 13/08/16 11:50, Torben Barsballe wrote:
>>>>>
>>>>>> The GeoTools 16-M0 release artifacts are available for testing from:
>>>>>>
>>>>>> http://ares.boundlessgeo.com/geotools/release/16-M0/
>>>>>>
>>>>>> Torben
>>>>>>
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------
>>>>>> ------------------
>>>>>> What NetFlow Analyzer can do for you? Monitors network bandwidth and
>>>>>> traffic
>>>>>> patterns at an interface-level. Reveals which users, apps, and
>>>>>> protocols
>>>>>> are
>>>>>> consuming the most bandwidth. Provides multi-vendor support for
>>>>>> NetFlow,
>>>>>> J-Flow, sFlow and other flows. Make informed decisions using capacity
>>>>>> planning reports. http://sdm.link/zohodev2dev
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> GeoTools-Devel mailing list
>>>>>> GeoTools-Devel@lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/geotools-devel
>>>>>>
>>>>>>
>>>>> --
>>>>>
>>>>> Ben Caradoc-Davies <b...@transient.nz>
>>>>> Director
>>>>> Transient Software Limited <http://transient.nz/>
>>>>> New Zealand
>>>>>
>>>>>
>>>>>
>>> --
>>> Ben Caradoc-Davies <b...@transient.nz>
>>> Director
>>> Transient Software Limited <http://transient.nz/>
>>> New Zealand
>>>
>>>
>>
> --
> Ben Caradoc-Davies <b...@transient.nz>
> Director
> Transient Software Limited <http://transient.nz/>
> New Zealand
>
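The two checks discussed in this thread (a `*-tests.jar` pulled in at `compile` scope instead of `test` scope, and a commons-beanutils 1.7.0 artifact showing up in the build) can be automated against `mvn dependency:tree` output. The script below is an added example written for this page; it is not code from the thread or from the GeoTools project. The sample tree is constructed from the lines quoted above plus two hypothetical entries (a gt-imagemosaic node carrying commons-beanutils 1.7.0, and a correctly scoped junit dependency) so that both checks fire; the watchlist format and all function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample output in the format mvn dependency:tree prints.
# The first three coordinate lines are those quoted in the thread; the
# gt-imagemosaic subtree and the junit line are hypothetical additions.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ gt-app-schema ---
[INFO] org.geotools:gt-app-schema:jar:15-SNAPSHOT
[INFO] +- org.geotools:gt-complex:jar:15-SNAPSHOT:compile
[INFO] +- org.geotools:gt-complex:jar:tests:15-SNAPSHOT:compile
[INFO] +- org.geotools:gt-imagemosaic:jar:15-SNAPSHOT:compile
[INFO] |  \- commons-beanutils:commons-beanutils:jar:1.7.0:compile
[INFO] \- junit:junit:jar:4.12:test
"""

# Watchlist of (groupId, artifactId, versions to flag). The 1.7.0 entry
# reflects the thread's note that GeoServer replaced that version because
# of a remote code execution issue; extend it with your own entries.
WATCHLIST: List[Tuple[str, str, Set[str]]] = [
    ("commons-beanutils", "commons-beanutils", {"1.7.0"}),
]


@dataclass
class Dep:
    group: str
    artifact: str
    type: str
    classifier: Optional[str]
    version: str
    scope: Optional[str]   # None for the root project line
    depth: int             # 0 = root, 1 = direct dependency, >1 = transitive


# "[INFO] " then the ASCII tree prefix ("+- ", "|  ", "\- "), then g:a:...
LINE_RE = re.compile(r"^\[INFO\]\s?(?P<tree>[ |+\\-]*)(?P<coords>\S+)$")


def parse_tree(text: str) -> List[Dep]:
    """Parse mvn dependency:tree output into Dep records with nesting depth."""
    deps: List[Dep] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banners, blank lines, plugin headers
        parts = m.group("coords").split(":")
        # Each tree level is rendered as three characters ("+- " / "|  ").
        depth = len(m.group("tree")) // 3
        if len(parts) == 4:       # root: group:artifact:type:version
            g, a, t, v = parts
            c, s = None, None
        elif len(parts) == 5:     # group:artifact:type:version:scope
            g, a, t, v, s = parts
            c = None
        elif len(parts) == 6:     # group:artifact:type:classifier:version:scope
            g, a, t, c, v, s = parts
        else:
            continue  # separator lines such as "----" split into one part
        deps.append(Dep(g, a, t, c, v, s, depth))
    return deps


def misscoped_test_jars(deps: List[Dep]) -> List[Dep]:
    """Test jars (classifier 'tests') that leak into a non-test scope."""
    return [d for d in deps if d.classifier == "tests" and d.scope != "test"]


def audit(text: str, watchlist: List[Tuple[str, str, Set[str]]]) -> List[str]:
    """Return human-readable findings for the two checks from the thread."""
    deps = parse_tree(text)
    findings: List[str] = []
    for d in misscoped_test_jars(deps):
        kind = "direct" if d.depth == 1 else "transitive"
        findings.append(
            f"test-jar {d.group}:{d.artifact}:{d.version} is a {kind} "
            f"dependency at scope '{d.scope}'; expected scope 'test'"
        )
    for group, artifact, bad_versions in watchlist:
        for d in deps:
            if d.group == group and d.artifact == artifact and d.version in bad_versions:
                findings.append(
                    f"{group}:{artifact}:{d.version} is on the watchlist "
                    f"(depth {d.depth}, scope '{d.scope}')"
                )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TREE, WATCHLIST):
        print(finding)
```

The depth field distinguishes the two readings that came up in the thread: a depth of 1 means the artifact is declared directly in the module's own pom.xml (so the fix is a scope change there), while a greater depth means it arrived transitively and the fix belongs in the upstream module. To run it against a real build, pipe `mvn dependency:tree` output into `audit` instead of `SAMPLE_TREE`.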