I'll have a look, tickets like GEOT-6354 are the things keeping the library alive (sponsored changes), so that everyone else can use and complain for free ;-)
Regards
Andrea

On Tue, 24 Sep 2019, 21:35 mark <mc.pr...@gmail.com> wrote:
> Pretty sure this is not just gt-solr; I've seen a version bump to 22.x PR
> flagged as bringing in those vulnerabilities and we don't have an explicit
> gt-solr dependency in our project.
>
> Looking further, this seems to be caused by the jgridshift dependency in
> various places, e.g. org.geotools.xsd:gt-xsd-gml3 is affected as well:
>
> [INFO] +- org.geotools.xsd:gt-xsd-gml3:jar:22.0:compile
> [INFO] |  +- org.geotools:gt-referencing:jar:22.0:compile
> [INFO] |  |  +- org.ejml:ejml-ddense:jar:0.34:compile
> [INFO] |  |  |  \- org.ejml:ejml-core:jar:0.34:compile
> [INFO] |  |  +- org.geotools:gt-metadata:jar:22.0:compile
> [INFO] |  |  |  \- org.geotools:gt-opengis:jar:22.0:compile
> [INFO] |  |  |     \- systems.uom:systems-common-java8:jar:0.7.2:compile
> [INFO] |  |  |        +- tec.uom:uom-se:jar:1.0.8:compile
> [INFO] |  |  |        |  +- javax.measure:unit-api:jar:1.0:compile
> [INFO] |  |  |        |  \- tec.uom.lib:uom-lib-common:jar:1.0.2:compile
> [INFO] |  |  |        +- si.uom:si-quantity:jar:0.7.1:compile
> [INFO] |  |  |        \- si.uom:si-units-java8:jar:0.7.1:compile
> [INFO] |  |  +- jgridshift:jgridshift:jar:1.1:compile
> [INFO] |  |  |  +- javax:javaee-api:jar:7.0:compile
> [INFO] |  |  |  |  \- com.sun.mail:javax.mail:jar:1.5.0:compile
> [INFO] |  |  |  |     \- javax.activation:activation:jar:1.1:compile
> [INFO] |  |  |  \- org.apache.axis:axis:jar:1.4:compile
> [INFO] |  |  \- net.sf.geographiclib:GeographicLib-Java:jar:1.49:compile
>
> and gt-main
>
> [INFO] +- org.geotools:gt-main:jar:22.0:compile
> [INFO] |  +- org.geotools:gt-referencing:jar:22.0:compile
> [INFO] |  |  +- org.ejml:ejml-ddense:jar:0.34:compile
> [INFO] |  |  |  \- org.ejml:ejml-core:jar:0.34:compile
> [INFO] |  |  +- org.geotools:gt-metadata:jar:22.0:compile
> [INFO] |  |  |  \- org.geotools:gt-opengis:jar:22.0:compile
> [INFO] |  |  |     \- systems.uom:systems-common-java8:jar:0.7.2:compile
> [INFO] |  |  |        +- tec.uom:uom-se:jar:1.0.8:compile
> [INFO] |  |  |        |  +- javax.measure:unit-api:jar:1.0:compile
> [INFO] |  |  |        |  \- tec.uom.lib:uom-lib-common:jar:1.0.2:compile
> [INFO] |  |  |        +- si.uom:si-quantity:jar:0.7.1:compile
> [INFO] |  |  |        \- si.uom:si-units-java8:jar:0.7.1:compile
> [INFO] |  |  +- jgridshift:jgridshift:jar:1.1:compile
> [INFO] |  |  |  +- javax:javaee-api:jar:7.0:compile
> [INFO] |  |  |  |  \- com.sun.mail:javax.mail:jar:1.5.0:compile
> [INFO] |  |  |  |     \- javax.activation:activation:jar:1.1:compile
> [INFO] |  |  |  \- org.apache.axis:axis:jar:1.4:compile
>
> From a quick search this seems to have been caused by bumping the
> jgridshift version to 1.1 in d4878ae1a5e66e49bf4c0eb92c6129bd43bc550e
> ([GEOT-6354] GeoTools cannot open the GDA94 -> GDA2020 grid shift files).
>
> jgridshift 1.0 didn't have the j2ee or axis dependencies, so anything up
> to and including 21.3 is OK w.r.t. these vulns.
>
> Since the bump seems to fix a very specific issue you may be able to
> downgrade to 1.0 and live with that issue, or add exclusions for the axis
> and j2ee dependencies and possibly have malfunctioning referencing; I have
> yet to try either.
>
> Mark
>
>
> On 9/24/19 7:10 PM, Aaron Hoffer wrote:
> > We would like to upgrade our gt-solr dependency to 22.0. However, it
> > contains the Apache Axis library. That library has some known
> > vulnerabilities:
> >
> > axis-1.4.jar (pkg:maven/org.apache.axis/axis@1.4,
> > cpe:2.3:a:apache:axis:1.4:*:*:*:*:*:*:*) : CVE-2012-5784, CVE-2014-3596,
> > CVE-2018-8032, CVE-2019-0227
> >
> > In general, we are not allowed to use a dependency with a CVSS score of
> > 5.0 or greater. I'm not sure what to do.
> >
> > Here is the dependency tree:
> >
> > +--- *org.geotools:gt-solr:22.0*
> > |    +--- org.geotools:gt-main:22.0
> > |    |    +--- org.geotools:gt-referencing:22.0
> > ... cut ...
> > |    |    |    +--- jgridshift:jgridshift:1.1
> > |    |    |    |    +--- javax:javaee-api:7.0
> > |    |    |    |    |    \--- com.sun.mail:javax.mail:1.5.0
> > |    |    |    |    |         \--- javax.activation:activation:1.1
> > |    |    |    |    \--- *org.apache.axis:axis:1.4*
_______________________________________________ GeoTools-GT2-Users mailing list GeoTools-GT2-Users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geotools-gt2-users
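Added example (my own script, not GeoTools, jgridshift or anything posted in this thread): it strips the ANSI colour that mvn emits on a terminal (the "[1;34mINFO" noise in Mark's paste), walks `mvn dependency:tree` output to find which direct dependencies pull in a flagged artifact, and drafts the pom.xml <exclusions> block Mark mentions for each of them. The tree embedded in it is a constructed sample shaped like the ones above, not real build output; the group/artifact names are the ones from the thread. It does not check whether the excluded classes are needed at runtime, which is exactly the "malfunctioning referencing" risk Mark points out, so run the referencing tests after applying the exclusion.

```python
"""Locate a flagged artifact in `mvn dependency:tree` output and draft the
pom.xml exclusion for each direct dependency that drags it in.

Added example for this thread; not GeoTools or jgridshift code. SAMPLE_TREE
is a constructed sample shaped like the trees Mark posted."""
import re
from typing import Dict, Iterable, List, Tuple

# mvn colours its log on a terminal; the escapes must go before parsing.
_ANSI = re.compile(r"\x1b\[[0-9;]*m")
# A dependency line after "[INFO] ": nesting glyphs, a branch marker, then
# "groupId:artifactId:packaging[:classifier]:version:scope".
_NODE = re.compile(r"^((?:\|  |   )*)(\+- |\\- )(\S+)")

# Constructed sample (not real build output); ANSI colour included on purpose.
_I = "[\x1b[1;34mINFO\x1b[m] "
SAMPLE_TREE = "\n".join([
    _I + "org.example:myapp:jar:1.0-SNAPSHOT",
    _I + "+- org.geotools.xsd:gt-xsd-gml3:jar:22.0:compile",
    _I + "|  \\- org.geotools:gt-referencing:jar:22.0:compile",
    _I + "|     \\- jgridshift:jgridshift:jar:1.1:compile",
    _I + "|        +- javax:javaee-api:jar:7.0:compile",
    _I + "|        \\- org.apache.axis:axis:jar:1.4:compile",
    _I + "+- org.geotools:gt-main:jar:22.0:compile",
    _I + "|  \\- org.geotools:gt-referencing:jar:22.0:compile",
    _I + "|     \\- jgridshift:jgridshift:jar:1.1:compile",
    _I + "|        \\- org.apache.axis:axis:jar:1.4:compile",
    _I + "\\- junit:junit:jar:4.12:test",
])


def parse_tree(text: str) -> List[Tuple[int, str]]:
    """Return (depth, 'groupId:artifactId') per dependency line; depth 1 = direct."""
    nodes = []
    for raw in text.splitlines():
        line = _ANSI.sub("", raw)
        if line.startswith("[INFO] "):
            line = line[len("[INFO] "):]
        m = _NODE.match(line)
        if not m:                      # root project line or unrelated log noise
            continue
        depth = len(m.group(1)) // 3 + 1
        group, artifact = m.group(3).split(":")[:2]
        nodes.append((depth, f"{group}:{artifact}"))
    return nodes


def paths_to(text: str, flagged: Iterable[str]) -> Dict[str, List[List[str]]]:
    """For each flagged 'groupId:artifactId', every chain from a direct
    dependency down to it, so you know which pom entry needs the exclusion."""
    found: Dict[str, List[List[str]]] = {ga: [] for ga in flagged}
    stack: List[str] = []
    for depth, ga in parse_tree(text):
        del stack[depth - 1:]          # unwind to this node's parent
        stack.append(ga)
        if ga in found:
            found[ga].append(list(stack))
    return found


def exclusion_snippet(path: List[str]) -> str:
    """pom.xml fragment excluding the artifact at the tail of `path` from the
    direct dependency at its head. Maven applies an exclusion to the whole
    subtree of that dependency, so the intermediate jgridshift is not named.
    Caveat: this only drops the jar; jgridshift code that needs it will fail
    at runtime, which is the "malfunctioning referencing" risk in the thread."""
    direct_g, direct_a = path[0].split(":")
    bad_g, bad_a = path[-1].split(":")
    return "\n".join([
        "<dependency>",
        f"  <groupId>{direct_g}</groupId>",
        f"  <artifactId>{direct_a}</artifactId>",
        "  <exclusions>",
        "    <exclusion>",
        f"      <groupId>{bad_g}</groupId>",
        f"      <artifactId>{bad_a}</artifactId>",
        "    </exclusion>",
        "  </exclusions>",
        "</dependency>",
    ])


def report(text: str, flagged: Iterable[str]) -> str:
    """One exclusion block per (direct dependency, flagged artifact) pair."""
    blocks, seen = [], set()
    for ga, paths in paths_to(text, flagged).items():
        for path in paths:
            key = (path[0], ga)
            if key not in seen:
                seen.add(key)
                blocks.append("<!-- " + " -> ".join(path) + " -->\n"
                              + exclusion_snippet(path))
    return "\n\n".join(blocks)


if __name__ == "__main__":
    # Real use: mvn dependency:tree > tree.txt, then feed that file instead.
    print(report(SAMPLE_TREE, ["org.apache.axis:axis", "javax:javaee-api"]))
```

The exclusion goes on the direct dependency (gt-main, gt-xsd-gml3, or gt-solr in Aaron's case), not on jgridshift, because jgridshift is not declared in your pom; Maven's exclusion semantics cover the whole subtree. The Gradle equivalent is `exclude group: 'org.apache.axis', module: 'axis'` on the same direct dependency. Either way the build-time scanner goes quiet, but nothing has verified that the GDA94 -> GDA2020 grid shift path (the reason for the 1.1 bump) still works, so treat the exclusion as incomplete until that code path is exercised.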