Hi, so, checking: it's a spurious dependency, wrongly marked as compile instead of test; it's actually just used by a test. For the time being you should just safely exclude it; I'll make another release of the jgridshift fork to adjust the dependency type.
Cheers
Andrea

On Tue, Sep 24, 2019 at 10:31 PM Andrea Aime <andrea.a...@geo-solutions.it> wrote:

> I'll have a look, tickets like GEOT-6354 are the things keeping the
> library alive (sponsored changes), so that everyone else can use and
> complain for free ;-)
>
> Regards
> Andrea
>
> On Tue 24 Sep 2019, 21:35 mark <mc.pr...@gmail.com> wrote:
>
>> Pretty sure this is not just gt-solr; I've seen a version bump to 22.x
>> PR flagged as bringing in those vulnerabilities and we don't have an
>> explicit gt-solr dependency in our project.
>>
>> Looking further this seems to be caused by the jgridshift dependency in
>> various places, e.g. org.geotools.xsd:gt-xsd-gml3 is affected as well:
>>
>> [INFO] +- org.geotools.xsd:gt-xsd-gml3:jar:22.0:compile
>> [INFO] |  +- org.geotools:gt-referencing:jar:22.0:compile
>> [INFO] |  |  +- org.ejml:ejml-ddense:jar:0.34:compile
>> [INFO] |  |  |  \- org.ejml:ejml-core:jar:0.34:compile
>> [INFO] |  |  +- org.geotools:gt-metadata:jar:22.0:compile
>> [INFO] |  |  |  \- org.geotools:gt-opengis:jar:22.0:compile
>> [INFO] |  |  |     \- systems.uom:systems-common-java8:jar:0.7.2:compile
>> [INFO] |  |  |        +- tec.uom:uom-se:jar:1.0.8:compile
>> [INFO] |  |  |        |  +- javax.measure:unit-api:jar:1.0:compile
>> [INFO] |  |  |        |  \- tec.uom.lib:uom-lib-common:jar:1.0.2:compile
>> [INFO] |  |  |        +- si.uom:si-quantity:jar:0.7.1:compile
>> [INFO] |  |  |        \- si.uom:si-units-java8:jar:0.7.1:compile
>> [INFO] |  |  +- jgridshift:jgridshift:jar:1.1:compile
>> [INFO] |  |  |  +- javax:javaee-api:jar:7.0:compile
>> [INFO] |  |  |  |  \- com.sun.mail:javax.mail:jar:1.5.0:compile
>> [INFO] |  |  |  |     \- javax.activation:activation:jar:1.1:compile
>> [INFO] |  |  |  \- org.apache.axis:axis:jar:1.4:compile
>> [INFO] |  |  \- net.sf.geographiclib:GeographicLib-Java:jar:1.49:compile
>>
>> and gt-main
>>
>> [INFO] +- org.geotools:gt-main:jar:22.0:compile
>> [INFO] |  +- org.geotools:gt-referencing:jar:22.0:compile
>> [INFO] |  |  +- org.ejml:ejml-ddense:jar:0.34:compile
>> [INFO] |  |  |  \- org.ejml:ejml-core:jar:0.34:compile
>> [INFO] |  |  +- org.geotools:gt-metadata:jar:22.0:compile
>> [INFO] |  |  |  \- org.geotools:gt-opengis:jar:22.0:compile
>> [INFO] |  |  |     \- systems.uom:systems-common-java8:jar:0.7.2:compile
>> [INFO] |  |  |        +- tec.uom:uom-se:jar:1.0.8:compile
>> [INFO] |  |  |        |  +- javax.measure:unit-api:jar:1.0:compile
>> [INFO] |  |  |        |  \- tec.uom.lib:uom-lib-common:jar:1.0.2:compile
>> [INFO] |  |  |        +- si.uom:si-quantity:jar:0.7.1:compile
>> [INFO] |  |  |        \- si.uom:si-units-java8:jar:0.7.1:compile
>> [INFO] |  |  +- jgridshift:jgridshift:jar:1.1:compile
>> [INFO] |  |  |  +- javax:javaee-api:jar:7.0:compile
>> [INFO] |  |  |  |  \- com.sun.mail:javax.mail:jar:1.5.0:compile
>> [INFO] |  |  |  |     \- javax.activation:activation:jar:1.1:compile
>> [INFO] |  |  |  \- org.apache.axis:axis:jar:1.4:compile
>>
>> From a quick search this seems to have been caused by bumping the
>> jgridshift version to 1.1 in d4878ae1a5e66e49bf4c0eb92c6129bd43bc550e
>> ([GEOT-6354] GeoTools cannot open the GDA94 -> GDA2020 grid shift files)
>>
>> jgridshift 1.0 didn't have the j2ee or axis dependencies, so anything up
>> to and including 21.3 is OK wr. these vulns.
>>
>> Since the bump seems to fix a very specific issue you may be able to
>> downgrade to 1.0 and live with that issue, or add exclusions for the axis
>> and j2ee dependencies and possibly have malfunctioning referencing; I have
>> yet to try either.
>>
>> Mark
>>
>> On 9/24/19 7:10 PM, Aaron Hoffer wrote:
>>
>> We would like to upgrade our gt-solr dependency to 22.0. However, it
>> contains the Apache Axis library. That library has some known
>> vulnerabilities:
>>
>> axis-1.4.jar (pkg:maven/org.apache.axis/axis@1.4,
>> cpe:2.3:a:apache:axis:1.4:*:*:*:*:*:*:*) : CVE-2012-5784, CVE-2014-3596,
>> CVE-2018-8032, CVE-2019-0227
>>
>> In general, we are not allowed to use a dependency with a CVSS score of
>> 5.0 or greater. I'm not sure what to do.
>>
>> Here is the dependency tree:
>>
>> +--- org.geotools:gt-solr:22.0
>> |    +--- org.geotools:gt-main:22.0
>> |    |    +--- org.geotools:gt-referencing:22.0
>> ... cut ...
>> |    |    |    +--- jgridshift:jgridshift:1.1
>> |    |    |    |    +--- javax:javaee-api:7.0
>> |    |    |    |    |    \--- com.sun.mail:javax.mail:1.5.0
>> |    |    |    |    |         \--- javax.activation:activation:1.1
>> |    |    |    |    \--- org.apache.axis:axis:1.4
>>
>> _______________________________________________
>> GeoTools-GT2-Users mailing list
>> GeoTools-GT2-Users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geotools-gt2-users
>>
> --
> Regards,
> Andrea Aime
>
> ==
> GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information.
> ==
>
> Ing. Andrea Aime
> @geowolf
> Technical Lead
>
> GeoSolutions S.A.S.
> Via di Montramito 3/A
> 55054 Massarosa (LU)
> phone: +39 0584 962313
> fax: +39 0584 1660272
> mob: +39 339 8844549
>
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it
>
> -------------------------------------------------------
>
> This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 "GDPR" - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.
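The exclusion Andrea and Mark discuss, written out as an added example that is not part of the thread and not GeoTools' own build configuration. It is a Maven pom.xml fragment for a hypothetical consumer project (org.example:geotools-consumer, an assumed name; repository configuration for the GeoTools artifacts is omitted). The coordinates are the ones from the dependency trees quoted above: jgridshift:jgridshift:1.1 is reached through org.geotools:gt-referencing in every tree (gt-main, gt-xsd-gml3 and gt-solr), so the exclusion is placed on gt-referencing in dependencyManagement, where Maven applies it to every transitive path, rather than on one direct dependency. Excluding javax:javaee-api also drops its children com.sun.mail:javax.mail and javax.activation:activation.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread or the GeoTools project.
     Consumer project coordinates below are assumed. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>               <!-- assumed -->
  <artifactId>geotools-consumer</artifactId>   <!-- assumed -->
  <version>1.0-SNAPSHOT</version>

  <properties>
    <geotools.version>22.0</geotools.version>
  </properties>

  <!-- Managed exclusion: every GeoTools module in the trees above reaches
       jgridshift:jgridshift:1.1 via org.geotools:gt-referencing. Declaring
       the exclusions on gt-referencing here makes Maven apply them on every
       path through it, so gt-main, gt-xsd-gml3 and gt-solr are all covered
       without repeating the block per direct dependency. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.geotools</groupId>
        <artifactId>gt-referencing</artifactId>
        <version>${geotools.version}</version>
        <exclusions>
          <!-- javaee-api 7.0 also brings javax.mail and activation; they go with it -->
          <exclusion>
            <groupId>javax</groupId>
            <artifactId>javaee-api</artifactId>
          </exclusion>
          <!-- axis 1.4 is the artifact flagged with the CVEs in Aaron's scan -->
          <exclusion>
            <groupId>org.apache.axis</groupId>
            <artifactId>axis</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The direct dependency from Aaron's message. Alternatively the same
         <exclusions> block could be placed here, but it would then only
         cover paths below this one declaration. -->
    <dependency>
      <groupId>org.geotools</groupId>
      <artifactId>gt-solr</artifactId>
      <version>${geotools.version}</version>
    </dependency>
  </dependencies>
</project>
```

Andrea's statement above that jgridshift only uses these artifacts in a test is what makes the exclusion safe for the referencing code at run time. After adding it, confirm nothing else re-introduces the artifacts with `mvn dependency:tree -Dincludes=org.apache.axis,javax:javaee-api`, which should print an empty tree for the affected modules; re-run the dependency scanner as well, since it is the scanner's report, not the tree, that the CVSS policy is applied to.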