Hi Aaron, one note: a month ago we asked users to test 22-RC. If you had checked back then, by now you'd have a 22.0 with a fix. Instead, this way, even with a quick fix, you'll have to wait until November to get an official release without the dependency. Yep, you can work around it by excluding the dependency, but next time you plan an upgrade to a .0 version, please remember to check out the RCs beforehand; it's for your own benefit as well as the rest of the community's.
Cheers
Andrea

On Tue, Sep 24, 2019 at 7:44 PM Aaron Hoffer <aaron.hof...@connexta.com> wrote:

> We would like to upgrade our gt-solr dependency to 22.0. However, it
> contains the Apache Axis library. That library has some known
> vulnerabilities:
>
> axis-1.4.jar (pkg:maven/org.apache.axis/axis@1.4,
> cpe:2.3:a:apache:axis:1.4:*:*:*:*:*:*:*) : CVE-2012-5784, CVE-2014-3596,
> CVE-2018-8032, CVE-2019-0227
>
> In general, we are not allowed to use a dependency with a CVSS score of
> 5.0 or greater. I'm not sure what to do.
>
> Here is the dependency tree:
>
> +--- org.geotools:gt-solr:22.0
> |    +--- org.geotools:gt-main:22.0
> |    |    +--- org.geotools:gt-referencing:22.0
> ... cut ...
> |    |    |    +--- jgridshift:jgridshift:1.1
> |    |    |    |    +--- javax:javaee-api:7.0
> |    |    |    |    |    \--- com.sun.mail:javax.mail:1.5.0
> |    |    |    |    |         \--- javax.activation:activation:1.1
> |    |    |    |    \--- org.apache.axis:axis:1.4
>
> _______________________________________________
> GeoTools-GT2-Users mailing list
> GeoTools-GT2-Users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geotools-gt2-users

--
Regards,

Andrea Aime

==
GeoServer Professional Services from the experts!
Visit http://goo.gl/it488V for more information.
==

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

With reference to the regulations on the processing of personal data (EU Reg. 2016/679 - General Data Protection Regulation "GDPR"), please note that every circumstance pertaining to this email (its content, any attachments, etc.) is data whose knowledge is reserved to the sole recipient(s) indicated by the sender. If this message has reached you by mistake, you are required to delete it; any other operation is unlawful. I would nevertheless be grateful if you could let me know.

This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 "GDPR" - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.
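The workaround Andrea mentions, excluding the transitive Axis jar that jgridshift:1.1 drags in under gt-solr:22.0, written out as an added Gradle example (not code from this thread or from the GeoTools project); it assumes a Java project where gt-solr sits in the `implementation` configuration, and adds a `check`-time task so the exclusion is verified on every build rather than trusted once:

```groovy
// build.gradle (Groovy DSL). Added example; assumes the `java` plugin is applied
// and that gt-solr is declared in the `implementation` configuration.
dependencies {
    // Pull in gt-solr 22.0 but drop org.apache.axis:axis:1.4, which the
    // dependency tree above shows arriving transitively via jgridshift:1.1.
    implementation('org.geotools:gt-solr:22.0') {
        exclude group: 'org.apache.axis', module: 'axis'
    }
    // If other GeoTools modules also reach jgridshift, a project-wide exclusion
    // is simpler than repeating the block per dependency:
    // configurations.all { exclude group: 'org.apache.axis', module: 'axis' }
}

// Fail the build if the banned artifact ever comes back on the runtime
// classpath (e.g. a future dependency bump re-introduces it), so the
// CVSS >= 5.0 policy from the thread is enforced by CI and not by memory.
tasks.register('checkBannedDeps') {
    description = 'Fails if org.apache.axis:axis is still on the runtime classpath'
    doLast {
        def hits = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
            .findAll { it.moduleVersion.id.group == 'org.apache.axis' &&
                       it.moduleVersion.id.name == 'axis' }
        if (!hits.empty) {
            throw new GradleException("Banned artifact on runtime classpath: " +
                    hits.collect { it.moduleVersion.id }.join(', '))
        }
    }
}
tasks.named('check') { dependsOn 'checkBannedDeps' }
```

To see which path still pulls the jar before and after the exclusion, run `./gradlew dependencyInsight --dependency axis --configuration runtimeClasspath`; since jgridshift handles NTv2 grid-shift transformations, exercise that code path in your tests after excluding, because an exclusion removes the jar without proving nothing needed it.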