[
https://issues.apache.org/jira/browse/AIRAVATA-3590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17956000#comment-17956000
]
ASF subversion and git services commented on AIRAVATA-3590:
-----------------------------------------------------------
Commit a9c71a235a694850331858b59c0d460ad0ed33a2 in airavata's branch
refs/heads/cybershuttle-dev from PJ Fanning
[ https://gitbox.apache.org/repos/asf?p=airavata.git;h=a9c71a235a ]
AIRAVATA-3590 upgrade snakeyaml due to XXE issue
> airavata trunk has dependencies on multiple insecure jar dependencies
> ---------------------------------------------------------------------
>
> Key: AIRAVATA-3590
> URL: https://issues.apache.org/jira/browse/AIRAVATA-3590
> Project: Airavata
> Issue Type: Bug
> Reporter: PJ Fanning
> Priority: Critical
>
> I ran a dependabot analysis on github.
> Major issues with old dependencies include:
> * Shiro https://mvnrepository.com/artifact/org.apache.shiro/shiro-core
> * log4j https://logging.apache.org/log4j/2.x/security.html
> * httpclient https://github.com/pjfanning/airavata/security/dependabot/192
> * commons-io https://github.com/advisories/GHSA-gwrp-pvrq-jmwv
> * jackson -
> https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind
> * snakeyaml - https://github.com/advisories/GHSA-rvwf-54qp-4r6v
> Many many more.
> There are also issues with UI dependencies.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
