[ https://issues.apache.org/jira/browse/BEANUTILS-520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16910022#comment-16910022 ]

Melloware commented on BEANUTILS-520:
-------------------------------------

Those are good questions!

1. Looks like Commons Collections would not be insignificant changes to remove. At least from what I can see?
2. I don't see any @deprecated in the code to remove.
3. As for changing interfaces, that I don't think I am qualified to answer. To me this library has been around for 15+ years and is rock solid. A 2.0 release would get it up to Java 8 and in line with the rest of Apache releases.

> BeanUtils2 mitigate CVE-2014-0114
> ---------------------------------
>
> Key: BEANUTILS-520
> URL: https://issues.apache.org/jira/browse/BEANUTILS-520
> Project: Commons BeanUtils
> Issue Type: Improvement
> Components: Bean / Property Utils
> Affects Versions: 1.9.3
> Reporter: Melloware
> Assignee: Rob Tompkins
> Priority: Major
> Labels: security
> Fix For: 1.9.4, 2.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> https://nvd.nist.gov/vuln/detail/CVE-2014-0114
> Due to the above CVE, in 1.9.2 they added a Suppression, but it is still being marked as a security risk through most major checks from OWASP and Sonatype IQ.
> "commons-beanutils added a SuppressPropertiesBeanIntrospector which includes a specialized instance of itself as the SUPPRESS_CLASS constant beginning in version 1.9.2 that specifically suppresses the class property. +However, this fix is not enabled by default.+"
> For BeanUtils2, why not make this the default and have people "enable" it if they want to get the feature?
> Thanks for your consideration.

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
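The quoted issue text says the SUPPRESS_CLASS introspector exists from 1.9.2 but is not enabled by default. The following is an added example, not code from the issue or from the Commons BeanUtils project, showing how an application opts in and how it can verify at startup that the "class" property is no longer exposed. It assumes commons-beanutils 1.9.2 or 1.9.3 on the classpath (the versions the issue discusses); the Person bean and the class and method names in this file are constructed for the example, while PropertyUtilsBean, SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS, addBeanIntrospector, clearDescriptors and isReadable are the library's real API.

```java
import java.beans.PropertyDescriptor;
import java.util.Arrays;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Compares default bean introspection with one that has
 * SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS registered.
 * A private PropertyUtilsBean is used so the global singleton is left untouched
 * until the caller decides to harden it too.
 */
public class SuppressClassPropertyExample {

    /** Constructed sample bean; like every JavaBean it inherits getClass() from Object. */
    public static class Person {
        private String name = "alice";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** True if the introspector reports a property named "class" for the bean. */
    static boolean exposesClassProperty(PropertyUtilsBean pub, Object bean) {
        return Arrays.stream(pub.getPropertyDescriptors(bean))
                .map(PropertyDescriptor::getName)
                .anyMatch("class"::equals);
    }

    /** Hardened configuration: opt in to the suppressor that 1.9.2/1.9.3 ship disabled. */
    static PropertyUtilsBean hardenedPropertyUtils() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Descriptors are cached per class; clear the cache in case a bean was
        // already introspected before the suppressor was registered.
        pub.clearDescriptors();
        return pub;
    }

    /** Startup check for a unit test or health check: fail fast if the mitigation is inactive. */
    static void assertClassPropertySuppressed(PropertyUtilsBean pub, Object bean) {
        if (pub.isReadable(bean, "class")) {
            throw new IllegalStateException(
                "'class' property is still readable; SUPPRESS_CLASS introspector is not active");
        }
    }

    public static void main(String[] args) {
        Person p = new Person();

        PropertyUtilsBean defaults = new PropertyUtilsBean();
        System.out.println("default exposes 'class': " + exposesClassProperty(defaults, p));

        PropertyUtilsBean hardened = hardenedPropertyUtils();
        System.out.println("hardened exposes 'class': " + exposesClassProperty(hardened, p));
        assertClassPropertySuppressed(hardened, p);

        // Apply the same setting to the shared singleton behind the static
        // BeanUtils / PropertyUtils facades, which most application code uses.
        PropertyUtilsBean shared = BeanUtilsBean.getInstance().getPropertyUtils();
        shared.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        shared.clearDescriptors();
        assertClassPropertySuppressed(shared, p);
    }
}
```

Register the introspector as early as possible in application startup (before any framework populates beans from request data), and keep the assertClassPropertySuppressed check in a test so a dependency upgrade or a stray resetBeanIntrospectors() call that silently drops the suppressor is caught rather than shipped.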