Hello Andreas,

Yes, it's true that the clustering component is optional. However, my concern is not about whether one is actually exposed to the CVE, my concern is that the analysis tools think that the software is exposed. When a project that uses axis is analysed by Black Duck it reports the vulnerability. The question is, what to do? The question that sprung to my mind when I first saw this Black Duck report was "but *why* does axis2 depend on tomcat?".
On Sun, 7 Mar 2021 at 12:25, Andreas Veithen-Knowles <[email protected]> wrote:

> Note that the clustering component is optional. You can remove it if you
> don't need it.
>
> Andreas
>
> On Sun, Feb 28, 2021 at 10:22 AM Andrew Marlow <[email protected]> wrote:
>
>> Hello everyone,
>>
>> I've discovered that a dependency in the axis2 clustering component makes
>> axis2 vulnerable to CVE-2020-0822, filed against tomcat, which has a NIST
>> score of 8.4 high.
>>
>> A maven dependency analysis shows this:
>>
>> INFO [m] +- org.apache.axis2:axis2-clustering:jar:1.8.0-SNAPSHOT:compile
>> INFO [m] | +- org.apache.tomcat:tribes:jar:6.0.53:compile
>> INFO [m] | \- org.apache.tomcat:juli:jar:6.0.53:compile
>>
>> I don't understand why axis2 depends on tomcat. Can someone explain
>> please?
>>
>> --
>> Regards,
>>
>> Andrew Marlow
>> http://www.andrewpetermarlow.co.uk
>>

--
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
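One way to act on Andreas's advice, as an added example that is not part of the thread or of the Axis2 project's own files: drop the optional clustering module from the build so that tribes and juli 6.0.53 leave the dependency graph that Black Duck scans. The `axis2-kernel` dependency and the `${axis2.version}` property are assumptions standing in for whatever Axis2 artifact the project really declares; the dependency tree in the original mail lists axis2-clustering at depth 1, so in that project it is most likely a direct dependency that can simply be removed.

```xml
<!-- pom.xml fragment (added example). -->
<dependencies>
  <!-- Assumption: the project needs axis2-kernel. If an Axis2 artifact you do
       need pulls axis2-clustering in transitively, exclude it here instead of
       deleting a direct dependency. -->
  <dependency>
    <groupId>org.apache.axis2</groupId>
    <artifactId>axis2-kernel</artifactId>
    <version>${axis2.version}</version>
    <exclusions>
      <exclusion>
        <groupId>org.apache.axis2</groupId>
        <artifactId>axis2-clustering</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Removed: only needed when Axis2 clustering is actually configured.
       Keeping it in the POM is what brings tribes/juli 6.0.53 onto the
       classpath and into the scan results.
  <dependency>
    <groupId>org.apache.axis2</groupId>
    <artifactId>axis2-clustering</artifactId>
    <version>${axis2.version}</version>
  </dependency>
  -->
</dependencies>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.tomcat` should print no matches, which confirms that neither tribes nor juli remains in the build before the next Black Duck run.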
