Hello Robert and thank you for sending this note about the next axis2
release.

axis2 depends on tomcat version 6.0.53 via the clustering component. Now I
know that the clustering component is optional, in that if one chooses not
to use it then it can be omitted from jars and then one does not depend on
it, but nonetheless, OWASP and Black Duck dependency analysis shows the
dependency. They show that there is a CVE, CVE-2020-8022, which is ranked by
NIST as 8.4 high. Thus, projects that use axis2 get this vulnerability
reported against them. The CVE reporting tools do not know if your project,
configuration, and environment have taken the decision not to use that part
of axis2. They go by the dependency.

I hope someone can explain why there is this dependency please and what can
be done to address the reporting of this CVE.

According to https://nvd.nist.gov/vuln/detail/CVE-2020-8022:
This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to
8.0.53-29.32.1.

If this dependency has to be there maybe a more recent version could be
used please?

On Mon, 8 Mar 2021 at 16:29, robertlazarski <[email protected]>
wrote:

> All,
>
> Please take this opportunity to indicate anything you would like to see in
> the next Axis2 release.
>
> There are no known open CVE issues in any Axis project git repo. Prompt
> attention to any issue raised by [email protected] is the project's
> highest priority.
>
> For me personally, I'd like to remove the support for commons httpclient
> 3.x and only support 4.x.
>
> I'm also curious if anyone is using Axis2 for JSON. That is primarily how
> I use Axis2 at this point, via the GSON support.
>
> I spent this last quarter switching my day job to use Moshi internally
> instead of GSON since the latter has largely stopped development and the
> former uses less memory.
>
> I mention that because I expect to have more time for Axis2 these next few
> months and could possibly contribute Moshi support.
>
> Also, spring boot is becoming quite popular and the Axis2 setup is harder
> than it should be. Just like to know if anyone is using Axis2 in spring
> boot.
>
> Regards,
> Robert
>


-- 
Regards,

Andrew Marlow
http://www.andrewpetermarlow.co.uk
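One way to handle the reporting side of the problem described above with OWASP Dependency-Check, added here as an example and not taken from the thread or from the Axis2 project: a suppression entry scoped to the tomcat artifacts and to this one CVE, with the justification recorded (the quoted NVD text scopes the issue to SUSE's packaged tomcat, and the clustering module is not used) and an expiry date so the decision is re-reviewed rather than forgotten. The groupId pattern `org.apache.tomcat`, the file name and the date are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (assumed file name); pass it to the
     scanner with the suppressionFile option of the Dependency-Check
     Maven plugin or CLI. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- 'until' time-boxes the suppression: after this date the finding
       reappears and someone has to re-justify or re-evaluate it. -->
  <suppress until="2021-12-31">
    <notes><![CDATA[
      CVE-2020-8022 is reported against the tomcat jars pulled in by the
      optional Axis2 clustering component. Per NVD the issue affects the
      SUSE-packaged tomcat, not the tomcat jar itself, and this project
      does not enable Axis2 clustering. Review again before the expiry date.
    ]]></notes>
    <!-- Match only tomcat artifacts (groupId org.apache.tomcat is an
         assumption), at any version, so the suppression cannot silently
         swallow the same CVE if it is ever attached to another package. -->
    <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/.*@.*$</packageUrl>
    <!-- Suppress exactly one CVE, never the whole artifact. -->
    <cve>CVE-2020-8022</cve>
  </suppress>

</suppressions>
```

If the clustering module is itself a declared Maven dependency in your build, excluding it there removes the tomcat jars from the dependency graph altogether, which every scanner honours; the suppression above is for the case where the dependency stays.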
