[ https://issues.apache.org/jira/browse/AXIS2-5959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17316447#comment-17316447 ]
Murali commented on AXIS2-5959:
-------------------------------

[~amanmishra], did we get any solution for the above issue? Even I want to remove commons-httpclient from my axis2 package, as it is mentioned as vulnerable.

> Axis2 has dependency on "Commons HttpClient project", which is now end of life, and is no longer being developed.
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: AXIS2-5959
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5959
>             Project: Axis2
>          Issue Type: Bug
>            Reporter: Aman Mishra
>            Assignee: Robert Lazarski
>            Priority: Critical
>         Attachments: pom.xml
>
>
> We are using axis2 version 1.7.8 (*org.apache.axis2.osgi-1.7.8.jar*) in our project. In this project's pom.xml, under the <Import-Package> section, we can see a dependency on "Commons HttpClient project". This dependency is there in the form of *"org.apache.commons.httpclient.*,".* We have seen the same thing in the latest axis2 jar, 1.7.9.
> Now, as we know, this "Commons HttpClient project" reached its end of life long back and is no longer being developed.
> So, please change this package dependency to the Apache HttpComponents project's HttpClient [org.apache.httpcomponents:httpclient] (httpclient-4.5.9.jar).
> +*Note:*+ Right now we are supplying the dependency "*org.apache.commons.httpclient"* to "*org.apache.axis2.osgi-1.7.8.jar"* by "com.springsource.org.apache.commons.httpclient-3.1.0.jar". Now, in the Nexus vulnerability report, "com.springsource.org.apache.commons.httpclient-3.1.0.jar" is showing as vulnerable. So we want to remove this jar. But after removing this jar, the "*org.apache.axis2.osgi-1.7.8.jar"* OSGi bundle is not up, due to the unsatisfied dependency on package "*org.apache.commons.httpclient".* We have tried to provide the dependency by using httpclient-4.5.9.jar, but this has a different package hierarchy, as it is required in the form "*org.apache.commons.httpclient".*
> So please change this dependency according to the latest Apache jar, httpclient-4.5.9.jar.
> For reference: attaching pom.xml of the Axis2 1.7.8 project.
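
As an added example (not part of the original message or of the Axis2 project): a Python check that reads a bundle manifest's `Import-Package` header and lists the imports under `org.apache.commons.httpclient`, marking which ones are mandatory and therefore leave the bundle unresolved once the 3.1 jar is removed. The manifest text and all function names are constructed for illustration.

```python
import re

EOL_PREFIX = "org.apache.commons.httpclient"  # package named in the issue

# Constructed sample manifest (not the real Axis2 bundle manifest).
# Long headers are folded: a continuation line starts with one space.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Bundle-SymbolicName: example.bundle\r\n"
    "Import-Package: javax.xml.namespace,org.apache.commons.httpclient;ve\r\n"
    " rsion=\"[3.1,4)\",org.apache.commons.httpclient.methods;resolution:=o\r\n"
    " ptional,org.apache.http.client;version=\"[4.5,5)\"\r\n"
    "Bundle-Version: 1.0.0\r\n"
)

def read_header(manifest_text, name):
    """Return the unfolded value of one manifest header, or '' if absent."""
    unfolded = re.sub(r"\r?\n ", "", manifest_text)  # join continuation lines
    for line in unfolded.splitlines():
        key, sep, value = line.partition(": ")
        if sep and key.lower() == name.lower():
            return value
    return ""

def split_clauses(header_value):
    """Split on commas outside double quotes (version ranges contain commas)."""
    clauses, current, in_quotes = [], [], False
    for ch in header_value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            clauses.append("".join(current))
            current = []
        else:
            current.append(ch)
    clauses.append("".join(current))
    return [c.strip() for c in clauses if c.strip()]

def eol_imports(manifest_text, prefix=EOL_PREFIX):
    """Return [(package, is_mandatory)] for imports under the given prefix."""
    findings = []
    for clause in split_clauses(read_header(manifest_text, "Import-Package")):
        parts = [p.strip() for p in clause.split(";")]
        optional = any(re.fullmatch(r'resolution\s*:=\s*"?optional"?', p) for p in parts)
        for pkg in (p for p in parts if "=" not in p):
            # org.apache.http.* (HttpClient 4.x) is a different namespace: no match.
            if pkg == prefix or pkg.startswith(prefix + "."):
                findings.append((pkg, not optional))
    return findings

if __name__ == "__main__":
    for pkg, mandatory in eol_imports(SAMPLE_MANIFEST):
        print(pkg, "MANDATORY" if mandatory else "optional")
```

To run it against a real bundle, pass in the decoded contents of `META-INF/MANIFEST.MF` read from the jar with Python's `zipfile` module.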