Re: Velocity and Struts dependencies causing vulnerabilities
Usha, could you repost this issue to u...@struts.apache.org?

If struts-taglib has a security vulnerability, Lukasz and the Struts Team should be able to fix it.

Good luck
martin-

From: Hervé BOUTEMY
Sent: Tuesday, February 18, 2020 4:45 PM
To: Maven Users List
Subject: Re: Velocity and Struts dependencies causing vulnerabilities

Hi,

We have a plan: instead of upgrading, we'll remove the dependencies, see https://issues.apache.org/jira/browse/DOXIASITETOOLS-215

The Doxia Sitetools 1.9.2 release is planned in a few days; then we'll need to release every reporting plugin after.

Note that these components are vulnerable, but they are used in Maven plugins, not in a web application, so the vulnerability is not really accessible: there is no real issue other than unused dependencies pulled by reporting plugins.

Regards,

Hervé

On Tuesday, 18 February 2020, 21:44:15 CET, Kotamarti, Usha wrote:
> Hello,
>
> We have an issue with the version of the Velocity and Struts taglib, tiles and
> core jars that Maven maven-pmd-plugin and maven-checkstyle-plugin are
> using. Velocity version 2.0 and Struts 1.3.8 have security vulnerabilities.
>
> These 2 plugins need to be upgraded to use velocity-tools version 3.0 and
> Struts 2.3.x or 2.5.x. Do you have a plan to do that? If not, would you
> please let us know if there is a workaround to explicitly specify which
> versions of Velocity and Struts we would like pmd-plugin and
> checkstyle-plugin to use?
>
> Thank you!
> Usha Kotamarti
Re: Maven Ant Tasks - Central 501 HTTPS Required
On Tuesday, 18 February 2020, 03:00:44 CET, Tim N wrote:
> > maven-ant-tasks have been deprecated in favor of Maven Artifact Resolver
> > Ant Tasks: https://maven.apache.org/resolver-ant-tasks/
>
> Fantastic, I'll give that a go. Is it possible to add a link to that
> project from https://maven.apache.org/ant-tasks/ ?

Good idea, I'll work on it
Re: Velocity and Struts dependencies causing vulnerabilities
Hi,

We have a plan: instead of upgrading, we'll remove the dependencies, see https://issues.apache.org/jira/browse/DOXIASITETOOLS-215

The Doxia Sitetools 1.9.2 release is planned in a few days; then we'll need to release every reporting plugin after.

Note that these components are vulnerable, but they are used in Maven plugins, not in a web application, so the vulnerability is not really accessible: there is no real issue other than unused dependencies pulled by reporting plugins.

Regards,

Hervé

On Tuesday, 18 February 2020, 21:44:15 CET, Kotamarti, Usha wrote:
> Hello,
>
> We have an issue with the version of the Velocity and Struts taglib, tiles and
> core jars that Maven maven-pmd-plugin and maven-checkstyle-plugin are
> using. Velocity version 2.0 and Struts 1.3.8 have security vulnerabilities.
>
> These 2 plugins need to be upgraded to use velocity-tools version 3.0 and
> Struts 2.3.x or 2.5.x. Do you have a plan to do that? If not, would you
> please let us know if there is a workaround to explicitly specify which
> versions of Velocity and Struts we would like pmd-plugin and
> checkstyle-plugin to use?
>
> Thank you!
> Usha Kotamarti
Re: Maven Ant Tasks - Central 501 HTTPS Required
> maven-ant-tasks have been deprecated in favor of Maven Artifact Resolver Ant Tasks: https://maven.apache.org/resolver-ant-tasks/

Fantastic, I'll give that a go. Is it possible to add a link to that project from https://maven.apache.org/ant-tasks/ ?
Maven Artifact Resolver Ant Tasks - resolve dependency path
With Maven Ant Task (https://maven.apache.org/ant-tasks/), it was possible to refer to a dependency on the file-system in ant with, for example, ${org.jacoco:org.jacoco.ant:jar}. Is it possible to do the same with Maven Artifact Resolver Ant Tasks?
Velocity and Struts dependencies causing vulnerabilities
Hello,

We have an issue with the version of the Velocity and Struts taglib, tiles and core jars that Maven maven-pmd-plugin and maven-checkstyle-plugin are using. Velocity version 2.0 and Struts 1.3.8 have security vulnerabilities.

These 2 plugins need to be upgraded to use velocity-tools version 3.0 and Struts 2.3.x or 2.5.x. Do you have a plan to do that? If not, would you please let us know if there is a workaround to explicitly specify which versions of Velocity and Struts we would like pmd-plugin and checkstyle-plugin to use?

Thank you!
Usha Kotamarti