This repository has been archived by the owner on Nov 29, 2022. It is now read-only.

Dependency exclusions need to be updated to reflect new library groupIds #472

Open
RobertRogers24 opened this issue Dec 16, 2019 · 3 comments
@RobertRogers24

RobertRogers24 commented Dec 16, 2019

So, while upgrading from 1.0.9.RELEASE -> 1.0.10.RELEASE, I noticed a significant number of new libraries pop up. When comparing the two tags 1.0.9.RELEASE...1.0.10.RELEASE#diff-357e4854869b2e21c38b1b437f11095a

I noticed that no changes were made to the exclusions. Using Gradle we can see the differences for esapi:
1.0.9.RELEASE

|    +--- org.owasp.esapi:esapi:2.1.0.1
|    |    \--- commons-collections:commons-collections:3.2.2

1.0.10.RELEASE

|    +--- org.owasp.esapi:esapi:2.2.0.0
|    |    +--- com.io7m.xom:xom:1.2.10
|    |    +--- commons-beanutils:commons-beanutils:1.9.3
|    |    |    +--- commons-logging:commons-logging:1.2
|    |    |    \--- commons-collections:commons-collections:3.2.2
|    |    +--- commons-lang:commons-lang:2.6
|    |    +--- org.apache.commons:commons-collections4:4.2
|    |    +--- org.apache-extras.beanshell:bsh:2.0b6
|    |    +--- org.slf4j:slf4j-api:1.7.26 -> 1.7.29
|    |    +--- commons-io:commons-io:2.6
|    |    \--- xerces:xercesImpl:2.12.0

Looking at the POM exclusions, it's clear that the groupIds have changed for a number of these libraries:
xom changed to com.io7m.xom
commons-beanutils-core changed to commons-beanutils

Just to name a few. Although it isn't the end of the world, I am looking for some reason as to why we might need these new libraries. Or maybe it was an oversight on upgrade, but adding these new libraries just adds another lib that could have a future CVE, resulting in the need for an upgrade.

I haven't checked them all, but these were the ones that I picked up on.
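As an added example (not code from the project or from anyone in this thread), the following Python script parses the two Gradle tree excerpts quoted above, lists the transitive dependencies that 1.0.10.RELEASE newly pulls in (including the `-> 1.7.29` conflict-resolved version), and flags exclusions written against the old groupIds that no longer match anything in the tree. The EXCLUSIONS list is a constructed stand-in, not the project's real POM exclusions, and the replacement-suggestion heuristic is this example's own assumption.

```python
"""Diff two Gradle dependency trees and flag exclusions that no longer match.

Added example, not code from the project this issue is filed against. The two
trees are the `gradle dependencies` excerpts quoted in the issue; EXCLUSIONS is
a constructed, hypothetical exclusion list standing in for the real POM's.
"""
import re

# Matches "group:artifact:version" plus the optional " -> resolved" suffix that
# Gradle prints when conflict resolution picks a different version.
COORD = re.compile(
    r"(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):(?P<v>[\w.\-]+)(?: -> (?P<r>[\w.\-]+))?"
)

# Copied from the issue: the esapi subtree in 1.0.9.RELEASE ...
TREE_1_0_9 = r"""
|    +--- org.owasp.esapi:esapi:2.1.0.1
|    |    \--- commons-collections:commons-collections:3.2.2
"""

# ... and in 1.0.10.RELEASE.
TREE_1_0_10 = r"""
|    +--- org.owasp.esapi:esapi:2.2.0.0
|    |    +--- com.io7m.xom:xom:1.2.10
|    |    +--- commons-beanutils:commons-beanutils:1.9.3
|    |    |    +--- commons-logging:commons-logging:1.2
|    |    |    \--- commons-collections:commons-collections:3.2.2
|    |    +--- commons-lang:commons-lang:2.6
|    |    +--- org.apache.commons:commons-collections4:4.2
|    |    +--- org.apache-extras.beanshell:bsh:2.0b6
|    |    +--- org.slf4j:slf4j-api:1.7.26 -> 1.7.29
|    |    +--- commons-io:commons-io:2.6
|    |    \--- xerces:xercesImpl:2.12.0
"""

# Constructed "group:artifact" exclusions written against the OLD coordinates.
EXCLUSIONS = [
    "xom:xom",
    "commons-beanutils:commons-beanutils-core",
    "commons-collections:commons-collections",
]


def parse_tree(text):
    """Return {"group:artifact": resolved_version} for every coordinate in a tree."""
    deps = {}
    for line in text.splitlines():
        m = COORD.search(line)
        if m:
            # Prefer the resolved version ("-> 1.7.29") over the requested one.
            deps[f"{m['g']}:{m['a']}"] = m["r"] or m["v"]
    return deps


def added_artifacts(old, new):
    """Coordinates present in `new` but absent from `old`, as sorted "g:a:v"."""
    return sorted(f"{ga}:{v}" for ga, v in new.items() if ga not in old)


def changed_versions(old, new):
    """{"group:artifact": (old_version, new_version)} for bumped coordinates."""
    return {ga: (old[ga], v) for ga, v in new.items() if ga in old and old[ga] != v}


def _artifact_id(ga):
    return ga.split(":", 1)[1]


def stale_exclusions(exclusions, tree):
    """Exclusions matching nothing in `tree`, each with likely replacements.

    Replacement heuristic (an assumption of this example): suggest a tree
    coordinate whose artifactId equals the excluded artifactId or is a prefix
    of it (commons-beanutils-core -> commons-beanutils).
    """
    stale = {}
    for ex in exclusions:
        if ex in tree:
            continue  # still matches a real coordinate; nothing to do
        ex_artifact = _artifact_id(ex)
        stale[ex] = [
            ga for ga in tree
            if _artifact_id(ga) == ex_artifact or ex_artifact.startswith(_artifact_id(ga))
        ]
    return stale


if __name__ == "__main__":
    old, new = parse_tree(TREE_1_0_9), parse_tree(TREE_1_0_10)
    print("Bumped:", changed_versions(old, new))
    print("New transitive dependencies (each one more library to track for CVEs):")
    for coord in added_artifacts(old, new):
        print("  +", coord)
    for ex, fix in stale_exclusions(EXCLUSIONS, new).items():
        print(f"Stale exclusion {ex}: matches nothing; candidates {fix or '(none)'}")
```

Running it against the two excerpts reports nine newly introduced coordinates and two exclusions (`xom:xom`, `commons-beanutils:commons-beanutils-core`) that silently stopped applying once the groupIds moved; the same check can be run in CI on the output of `gradle dependencies` before and after any dependency bump.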

@fhanik fhanik self-assigned this Dec 17, 2019
@fhanik
Contributor

fhanik commented Dec 17, 2019

Thank you. Would happily accept a PR.

@RobertRogers24
Author

I would love to help, but my knowledge of the project is very limited. I also am not sure how esapi is currently used within the product, so I am unsure as to what dependencies are required vs. what we consider optional. Based on Maven these are all required dependencies; however, clearly it doesn't need them all, as it previously didn't in 1.1.0.0.

This was just to highlight the fact that 6-7 new libraries are being pulled in, which creates problems for applications that might have lower versions of these dependencies.

@RobertRogers24
Author

Happy to assist if given guidance though, but might be out of my depth.
