Details
- Bug
- Status: Reopened
- Critical
- Resolution: Unresolved
Description
I ran a Dependabot analysis on GitHub.
Major issues with old dependencies include:
- Shiro https://mvnrepository.com/artifact/org.apache.shiro/shiro-core
- log4j https://logging.apache.org/log4j/2.x/security.html
- httpclient https://github.com/pjfanning/airavata/security/dependabot/192
- commons-io https://github.com/advisories/GHSA-gwrp-pvrq-jmwv
- jackson https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind
- snakeyaml - https://github.com/advisories/GHSA-rvwf-54qp-4r6v
Many, many more.
There are also issues with UI dependencies.
Issue Links
- is cloned by: AIRAVATA-3704 CLONE - airavata trunk has dependencies on multiple insecure jar dependencies (Resolved)
- is related to: AIRAVATA-3592 replace jackson v1 with jackson v2 (Open)
- relates to: AIRAVATA-3591 upgrade jackson due to CVE-2020-36518 (Open)