[AIRAVATA-3590] airavata trunk has dependencies on multiple insecure jar dependencies - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Reopened
Priority: Critical
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
None

Description

I ran a dependabot analysis on github.

Major issues with old dependencies include:

Shiro https://mvnrepository.com/artifact/org.apache.shiro/shiro-core
log4j https://logging.apache.org/log4j/2.x/security.html
httpclient https://github.com/pjfanning/airavata/security/dependabot/192
commons-io https://github.com/advisories/GHSA-gwrp-pvrq-jmwv
jackson - https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind
snakeyaml - https://github.com/advisories/GHSA-rvwf-54qp-4r6v

Many many more.

There are also issues with UI dependencies.

Attachments

Issue Links

is cloned by

AIRAVATA-3704 CLONE - airavata trunk has dependencies on multiple insecure jar dependencies

Resolved

is related to

AIRAVATA-3592 replace jackson v1 with jackson v2

Open

relates to

AIRAVATA-3591 upgrade jackson due to CVE-2020-36518

Open

links to

GitHub Pull Request #281

GitHub Pull Request #282

GitHub Pull Request #287

GitHub Pull Request #289

GitHub Pull Request #290

(3 links to)

Activity

People

Assignee:: Unassigned

Reporter:: PJ Fanning

potential-mentor:: Suresh Marru

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 17/Mar/22 12:35

Updated:: 21/Sep/23 04:35