Details
-
Bug
-
Status: Resolved
-
Critical
-
Resolution: Fixed
-
None
-
None
-
None
-
None
Description
We are using axis2 version 1.7.8 ( org.apache.axis2.osgi-1.7.8.jar ) in our project, we can see that in this project pom.xml under <Import-Package> section, dependency on "Commons HttpClient project". This dependency is there in the form of "org.apache.commons.httpclient.,".* The same thing we have seen in axis2 latest jar 1.7.9.
Now as we know this "Commons HttpClient project" is already ended of its life long back and its no longer being developed.
So, please change this package dependency to Apache HttpComponents project in its HttpClient [org.apache.httpcomponents:httpclient]. (httpclient-4.5.9.jar).
Note: Right now we are supplying the dependency "org.apache.commons.httpclient" to "org.apache.axis2.osgi-1.7.8.jar" by "com.springsource.org.apache.commons.httpclient-3.1.0.jar". Now in Nexus vulnerability report "com.springsource.org.apache.commons.httpclient-3.1.0.jar" is showing as vulnerable. So we want to remove this jar. But after removing this jar "org.apache.axis2.osgi-1.7.8.jar" osgi bundle is not up due to unsatisfied dependency of package "org.apache.commons.httpclient". We have tried to provide the dependency by using httpclient-4.5.9.jar but this has different package hierarchy as it required in the form "org.apache.commons.httpclient".
So please change this dependency according to latest apache jar httpclient-4.5.9.jar.
For Reference: Attaching pom.xml of Axis2 1.7.8 project.