...because earlier versions reference xmpcore 5.1.2 which is affected by http://www.cvedetails.com/cve/CVE-2016-4216/
Use a recent Tika version
indirect test dependencies through tika-parser to vulnerable version of xmpcore
Upgrade XMPCore to 5.1.3
Great. Thank you. Let me know if we do need to change anything in master.
Seeing as this ticket is marked resolved it's probably already fixed in master. But the latest tika release 1.16 references metadata-extractor 2.9.1 which has xmpcore 5.1.2 as a dependency
> "Failure to find com.adobe.granite:parent:pom:60"
There are unfortunately two artefacts for com.adobe.xmp:xmpcore:jar:5.1.2, one for Adobe internal use, one public. The former has that reference. Clearing the M2 cache for com/adobe should fix this.
AJ Savino, thank you for raising this. I'm not sure how 5.1.2 is getting pulled in. I don't see it at all when I run dependency:tree on master; I'm only seeing 5.1.3. Am I missing something?
Maven build is failing:
"Failed to read artifact descriptor for com.adobe.xmp:xmpcore:jar:5.1.2: Failure to find com.adobe.granite:parent:pom:60"
Adding com.adobe.xmp v5.1.3 dependency to my local pom fixed the issue. metadata-extractor 2.10.1 uses v5.1.3
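As an added illustration of the workaround described above (not a snippet from the ticket or from the Tika project), the following pom.xml fragment pins the transitive xmpcore version through dependencyManagement so that any path, including tika-parsers -> metadata-extractor -> xmpcore, resolves to 5.1.3 instead of the CVE-2016-4216-affected 5.1.2. The groupId com.drewnoakes for metadata-extractor is taken from general knowledge of that artifact and is not stated in the ticket; the tika version placeholder is assumed.

```xml
<!-- Added example, not part of the ticket: pin vulnerable transitive
     dependencies to fixed versions. dependencyManagement applies the
     version to transitive dependencies as well, which a plain
     <dependency> entry does not reliably do. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>tika-consumer</artifactId>
  <version>1.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- xmpcore 5.1.2 is affected by CVE-2016-4216; force 5.1.3 -->
      <dependency>
        <groupId>com.adobe.xmp</groupId>
        <artifactId>xmpcore</artifactId>
        <version>5.1.3</version>
      </dependency>
      <!-- metadata-extractor 2.10.1 already depends on xmpcore 5.1.3;
           groupId is assumed from knowledge of the artifact -->
      <dependency>
        <groupId>com.drewnoakes</groupId>
        <artifactId>metadata-extractor</artifactId>
        <version>2.10.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-parsers</artifactId>
      <!-- placeholder: use the Tika release in use -->
      <version>TIKA_VERSION</version>
    </dependency>
  </dependencies>
</project>
```

After changing the pom, confirm that only one xmpcore version remains with `mvn dependency:tree -Dincludes=com.adobe.xmp:xmpcore`; if the build still reports "Failure to find com.adobe.granite:parent:pom:60", the local repository has cached the Adobe-internal 5.1.2 artefact and the com/adobe directory under ~/.m2/repository should be cleared before re-running, as noted earlier in the thread.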
FAILURE: Integrated in Jenkins build Tika-trunk #1389 (See https://builds.apache.org/job/Tika-trunk/1389/)
TIKA-2486 upgrade metadata-extractor to avoid CVE in xmp-core to 2.10.1 (tallison: https://github.com/apache/tika/commit/1b48d73e41f6041c31ff396194ee37b5afceebae)