Upgrade commons-beanutils 1.9.4 #827
Signed-off-by: olivier lamy <[email protected]>
Codecov Report

@@ Coverage Diff @@
##           master    #827   +/-   ##
=========================================
  Coverage     80.10%  80.10%
  Complexity     1560    1560
=========================================
  Files           243     243
  Lines          5666    5666
  Branches        422     422
=========================================
  Hits           4539    4539
  Misses          970     970
  Partials        157     157
=========================================

Continue to review full report at Codecov.
The failure doesn't look to be related to this change.
Thanks!
@uhafner Looking at release 8.10.1, this upgrade has not been included. Do you need a PR on a special branch? Thanks
Ah, seems that I removed that dependency since the warnings plugin is now based on a different Jenkins core version. During the migration I removed all unnecessary dependencies (and this dependency actually is only a transitive one). Since the next release of the warnings plugin will not contain digester anymore, I think I need to move that dependency to somewhere else (analysis-model or plugin-util). Is commons-beanutils part of core already? Or are other plugins using this dependency as well?
commons-beanutils is part of core for sure.
Even if it's not used, some security scanner will see this version, which has a CVE attached, and will flag the
Then it rather makes sense to exclude that dependency instead of declaring it as an explicit dependency?
Yup, if you don't use/need it. Just add exclusions.
@uhafner Do you want me to provide a PR targeting the master branch for this?
No, that is not required. I need to merge #842 first. Then the exclusion needs to be made in the analysis-model module and not in the warnings plugin.
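The two options discussed in this thread, as an added pom.xml example (not code from this PR or from the analysis-model project): exclude the unused transitive commons-beanutils that commons-digester pulls in, or, if the module does use it, pin it to 1.9.4. The `${digester.version}` property is a placeholder; the thread does not give the digester version.

```xml
<!-- Added example, not from the PR. Goes into the pom.xml of the module that
     owns the digester dependency (analysis-model, per the thread). -->

<!-- Option A: the module does not use beanutils itself, so drop the
     transitive artifact. Scanners then no longer find the version that is
     subject to CVE-2014-0114 on the classpath. -->
<dependency>
  <groupId>commons-digester</groupId>
  <artifactId>commons-digester</artifactId>
  <version>${digester.version}</version> <!-- placeholder, not from the thread -->
  <exclusions>
    <exclusion>
      <groupId>commons-beanutils</groupId>
      <artifactId>commons-beanutils</artifactId>
    </exclusion>
  </exclusions>
</dependency>

<!-- Option B: the module does need beanutils, so override the transitive
     version with the fixed release instead of excluding it. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>commons-beanutils</groupId>
      <artifactId>commons-beanutils</artifactId>
      <version>1.9.4</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Either way, `mvn dependency:tree -Dincludes=commons-beanutils` afterwards confirms that no other dependency still brings in the old version.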
Use the last version of commons-beanutils as the current one is subject to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Signed-off-by: olivier lamy [email protected]