This is an automated email from the ASF dual-hosted git repository.

porcelli pushed a commit to branch main
in repository 
https://gitbox.apache.org/repos/asf/incubator-kie-kogito-runtimes.git


The following commit(s) were added to refs/heads/main by this push:
     new 4d1a3d7b9d Explicitly declaring xstream to override a transitively 
imported version affected by CVE  (#3785)
4d1a3d7b9d is described below

commit 4d1a3d7b9d12ca0b2be38f1951e2b9892643d340
Author: Yeser Amer <[email protected]>
AuthorDate: Wed Nov 20 20:02:07 2024 +0100

    Explicitly declaring xstream to override a transitively imported version 
affected by CVE  (#3785)
    
    * exclude_xstream
    
    * Updated comment
    
    * change
    
    * change
    
    * change
    
    * change
---
 kogito-build/kogito-dependencies-bom/pom.xml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/kogito-build/kogito-dependencies-bom/pom.xml 
b/kogito-build/kogito-dependencies-bom/pom.xml
index 6e3de9522a..9d4c812444 100644
--- a/kogito-build/kogito-dependencies-bom/pom.xml
+++ b/kogito-build/kogito-dependencies-bom/pom.xml
@@ -155,6 +155,9 @@
     <version.com.google.collections>1.0</version.com.google.collections>
     <version.com.google.guava>33.0.0-jre</version.com.google.guava>
     
<version.apache.commons.commons-compress>1.26.1</version.apache.commons.commons-compress>
+    <!-- Temporary declaring xstream dependency, a version (1.4.20) is 
transitively imported by Quarkus 3.8 affected by CVE
+     When upgrading Quarkus (> 3.15.x) to a new version, please evaluate if 
this exclusion can be removed   -->
+    <version.com.thoughtworks.xstream>1.4.21</version.com.thoughtworks.xstream>
   </properties>
 
   <dependencyManagement>
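Review bot: The added comment on the `version.com.thoughtworks.xstream` property tells a future maintainer to evaluate removing "this exclusion", but nothing in this commit is an `<exclusion>` — both this hunk and the dependencyManagement hunk below add a managed-version override, so the cleanup instruction points at the wrong mechanism. The comment also refers to "CVE" without the identifier, which makes it impossible to later verify that 1.4.21 is the version that actually addresses it; suggested wording for both places: `<!-- Temporary: pin xstream to 1.4.21 because 1.4.20, pulled in transitively by Quarkus, is affected by CVE-XXXX-NNNNN (fill in). Re-evaluate this managed-version override when Quarkus is upgraded beyond 3.15.x. -->`. The two Quarkus versions quoted (3.8 as the importer of the vulnerable version, a re-check only after > 3.15.x) read as inconsistent with each other; worth confirming which is meant before it is copied further.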
@@ -451,6 +454,14 @@
         <version>${version.jakarta.persistence-api}</version>
       </dependency>
 
+      <!-- Temporary declaring xstream dependency, a version (1.4.20) is 
transitively imported by Quarkus 3.8 affected by CVE
+           When upgrading Quarkus (> 3.15.x) to a new version, please evaluate 
if this exclusion can be removed   -->
+      <dependency>
+        <groupId>com.thoughtworks.xstream</groupId>
+        <artifactId>xstream</artifactId>
+        <version>${version.com.thoughtworks.xstream}</version>
+      </dependency>
+
       <dependency>
         <groupId>org.junit.jupiter</groupId>
         <artifactId>junit-jupiter-api</artifactId>
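Review bot: A dependencyManagement entry pins xstream only for builds that import this BOM, and — if I read Maven's precedence rules right — only where this declaration wins over the version managed by the Quarkus BOM; it does not remove the transitively pulled artifact. The effect should therefore be confirmed in a consuming module with `mvn dependency:tree -Dincludes=com.thoughtworks.xstream` rather than assumed from this hunk. The `<dependency>` block itself matches its neighbours (version via property, no explicit scope), but since it and the property in `<properties>` must be removed together, the comment here could say so: `<!-- paired with version.com.thoughtworks.xstream in <properties>; remove both together -->`.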

