Hello all,

We currently depend on Maven Ant Tasks (MAT) during build, for declaring 
dependencies and generating POM files from within build.xml. MAT has long been 
retired (no commits since maintenance in 2015), has registered CVEs in its 
dependencies (CVE-2017-1000487), and encourages migration to its successor, 
Maven Artifact Resolver Ant Tasks (MARAT). More detail in the Jira: 
https://issues.apache.org/jira/browse/CASSANDRA-17750

I have a PR up to remove our dependency on MAT, with discussion from David 
Capwell and Mick Semb Wever: https://github.com/apache/cassandra/pull/1725

There are two main items for wider discussion:

1. Is it worth addressing this CVE and retired dependency with changes to our 
build system, or should we suppress it?

2. Are there more alternatives to Maven Ant Tasks that should be considered, 
like Ivy?

My stance, summarized from the PR comments, is that a retired dependency that 
does not receive security updates (current CVE or not) should be replaced by a 
maintained project, and that the general approach in the PR (give or take minor 
changes to POM packaging) is the one most compatible with our current approach, 
and does not preclude any build system changes in the near or distant future.

Curious to hear from others.

—
Abe
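For readers who have not seen the successor project in use: the fragment below is an added illustration of what a build.xml looks like once dependency resolution goes through Maven Artifact Resolver Ant Tasks instead of Maven Ant Tasks. It is not taken from the Cassandra PR or from either project's documentation. Assumed for illustration: the MARAT uber jar is dropped in lib/, the coordinates under `<resolver:dependencies>` are made-up placeholders, and the `lib/deps` output directory is arbitrary.

```xml
<!-- Added example, not code from the Cassandra build or the MARAT project. -->
<project name="resolver-example" default="resolve"
         xmlns:resolver="antlib:org.apache.maven.resolver.ant">

  <!-- Load the resolver tasks from the uber jar (assumed to be in lib/). -->
  <taskdef uri="antlib:org.apache.maven.resolver.ant"
           resource="org/apache/maven/resolver/ant/antlib.xml">
    <classpath>
      <fileset dir="${basedir}/lib" includes="maven-resolver-ant-tasks-*-uber.jar"/>
    </classpath>
  </taskdef>

  <!-- Pin the repositories explicitly; HTTPS only, no fallback mirrors. -->
  <resolver:remoterepo id="central" url="https://repo.maven.apache.org/maven2"/>
  <resolver:localrepo dir="${user.home}/.m2/repository"/>

  <!-- Reference an existing POM so install/deploy tasks can use its coordinates. -->
  <resolver:pom file="${basedir}/pom.xml" id="project.pom"/>

  <!-- Placeholder coordinates: replace with the real dependency list. -->
  <resolver:dependencies id="build.deps">
    <dependency coords="org.example:example-lib:1.0.0"/>
    <dependency coords="org.example:example-test:1.0.0" scope="test"/>
  </resolver:dependencies>

  <target name="resolve">
    <!-- Resolve once, expose a classpath reference and copy jars to lib/deps. -->
    <resolver:resolve dependenciesref="build.deps">
      <path refid="build.classpath" classpath="compile"/>
      <files dir="${basedir}/lib/deps" layout="{artifactId}-{version}.{extension}"/>
    </resolver:resolve>
  </target>
</project>
```

The practical difference from the MAT-based setup is that there is no POM-generation step in this fragment: the resolver tasks consume a POM or a dependency list and produce classpaths and files, so any POM that the build needs to publish has to be written out by other means, which is the "POM packaging" adjustment the post refers to.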
