Hello,

I am a member of the NetApp team and currently developing a storage plugin for ONTAP storage. As part of this effort, we recently submitted a pull request for community review.

During our development and testing, we identified a security vulnerability in the CloudStack development setup related to the presence of the struts-core-1.3.8.jar dependency. Upon further triage, we determined that this dependency is introduced transitively through the following Maven plugins currently in use:

- maven-checkstyle-plugin version 3.1.0
- maven-dependency-plugin version 3.1.1
- maven-site-plugin version 3.8.2

These plugin versions are significantly outdated and indirectly pull in the vulnerable Struts dependency. To evaluate the impact of upgrading, we updated these plugins to more recent releases aligned with 2024 versions:

- maven-checkstyle-plugin version 3.6.0
- maven-dependency-plugin version 3.8.1
- maven-site-plugin version 3.10

Following these upgrades, we performed a full compilation of the CloudStack codebase, which completed successfully without any issues.

Given the security implications and the successful build results, I would like to propose upgrading these Maven plugin versions to the newer releases. Please let us know if you foresee any compatibility concerns or potential issues with adopting these changes, or if there are additional validation steps you would recommend.

Thank you for your time and consideration.

Best regards,
*Rajiv Jain*
Senior Engineer, NetApp
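
An added example, not part of the original message or the CloudStack code base: a Python check that flags the three plugins named in the message when a POM pins them below the proposed versions. The sample POM and its property name are constructed, and the check reads only versions declared in the POM text it is given (no parent POM or transitive resolution).

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Upgraded versions proposed in the message; anything older is flagged.
PROPOSED = {
    "maven-checkstyle-plugin": "3.6.0",
    "maven-dependency-plugin": "3.8.1",
    "maven-site-plugin": "3.10",
}

# Constructed sample POM (not CloudStack's actual pom.xml).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <checkstyle.plugin.version>3.1.0</checkstyle.plugin.version>
  </properties>
  <build><pluginManagement><plugins>
    <plugin><artifactId>maven-checkstyle-plugin</artifactId>
      <version>${checkstyle.plugin.version}</version></plugin>
    <plugin><artifactId>maven-dependency-plugin</artifactId>
      <version>3.8.1</version></plugin>
    <plugin><artifactId>maven-site-plugin</artifactId>
      <version>3.8.2</version></plugin>
  </plugins></pluginManagement></build>
</project>"""

def vkey(version):
    # Numeric-only comparison key; qualifiers such as "-M1" are not ranked.
    return tuple(int(p) for p in re.findall(r"\d+", version))

def outdated_plugins(pom_text):
    root = ET.fromstring(pom_text)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    found = {}
    for plugin in root.iterfind(".//m:plugin", NS):
        name = plugin.findtext("m:artifactId", "", NS).strip()
        raw = plugin.findtext("m:version", "", NS).strip()
        # Resolve ${property} references defined in this same POM.
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), ""), raw)
        if name in PROPOSED and version and vkey(version) < vkey(PROPOSED[name]):
            found[name] = version
    return found

if __name__ == "__main__":
    for name, version in outdated_plugins(SAMPLE_POM).items():
        print(f"{name} {version} is older than proposed {PROPOSED[name]}")
```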
