The comments on that JCommander issue seem to indicate that the issue was resolved but never closed. I looked at https://github.com/cbeust/jcommander/blob/master/build.gradle.kts and it seems like they now use https for sonatype which is where the issue originated from. I left a comment on their issue to confirm with the developers if it was resolved.
I have a PR open that upgrades us to JCommander version 1.78 (https://github.com/apache/fluo/pull/1083/files), which is the most recent in Maven. Hopefully that resolves the issue for us.

-Joe

On Sat, Dec 14, 2019 at 12:23 PM Kenneth McFarland <kennethmcfarl...@apache.org> wrote:

> Here is a small example I found very fast out of curiosity. JCommander is susceptible to MITM.
>
> https://github.com/cbeust/jcommander/issues/465
>
> This is still open afaik. I'll be digging more for things like zipslip etc. and transient vulns. I still would appreciate any advice.
>
> Auditing Fluo will probably mean working inspecting other projects more than Fluo itself.
>
> On Fri, Dec 13, 2019, 11:27 AM Kenneth McFarland <kennethmcfarl...@apache.org> wrote:
>
>> Hi guys,
>>
>> I have found I'm pretty interested in security.
>>
>> I'd like to get some experience with Fluo and its dependencies, auditing them. I'm doing my own research but it's always best to leverage others' experience.
>>
>> If you have any good references, advice or tips for me please let me know. I'll also be looking through the commit logs and checking Accumulo.
>>
>> I wasn't sure where else to ask this since it's not really an issue until something is found. Thanks!
>>
>> Kenny
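A quick check in the spirit of the dependency audit discussed in this thread: the script below is an added example, not code from Fluo or JCommander, and it scans Maven and Gradle build files for repository URLs served over plain http (the kind of setting behind the JCommander issue, where artifacts fetched without TLS can be swapped by anyone on the path). The two build files it inspects are constructed samples with placeholder hosts, not the projects' real ones.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample build files (placeholder hosts, not the real JCommander
# build.gradle.kts or Fluo pom.xml): each declares one http and one https repository.
SAMPLE_GRADLE_KTS = """
repositories {
    mavenCentral()
    maven { url = uri("http://snapshots.example.org/maven") }
    maven { url = uri("https://releases.example.org/maven") }
}
"""

SAMPLE_POM_XML = """
<project>
  <repositories>
    <repository>
      <id>snapshots</id>
      <url>http://snapshots.example.org/maven</url>
    </repository>
    <repository>
      <id>releases</id>
      <url>https://releases.example.org/maven</url>
    </repository>
  </repositories>
</project>
"""

# Match any scheme-qualified URL; the scheme is captured so we can single out
# plain http, which gives the build no server authentication or integrity.
URL_RE = re.compile(r"""\b(https?)://[^\s"'<>)]+""", re.IGNORECASE)


def find_plain_http_urls(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, url) for every http:// URL in one build file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in URL_RE.finditer(line):
            if m.group(1).lower() == "http":
                findings.append((lineno, m.group(0)))
    return findings


def audit_build_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Map file name -> cleartext repository URLs; an empty list means the file is clean."""
    return {name: find_plain_http_urls(text) for name, text in files.items()}


if __name__ == "__main__":
    report = audit_build_files({"build.gradle.kts": SAMPLE_GRADLE_KTS, "pom.xml": SAMPLE_POM_XML})
    for name, hits in report.items():
        for lineno, url in hits:
            print(f"{name}:{lineno}: cleartext repository URL {url}")
```

Run it over the real build files of each dependency you audit (the regex is deliberately loose so it also catches plugin and distribution repositories); the https entries in the samples are left alone.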