JCommander closed the issue. -Joe On Sun, Dec 15, 2019 at 8:35 PM Joseph Koshakow <kosh...@gmail.com> wrote:
> The comments on that JCommander issue seem to indicate that the issue was > resolved but never closed. I looked at > https://github.com/cbeust/jcommander/blob/master/build.gradle.kts and it > seems like they now use https for sonatype which is where the issue > originated from. I left a comment on their issue to confirm with the > developers if it was resolved. > > I have a PR open that upgrades us to JCommander version 1.78 ( > https://github.com/apache/fluo/pull/1083/files) which is the most recent > in maven. Hopefully that resolves the issue for us. > > -Joe > > On Sat, Dec 14, 2019 at 12:23 PM Kenneth McFarland < > kennethmcfarl...@apache.org> wrote: > >> Here is a small example I found very fast out of curiosity. Jcommander is >> susceptible to MITM. >> >> https://github.com/cbeust/jcommander/issues/465 >> >> This is still open afaik. I'll be digging more for things like zipslip etc >> and transient vulns. I still would appreciate any advice. >> >> Auditing Fluo will probably mean working inspecting other projects more >> than Fluo itself. >> >> >> >> On Fri, Dec 13, 2019, 11:27 AM Kenneth McFarland < >> kennethmcfarl...@apache.org> wrote: >> >> > Hi guys, >> > >> > I have found I'm pretty interested in security. >> > >> > I'd like to get some experience with Fluo and it's dependencies auditing >> > them. I'm doing my own research but it's always best to leverage others >> > experience. >> > >> > If you have any good references, advice or tips for me please let me >> know. >> > I'll also be looking through the commit logs and checking accumulo. >> > >> > I wasn't sure where else to ask this since it's not really an issue >> until >> > something is found. Thanks! >> > >> > Kenny >> > >> >