The CVE is for the C++ ICU library, not icu4j, but <shrug>? We did A where I work and it did what you'd expect and shut up the vuln scanner.
+1 for B. The code is compatibly licensed and not that much. Other options carry functionality-loss risks or dev work. Dropping it in place is low risk and low effort. Longer term you may decide to go in a different direction, which is fine; it would be in tree and modifiable.

> On Oct 20, 2022, at 1:05 AM, Istvan Toth <st...@apache.org> wrote:
>
> Hi!
>
> Our icu4j version has CVEs.
> It is pulled in via com.salesforce.i18n:i18n-util
>
> [INFO] +- com.salesforce.i18n:i18n-util:jar:1.0.4:compile
> [INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
> [INFO] |  +- com.ibm.icu:icu4j:jar:60.2:compile
> [INFO] |  +- com.ibm.icu:icu4j-localespi:jar:60.2:compile
> [INFO] |  \- com.ibm.icu:icu4j-charset:jar:60.2:compile
>
> https://github.com/salesforce/i18n-util is marked as archived, and the
> committer names are not familiar to me.
>
> Do you think that it is possible to have a new release with a recent icu4j
> version?
>
> If not, should we
>
> A.) Dependency-manage icu4j (haven't tested if it works yet)
> B.) Copy the necessary i18n-util code directly to the Phoenix codebase, and
> drop the dependency (it's small)
> ?
>
> regards
> Istvan
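As an added illustration of option A from the thread (editor's example, not code from the Phoenix pom or from any poster): a Maven dependencyManagement fragment that pins the icu4j artifacts pulled in transitively by i18n-util. The version value is a placeholder, not a recommendation. The practitioner caveat is that com.ibm.icu:icu4j, icu4j-localespi and icu4j-charset are released together at the same version (all three are 60.2 in the tree above), so pinning only icu4j would leave the other two at the old version; all three need the same override.

```xml
<!-- Added example: dependencyManagement override for option A.
     Not part of the Phoenix pom. NEWER_ICU4J_VERSION is a placeholder
     to be replaced with the icu4j release you actually want. -->
<project>
  <!-- other pom elements omitted -->
  <properties>
    <icu4j.version>NEWER_ICU4J_VERSION</icu4j.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- All three icu4j artifacts are released in lockstep; pin them
           to one version, otherwise localespi/charset stay at 60.2. -->
      <dependency>
        <groupId>com.ibm.icu</groupId>
        <artifactId>icu4j</artifactId>
        <version>${icu4j.version}</version>
      </dependency>
      <dependency>
        <groupId>com.ibm.icu</groupId>
        <artifactId>icu4j-localespi</artifactId>
        <version>${icu4j.version}</version>
      </dependency>
      <dependency>
        <groupId>com.ibm.icu</groupId>
        <artifactId>icu4j-charset</artifactId>
        <version>${icu4j.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After adding the override, `mvn dependency:tree -Dincludes=com.ibm.icu` shows which icu4j versions are actually resolved under i18n-util, which is the check that the vuln scanner's finding really went away rather than only moving.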