Thanks Andrew, I accepted the OWASP report at face value. The sad reality today is that it is easier to do a needless version bump than to get users to understand and accept that a static code analysis tool gives false positives.
Anyway, keeping dependencies up-to-date even without CVEs is generally a good thing.
Opened https://issues.apache.org/jira/browse/PHOENIX-6818 to track this.

Istvan

On Thu, Oct 20, 2022 at 5:42 PM Andrew Purtell <andrew.purt...@gmail.com> wrote:
> The CVE is for the C++ ICU library, not icu4j, but <shrug>?
>
> We did A where I work and it did what you'd expect and shut up the vuln scanner.
>
> +1 for B. The code is compatibly licensed and not that much. Other options carry functionality loss risks or dev work. Dropping it in place is low risk and low effort. Longer term you may decide to go in a different direction, which is fine, it would be in tree and modifiable.
>
> > On Oct 20, 2022, at 1:05 AM, Istvan Toth <st...@apache.org> wrote:
> >
> > Hi!
> >
> > Our icu4j version has CVEs.
> > It is pulled in via com.salesforce.i18n:i18n-util
> >
> > [INFO] +- com.salesforce.i18n:i18n-util:jar:1.0.4:compile
> > [INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
> > [INFO] |  +- com.ibm.icu:icu4j:jar:60.2:compile
> > [INFO] |  +- com.ibm.icu:icu4j-localespi:jar:60.2:compile
> > [INFO] |  \- com.ibm.icu:icu4j-charset:jar:60.2:compile
> >
> > https://github.com/salesforce/i18n-util is marked as archived, and the committer names are not familiar to me.
> >
> > Do you think that it is possible to have a new release with a recent icu4j version?
> >
> > If not, should we
> >
> > A.) Dependencymanage icu4j (haven't tested if it works yet)
> > B.) Copy the necessary i18n-util code directly to the Phoenix codebase, and drop the dependency (it's small)
> > ?
> >
> > regards
> > Istvan

-- 
István Tóth | Sr. Staff Software Engineer
Email: st...@cloudera.com
cloudera.com <https://www.cloudera.com>
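Option A from the quoted message, overriding the icu4j version that i18n-util pulls in transitively, looks like this in a Maven pom. This is an added illustration, not the Phoenix project's own pom: the artifact coordinates and the 60.2 versions come from the dependency tree quoted above, while the value of `icu4j.version` (71.1 here) is an assumption standing in for whichever current release is chosen.

```xml
<!-- Added example, not taken from the Phoenix pom.
     dependencyManagement makes Maven resolve every com.ibm.icu artifact that
     com.salesforce.i18n:i18n-util:1.0.4 brings in (icu4j, icu4j-localespi,
     icu4j-charset, all 60.2 in the quoted tree) to a single managed version.
     The icu4j.version value below is an assumption; pick a current release. -->
<properties>
  <icu4j.version>71.1</icu4j.version>
</properties>

<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.ibm.icu</groupId>
      <artifactId>icu4j</artifactId>
      <version>${icu4j.version}</version>
    </dependency>
    <dependency>
      <groupId>com.ibm.icu</groupId>
      <artifactId>icu4j-localespi</artifactId>
      <version>${icu4j.version}</version>
    </dependency>
    <dependency>
      <groupId>com.ibm.icu</groupId>
      <artifactId>icu4j-charset</artifactId>
      <version>${icu4j.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

To confirm the override took effect, run `mvn dependency:tree -Dverbose -Dincludes=com.ibm.icu`: each of the three artifacts should appear at the managed version, annotated "(version managed from 60.2)". Note that this only changes what ends up on the classpath; it does not prove that the i18n-util 1.0.4 classes, compiled against icu4j 60.2, still work against the newer API. That is the part the quoted message flags as untested, so the Phoenix tests that exercise the i18n-util code paths need to pass before treating option A as done.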