[
https://issues.apache.org/jira/browse/TINKERPOP-2677?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17469624#comment-17469624
]
Stephen Mallette commented on TINKERPOP-2677:
---------------------------------------------
Linked to TINKERPOP-2373 - all of this is sorta bound together with the
performance problems that come to play with TINKERPOP-2526.
> Upgrade to Groovy 3.x to fix XStream security vulnerability
> -----------------------------------------------------------
>
> Key: TINKERPOP-2677
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2677
> Project: TinkerPop
> Issue Type: Bug
> Components: groovy
> Affects Versions: 3.6.0, 3.5.2
> Reporter: Divij Vaidya
> Priority: Major
>
> XStream has a number of documented vulnerabilities as specified in
> [https://x-stream.github.io/security.html] which are fixed in 1.4.18. Note
> that 1.4.18 is not backport compatible since it uses a new whitelisting
> approach for serialization.
> TinkerPop has a dependency on XStream via: [1]
> TinkerPop -> Groovy 2.5.x -> XStream 1.4.10
> However, Groovy 2.5.x series does not consume the version of XStream (1.4.18)
> which contains the fixes for the vulnerabilities [2] but Groovy 3.x uses
> XStream (1.4.18) which has the fixes for vulnerabilities.
> Hence, either we convince the Groovy project to backport the vulnerability
> fixes to 2.5.x series or we upgrade Groovy to 3.x for TinkerPop.
> IMO, upgrading TP to use Groovy 3.x might be much easier.
> [1] https://github.com/apache/tinkerpop/blob/master/pom.xml#L162
> [2] https://github.com/apache/groovy/blob/GROOVY_2_5_X/build.gradle#L165
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
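Added example, not part of the Jira thread and not TinkerPop or Groovy project code: the issue describes a transitive chain (TinkerPop -> Groovy 2.5.x -> XStream 1.4.10), and the practical check is whether the XStream that actually lands on your classpath is older than 1.4.18. The script below parses the text printed by `mvn dependency:tree`, walks the indentation to recover each root-to-leaf path, and reports every path ending in a `com.thoughtworks.xstream:xstream` whose version is below the fixed one. The embedded tree is constructed for illustration; which Groovy module carries the XStream edge and the exact versions shown are assumptions, and the comparison is numeric per component so that 1.4.10 is correctly ranked below 1.4.18 (a plain string compare would get that wrong).

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output (not a real build log).
# The groovy -> xstream edge and the version numbers are assumptions that
# mirror the chain described in the issue.
SAMPLE_TREE = """\
[INFO] org.apache.tinkerpop:gremlin-groovy:jar:3.5.2
[INFO] +- org.apache.tinkerpop:gremlin-core:jar:3.5.2:compile
[INFO] |  \\- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- org.codehaus.groovy:groovy:jar:2.5.14:compile
[INFO] |  \\- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
[INFO] |     \\- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] \\- org.codehaus.groovy:groovy-json:jar:2.5.14:compile
"""

VULNERABLE_GA = "com.thoughtworks.xstream:xstream"
FIXED_VERSION = "1.4.18"  # first release with the whitelist-based security setup
SCOPES = {"compile", "provided", "runtime", "test", "system"}

# Each tree level is a 3-character prefix: "+- ", "\- ", "|  " or "   ".
# A coordinate always contains ":" so separator/log lines do not match.
NODE_RE = re.compile(
    r"^(?:\[INFO\] )?(?P<prefix>(?:\+- |\\- |\|  |   )*)(?P<coord>[^\s:]+:\S+)$"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.18' (or '1.4.18-java7') into a comparable tuple of ints."""
    core = re.split(r"[-_]", v, 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def parse_tree(text: str) -> List[Tuple[int, str]]:
    """Return (depth, coordinate) for every dependency line in the tree."""
    nodes = []
    for line in text.splitlines():
        m = NODE_RE.match(line.rstrip())
        if m:
            nodes.append((len(m.group("prefix")) // 3, m.group("coord")))
    return nodes


def coord_version(coord: str) -> str:
    """groupId:artifactId:packaging[:classifier]:version[:scope] -> version."""
    parts = coord.split(":")
    if parts[-1] in SCOPES:
        parts = parts[:-1]
    return parts[-1]


def find_paths(nodes: List[Tuple[int, str]], ga: str) -> List[List[str]]:
    """Every root -> ... -> artifact path whose groupId:artifactId equals ga."""
    stack: List[str] = []
    paths = []
    for depth, coord in nodes:
        del stack[depth:]          # pop back to this node's parent
        stack.append(coord)
        if ":".join(coord.split(":")[:2]) == ga:
            paths.append(list(stack))
    return paths


def vulnerable_paths(text: str, ga: str = VULNERABLE_GA,
                     fixed: str = FIXED_VERSION) -> List[Tuple[str, List[str]]]:
    """(version, path) for each occurrence of ga resolved below the fixed version."""
    hits = []
    for path in find_paths(parse_tree(text), ga):
        ver = coord_version(path[-1])
        if parse_version(ver) < parse_version(fixed):
            hits.append((ver, path))
    return hits


if __name__ == "__main__":
    for ver, path in vulnerable_paths(SAMPLE_TREE):
        print(f"xstream {ver} < {FIXED_VERSION} via:")
        print("  " + " -> ".join(path))
```

Feed it the real output of `mvn dependency:tree` for the module you ship; an empty result after bumping Groovy confirms the transitive XStream was actually replaced rather than merely shadowed by another path. Note that `dependency:tree` shows Maven's resolved versions, so a `<dependencyManagement>` pin on XStream would also show up here.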