Yes, but the dependency is a direct dependency with incorrect scope, not 
transitive.

We sent our emails at the same moment.  :-)

Kind regards,
Ben.

On 13/08/16 12:54, Torben Barsballe wrote:
> Doing a mvn:dependency:tree, I found this:
>
> [INFO] ------------------------------------------------------------------------
> [INFO] Building Application Schema DataAccess 15-SNAPSHOT
> [INFO] ------------------------------------------------------------------------
> [INFO]
> [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ gt-app-schema ---
> [INFO] org.geotools:gt-app-schema:jar:15-SNAPSHOT
> [INFO] +- org.geotools:gt-complex:jar:15-SNAPSHOT:compile
> [INFO] \- org.geotools:gt-complex:jar:tests:15-SNAPSHOT:compile
>
> It looks like gt-app-schema depends upon the gt-complex test jar
> (transitively by way of gt-complex?). gt-app-schema is not depended upon by
> anything in this way, so its test jar is not included.
>
>
> Torben
>
> On Fri, Aug 12, 2016 at 5:43 PM, Ben Caradoc-Davies <b...@transient.nz>
> wrote:
>
>> Torben,
>>
>> neither are blockers, just observations, and I agree that addressing them
>> should be deferred for future work. Including tests jars causes no harm.
>> commons-beanutils is only a vulnerability in specific types of
>> applications. There is also a hardcoded commons-beanutils 1.7.0 in
>> gt-app-schema.
>>
>> Kind regards,
>> Ben.
>>
>>
>> On 13/08/16 12:33, Torben Barsballe wrote:
>>
>>> Ben:
>>> (1) Doing a mvn dependency:tree shows that the commons-beanutils jar is
>>> coming from gt-imagemosaic. This is probably something we should fix.
>>> Talking to Kevin, upgrading this will include a version update of the jar,
>>> so will need some testing. Also note that the gt-imagemosaic jar is a
>>> dependency for several other geotools modules.
>>>
>>> (2) I just took a look at the GeoTools 15.1 bin, and it also contains
>>> gt-complex-15.1-tests.jar. I am equally curious as to why this is included,
>>> although perhaps not curious enough for it to hold up this milestone
>>> release.
>>>
>>> I am going to move forward with the milestone release, but we should
>>> definitely keep both these issues in mind moving forward (and also take a
>>> look at GeoTools 15, as it is affected by both these issues).
>>>
>>> Torben
>>>
>>>
>>> On Fri, Aug 12, 2016 at 5:17 PM, Ben Caradoc-Davies <b...@transient.nz>
>>> wrote:
>>>
>>>> Looking through the bin.zip, I noticed:
>>>>
>>>> (1) commons-beanutils-1.7.0.jar is present. This JAR was removed from
>>>> GeoServer and replaced with the customised commons-beanutils-1.9.2-noclassprop.jar
>>>> because it enabled a remote code execution vulnerability. See Kevin and
>>>> Andrea for details. Should GeoTools ship 1.7.0 or switch to
>>>> 1.9.2-noclassprop to protect GeoTools users?
>>>>
>>>> (2) gt-complex-16-M0-tests.jar is present. This is the only *-tests.jar
>>>> included in the bin-zip. I wonder why?
>>>>
>>>> All the other contents look sane to me.
>>>>
>>>> Kind regards,
>>>> Ben.
>>>>
>>>>
>>>> On 13/08/16 11:50, Torben Barsballe wrote:
>>>>
>>>>> The GeoTools 16-M0 release artifacts available for testing from:
>>>>> http://ares.boundlessgeo.com/geotools/release/16-M0/
>>>>>
>>>>> Torben
>>>>>
>>>>>
>>>>>

-- 
Ben Caradoc-Davies <b...@transient.nz>
Director
Transient Software Limited <http://transient.nz/>
New Zealand

_______________________________________________
GeoTools-Devel mailing list
GeoTools-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-devel
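A release check for the two observations in this thread, added here as an example and not part of the original messages or of GeoTools: it parses `mvn dependency:tree` output, flags test jars declared in a non-test scope (the reason a gt-complex `*-tests.jar` lands in the bin zip) and reports which versions of an artifact such as commons-beanutils appear and how deep in the tree. The gt-app-schema lines in the sample mirror the output quoted above; the gt-imagemosaic and commons-beanutils lines are constructed to illustrate the transitive case described in the thread.

```python
import re

# Constructed sample in `mvn dependency:tree` format (gt-app-schema lines as quoted in
# the thread; the gt-imagemosaic / commons-beanutils lines are made up for illustration).
SAMPLE_TREE = r"""
[INFO] org.geotools:gt-app-schema:jar:15-SNAPSHOT
[INFO] +- org.geotools:gt-complex:jar:15-SNAPSHOT:compile
[INFO] +- org.geotools:gt-imagemosaic:jar:15-SNAPSHOT:compile
[INFO] |  \- commons-beanutils:commons-beanutils:jar:1.7.0:compile
[INFO] \- org.geotools:gt-complex:jar:tests:15-SNAPSHOT:compile
"""

# Tree prefix comes in three-character groups ("+- ", "\- ", "|  ", "   "); the
# coordinates that follow are group:artifact:type[:classifier]:version[:scope].
LINE_RE = re.compile(r"^\[INFO\]\s+([|+\\\- ]*)(\S+)$")


def parse_tree(text):
    """Parse dependency:tree output into one dict per artifact (depth 0 = the root module)."""
    deps = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banners, plugin lines, blank [INFO] lines
        prefix, coords = m.groups()
        parts = coords.split(":")
        classifier = scope = None
        if len(parts) == 4:        # root module carries no scope
            group, artifact, ptype, version = parts
        elif len(parts) == 5:
            group, artifact, ptype, version, scope = parts
        elif len(parts) == 6:
            group, artifact, ptype, classifier, version, scope = parts
        else:
            continue
        deps.append({"group": group, "artifact": artifact, "type": ptype,
                     "classifier": classifier, "version": version,
                     "scope": scope, "depth": len(prefix) // 3})
    return deps


def shipped_test_jars(deps):
    """Test jars (classifier 'tests' or type 'test-jar') outside test scope get packaged."""
    return [d for d in deps
            if (d["classifier"] == "tests" or d["type"] == "test-jar")
            and d["scope"] not in (None, "test")]


def versions_of(deps, group, artifact):
    """Every version of an artifact in the tree with its depth (depth > 1 means transitive)."""
    return [(d["version"], d["depth"]) for d in deps
            if d["group"] == group and d["artifact"] == artifact]
```

Feed it the real output of `mvn dependency:tree` run in the module you are about to release; anything returned by `shipped_test_jars` should be moved to `<scope>test</scope>` or dropped before the bin zip is built.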
