Divij Vaidya created TINKERPOP-2677:
---------------------------------------
Summary: Upgrade to Groovy 3.x to fix XStream security vulnerability
Key: TINKERPOP-2677
URL: https://issues.apache.org/jira/browse/TINKERPOP-2677
Project: TinkerPop
Issue Type: Bug
Components: groovy
Affects Versions: 3.6.0, 3.5.2
Reporter: Divij Vaidya
XStream has a number of documented vulnerabilities as specified in
[https://x-stream.github.io/security.html] which are fixed in 1.4.18. Note that
1.4.18 is not backward compatible since it uses a new whitelisting approach for
serialization.
TinkerPop has a dependency on XStream via: [1]
TinkerPop -> Groovy 2.5.x -> XStream 1.4.10
However, the Groovy 2.5.x series does not consume the version of XStream (1.4.18)
that contains the fixes for the vulnerabilities [2], whereas Groovy 3.x uses
XStream 1.4.18, which has those fixes.
Hence, either we convince the Groovy project to backport the vulnerability
fixes to 2.5.x series or we upgrade Groovy to 3.x for TinkerPop.
IMO, upgrading TP to use Groovy 3.x might be much easier.
[1] https://github.com/apache/tinkerpop/blob/master/pom.xml#L162
[2] https://github.com/apache/groovy/blob/GROOVY_2_5_X/build.gradle#L165
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
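The issue above hinges on which XStream version actually resolves through the Groovy dependency. As an added example (not part of the issue or of TinkerPop or Groovy code), the script below walks `mvn dependency:tree` output, reconstructs the path to every `com.thoughtworks.xstream:xstream` node, and flags any version older than the 1.4.18 release the issue names as containing the fixes. The dependency tree text is constructed to mirror the TinkerPop -> Groovy 2.5.x -> XStream 1.4.10 chain described in the issue; the specific Groovy patch version and the sibling artifacts in it are sample values, not taken from the project.

```python
"""Flag a vulnerable transitive XStream version in `mvn dependency:tree` output.

Added example, not code from the TinkerPop issue or project. The sample tree
is constructed to mirror the chain TinkerPop -> Groovy 2.5.x -> XStream 1.4.10
from the issue; the fixed version 1.4.18 is the one the issue names.
"""
import re

# XStream release the issue identifies as carrying the security fixes.
FIXED_XSTREAM = (1, 4, 18)

# Constructed sample of `mvn dependency:tree` output (not real project output;
# the Groovy patch version and sibling artifacts are illustrative).
SAMPLE_TREE = """\
[INFO] org.apache.tinkerpop:gremlin-groovy:jar:3.5.2
[INFO] +- org.codehaus.groovy:groovy:jar:2.5.14:compile
[INFO] |  \\- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
[INFO] |     \\- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.25:compile
"""

# Maven draws the tree with "+- ", "\- ", "|  " and "   " segments of three
# characters each, so the prefix length divided by three is the node depth.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[|+\\ -]*)(?P<coord>\S+)$")


def parse_version(text):
    """Turn '1.4.10' into (1, 4, 10) so versions compare numerically."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def parse_tree(tree_text):
    """Return a list of (depth, groupId, artifactId, version) for each node."""
    nodes = []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip build chatter that is not a tree line
        depth = len(m.group("prefix")) // 3
        parts = m.group("coord").split(":")
        if len(parts) < 4:
            continue  # expect groupId:artifactId:type:version[:scope]
        nodes.append((depth, parts[0], parts[1], parts[3]))
    return nodes


def find_vulnerable_xstream(tree_text, fixed=FIXED_XSTREAM):
    """Return (path, version) pairs for xstream nodes older than `fixed`.

    The path is the chain of ancestors, which tells you which direct
    dependency (here Groovy) has to be upgraded to move XStream forward.
    """
    findings = []
    stack = []  # ancestor coordinates, one entry per depth level
    for depth, group, artifact, version in parse_tree(tree_text):
        del stack[depth:]  # pop back to this node's parent
        stack.append(f"{group}:{artifact}:{version}")
        if group == "com.thoughtworks.xstream" and artifact == "xstream":
            if parse_version(version) < fixed:
                findings.append((" -> ".join(stack), version))
    return findings


if __name__ == "__main__":
    for path, version in find_vulnerable_xstream(SAMPLE_TREE):
        print(f"xstream {version} is older than 1.4.18 via: {path}")
```

Run it against real output by piping `mvn dependency:tree` into a file and passing the text to `find_vulnerable_xstream`. The path in each finding is the useful part: it shows that XStream arrives through Groovy, which is why the issue proposes upgrading Groovy rather than pinning XStream directly, since the whitelisting change in 1.4.18 could break a Groovy build that still expects the older behaviour.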