On 27-05-2021 18:05, Mark Thomas wrote:
On 27/05/2021 16:29, Matt Sicker wrote:
As the user, you have ultimate control over transitive dependency
versions that end up in your application. Using Maven, for example,
you can override the commons-fileupload dependency on commons-io to
the latest release. I don't think anyone here wants to go through an
entire release for a component just to update a dependency.

I'll add that a vulnerability in a dependency does not always translate into a vulnerability in the code using the dependency. The last time the ASF looked at this across a large number of our Java projects, only about 10% of vulnerabilities translated into potential vulnerabilities in the code using the dependency.


Hi Mark, Matt,

Very true, but there is a risk as well. The user should make the assessment on whether he/she is vulnerable due to the transitive dependency. As security issues are sometimes quite obscure, and can deceive many programmers, it is not always easy to make the correct judgement.

It is true that the user has ultimate control over transitive dependencies, but my gut feeling is that most of the users do not even bother to look at them. They just fly with the defaults, and don't think twice. Even more so: most users do not actually scan their dependencies, so they don't know about the published CVE in the first place.

I totally understand that the effort to do a release is large - too large for just a dependency update. And I see the argument that the user is responsible for managing his/her dependencies. But I also think that community projects have a responsibility as well in this.

In the end this would all be 'fixed' when a release would be less work. At the risk of igniting a fierce discussion: why are Apache releases so much work? Is there anything that can be improved in this?

With kind regards,

Jurrie
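Matt's point above is that the application, not the library, gets the last word on which commons-io version is resolved. The fragment below is an added illustration, not code from this thread or from Apache Commons: a Maven POM that pins the transitive commons-io to a release at or above the 2.7 fix line mentioned in the thread, and adds an Enforcer rule so the build fails if anything, direct or transitive, drags an older commons-io back in. That second part addresses Jurrie's observation that most users never look at their transitive dependencies: the check runs on every build instead of depending on someone remembering to scan. The group, artifact and version values (commons-fileupload 1.4, commons-io 2.8.0, maven-enforcer-plugin 3.0.0) are chosen here for illustration; the project coordinates are placeholders.

```xml
<!-- Added example, not part of the original thread.
     Pins the commons-io version that commons-fileupload pulls in transitively
     and fails the build if a version below the fixed line (2.7) ever resolves. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <!-- placeholder coordinates for the consuming application -->
  <groupId>com.example</groupId>
  <artifactId>upload-service</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- dependencyManagement overrides the version declared in
           commons-fileupload's own POM (2.2 in the thread), so the
           application resolves commons-io 2.8.0 instead. Version chosen
           for illustration; use the release the advisory names as fixed. -->
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.8.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- the direct dependency that brings commons-io in transitively -->
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.4</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Enforcer: ban any commons-io below 2.7 anywhere in the resolved
           tree, so a later dependency change cannot silently reintroduce
           the affected version. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0</version>
        <executions>
          <execution>
            <id>ban-old-commons-io</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <!-- version range: anything earlier than 2.7 -->
                    <exclude>commons-io:commons-io:[,2.7)</exclude>
                  </excludes>
                  <searchTransitive>true</searchTransitive>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

To confirm what actually resolved, `mvn dependency:tree -Dincludes=commons-io` prints only the commons-io node with the version the override selected; the Enforcer rule then guards that state on every subsequent build. This does not decide the question Mark raises, whether the dependency's vulnerability is reachable through commons-fileupload at all; that assessment is still the application owner's, but the override and the check remove the "we didn't know it was there" part of the problem.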





On Thu, 27 May 2021 at 10:00, Singh, Randeep <rand.si...@sap.com.invalid> wrote:

Hi All,

This is regarding a security issue that is reported in our component, which is coming from the commons-io (2.2) lib transitive dependency via commons-fileupload. It seems this is fixed in commons-io (2.7) or above; hence, would it be possible to bump the version of commons-io to 2.8 or 2.9 and release a patch? I can see that it has already been done with this commit https://github.com/apache/commons-fileupload/commit/8370f1e0a15a0469d04579e2abd5500ebf90b8c8/ . May I know by when we can expect a release of 2.0, in case a patch is not possible?


Best Regards
Randeep

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
For additional commands, e-mail: user-h...@commons.apache.org