OpenDaylight JIRA https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 [ODLPARENT-111] Medium security issue in commons-beanutils on Nexus IQ server CLM Job https://jira.opendaylight.org/browse/ODLPARENT-111 odlparent <p>An Ho on <a href="https://lists.opendaylight.org/pipermail/release/2017-August/011985.html" class="external-link" target="_blank" rel="nofollow noopener">https://lists.opendaylight.org/pipermail/release/2017-August/011985.html</a> raises a number of issues on Nexus IQ server CLM Job seen e.g. here: <a href="https://clm.opendaylight.org/assets/index.html#/reports/daexim/d3d1cd100d6a4443a997ad713f474c35" class="external-link" target="_blank" rel="nofollow noopener">https://clm.opendaylight.org/assets/index.html#/reports/daexim/d3d1cd100d6a4443a997ad713f474c35</a>, among them something re. a Security-Medium issue in commons-beanutils 1.8.3.</p> <p>Let's see if we can bump all usages of commons-beanutils 1.8.3 to the latest 1.9.3 ...</p> <p>Operating System: All<br/> Platform: All</p> ODLPARENT-111 Medium security issue in commons-beanutils on Nexus IQ server CLM Job Bug Resolved Done Unassigned Michael Vorburger Tue, 15 Aug 2017 10:09:58 +0000 Thu, 7 Mar 2019 13:01:53 +0000 Thu, 7 Mar 2019 13:01:53 +0000 2.0.5 3.1.6 4.0.9 General 0 1 <p>According to a quick scan of autorelease, beanutils is used by aaa, vtn, tsdr, and odlparent itself.</p> <p>We do have a system/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar in odlparent's karaf empty, and some distributions.</p> <p>As far as I can see from a first quick grep in odlparent, this (commons-beanutils) does not appear in our &lt;dependencyManagement&gt;, where it should be if any projects uses this as a regular &lt;dependency&gt;. Raised <a href="https://git.opendaylight.org/gerrit/#/c/61752/" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/#/c/61752/</a> to add it, and <a href="https://git.opendaylight.org/gerrit/#/c/61753/" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/#/c/61753/</a> for aaa.</p> <p>It does however also appear in the karaf-paxweb.patch pax-web-features-4.3.0-features.xml ... have attempted to change that, but failed - maybe just a mistake in the patch, or something bigger... I'll let someone else pick that up? <img class="emoticon" src="https://jira.opendaylight.org/images/icons/emoticons/wink.png" height="16" width="16" align="absmiddle" alt="" border="0"/> Or that will just get sorted out with the next Karaf upgrade, if they keep bumping their dep to pax-web, if they keep bumping 3rd party deps to commons.</p> <p>vtn and tsdr I don't care about, and won't have the spare cycles to deal with. They should do sth similar like c/61753.</p> <p>&gt; also appear in the karaf-paxweb.patch pax-web-features-4.3.0-features.xml</p> <p>which <a href="https://git.opendaylight.org/gerrit/#/c/61760/" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/#/c/61760/</a> fixes - except that it completely irrelevant for us here - it only fixes up paxweb's pax-jsf-support feature, which we do not use.</p> <p>(In reply to Michael Vorburger from comment #1)<br/> &gt; According to a quick scan of autorelease, beanutils is used by aaa, vtn,<br/> &gt; tsdr, and odlparent itself.</p> <p>Very quick scan <img class="emoticon" src="https://jira.opendaylight.org/images/icons/emoticons/wink.png" height="16" width="16" align="absmiddle" alt="" border="0"/>. beanutils ends up being referred to in order to fix various issues with transitive dependencies, there are no code dependencies on it. Ideally I wouldn’t want projects relying on beanutils, so I don’t want to have it in dependency management.</p> <p>I humbly suggest <a href="https://git.opendaylight.org/gerrit/61844" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/61844</a> instead (on AAA only).</p> <p>&gt; I humbly suggest <a href="https://git.opendaylight.org/gerrit/61844" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/61844</a> instead (on AAA only).</p> <p>I don't want to stand in the way of doing it like this, so don't mind abandoning my proposed changes to odlparent and aaa re. this - BUT these only accept aaa, and not the other projects using commons-beanutils... which is fine for me and those who pay the roof over my head <img class="emoticon" src="https://jira.opendaylight.org/images/icons/emoticons/wink.png" height="16" width="16" align="absmiddle" alt="" border="0"/> but I wanted to spell it out here, so someone interested in other projects could follow-up with those, if needed.</p> <p>(In reply to Michael Vorburger from comment #5)<br/> &gt; &gt; I humbly suggest <a href="https://git.opendaylight.org/gerrit/61844" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/61844</a> instead (on AAA only).<br/> &gt; <br/> &gt; I don't want to stand in the way of doing it like this, so don't mind<br/> &gt; abandoning my proposed changes to odlparent and aaa re. this - BUT these<br/> &gt; only accept aaa, and not the other projects using commons-beanutils... which<br/> &gt; is fine for me and those who pay the roof over my head <img class="emoticon" src="https://jira.opendaylight.org/images/icons/emoticons/wink.png" height="16" width="16" align="absmiddle" alt="" border="0"/> but I wanted to<br/> &gt; spell it out here, so someone interested in other projects could follow-up<br/> &gt; with those, if needed.</p> <p>No other project directly uses beanutils.</p> <p>&gt; No other project directly uses beanutils.</p> <p>OK, perfect!</p> <p>&gt;&gt; According to a quick scan of autorelease, beanutils is used by aaa, vtn,<br/> &gt;&gt; tsdr, and odlparent itself.</p> <p>&gt; Very quick scan <img class="emoticon" src="https://jira.opendaylight.org/images/icons/emoticons/wink.png" height="16" width="16" align="absmiddle" alt="" border="0"/>. beanutils ends up being referred to in order to fix various issues with transitive dependencies, there are no code dependencies on it.</p> <p>Yup; indeed the hit I saw in vtn on grep is not a dependency, tsdr's features/odl-tsdr-hbase/src/main/feature/feature.xml used a mvn:org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-beanutils/1.8.3_1 - but tsdr is no longer in the release - so forget about it)</p> Development External issue ID 8993 External issue URL Rank 0|i023dj: