[GRP-1945] GrouperClient using forked versions of 3rd party libraries - Internet2 Todos

XML

Word

Printable

Details

Type: Improvement
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 2.4.0
Fix Version/s: None
Component/s: grouperClient
Labels:
None

Description

grouperClient uses forked versions of certain libraries, This may have been to make it an executable jar? It's not clear what versions the code bases are from, and whether they have been modified from the original source. Without knowing the versions, it's not easy to know whether there are bugs or vulnerabilities in them.

These libraries are in package edu.internet2.middleware.grouperClientExt:

- com.thoughtworks.xstream

edu.internet2.middleware.morphString
org.apache.commons.codec
org.apache.commons.httpclient
org.apache.commons.jexl2
org.apache.commons.lang3
org.apache.commons.logging

There are other options for how to package a runnable jar with external dependencies. It would be easier for maintenance and better for security to switch to one of these options for these libraries.

Attachments

Activity

People

Assignee:: Chad Redman (unc.edu)

Reporter:: Chad Redman (unc.edu)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 04/Nov/18 5:14 PM

Updated:: 07/Aug/19 12:27 AM