ant-dev mailing list archives

From Gintautas Grigelionis
Subject Tooling update
Date Fri, 08 Jun 2018 17:17:23 GMT
I took the liberty to sync QA tools among Ant, Ivy and IvyDE.
A couple of notes: Ant 1.10 having a Java 8 baseline permits migration
from FindBugs to SpotBugs; I decided to do it now rather than wait for
dependency issues [1] to be resolved. Then I was surprised that
Dependency Check indicates that the latest XZ 1.8 has a vulnerability:
should we ask them to investigate?



P.S. Here's the complete Dependency Check report:

[owasp:dependency-check] bsh-core-2.0b4.jar (org.beanshell:bsh-core:2.0b4,
cpe:/a:beanshell_project:beanshell:2.0.b4) : CVE-2016-2510
[owasp:dependency-check] jruby-1.6.8.jar (cpe:/a:jruby:jruby:1.6.8,
org.jruby:jruby:1.6.8) : CVE-2012-5370
[owasp:dependency-check] jython-2.7.0.jar (org.python:jython:2.7.0,
cpe:/a:jython_project:jython:2.7.0) : CVE-2016-4000
[owasp:dependency-check] xz-1.8.jar (cpe:/a:tukaani:xz:1.8,
org.tukaani:xz:1.8) : CVE-2015-4035
(org.jruby.ext.posix:jnr-posix:1.1.9, cpe:/a:jruby:jruby:1.1.9) :
CVE-2010-1330, CVE-2011-4838, CVE-2012-5370
