Grouper / GRP-1945

GrouperClient using forked versions of 3rd party libraries


Details

    • Improvement
    • Resolution: Unresolved
    • Minor
    • None
    • 2.4.0
    • grouperClient
    • None

    Description

      grouperClient uses forked versions of certain libraries. This may have been to make it an executable jar? It's not clear what versions the code bases are from, or whether they have been modified from the original source. Without knowing the versions, it's not easy to know whether there are bugs or vulnerabilities in them.

      These libraries are in package edu.internet2.middleware.grouperClientExt:

      • com.thoughtworks.xstream
      • edu.internet2.middleware.morphString
      • org.apache.commons.codec
      • org.apache.commons.httpclient
      • org.apache.commons.jexl2
      • org.apache.commons.lang3
      • org.apache.commons.logging

      There are other options for how to package a runnable jar with external dependencies. It would be easier for maintenance and better for security to switch to one of these options for these libraries.
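      One of the packaging options the description alludes to, shown here as an added example that is not taken from this issue or from the Grouper build (it assumes a Maven build): the upstream artifacts are declared with pinned versions and maven-shade-plugin relocates them into the existing edu.internet2.middleware.grouperClientExt package, so the executable jar keeps its current class names while the exact upstream versions stay visible in the pom for dependency and vulnerability scanning. PIN-TO-UPSTREAM marks the version values to fill in.

```xml
<!-- Constructed example, not the Grouper project's pom; PIN-TO-UPSTREAM marks versions to fill in -->
<project>
  <dependencies>
    <dependency>
      <groupId>com.thoughtworks.xstream</groupId>
      <artifactId>xstream</artifactId>
      <version>PIN-TO-UPSTREAM</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>PIN-TO-UPSTREAM</version>
    </dependency>
    <!-- commons-codec, commons-httpclient, commons-jexl (2.x) and commons-logging follow the same pattern -->
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-shade-plugin</artifactId>
        <version>3.2.4</version>
        <executions>
          <execution>
            <phase>package</phase>
            <goals><goal>shade</goal></goals>
            <configuration>
              <!-- rename the upstream classes into the package grouperClient already uses,
                   so existing imports of edu.internet2.middleware.grouperClientExt.* keep working -->
              <relocations>
                <relocation>
                  <pattern>com.thoughtworks.xstream</pattern>
                  <shadedPattern>edu.internet2.middleware.grouperClientExt.com.thoughtworks.xstream</shadedPattern>
                </relocation>
                <relocation>
                  <!-- covers codec, httpclient, jexl2, lang3 and logging in one rule -->
                  <pattern>org.apache.commons</pattern>
                  <shadedPattern>edu.internet2.middleware.grouperClientExt.org.apache.commons</shadedPattern>
                </relocation>
              </relocations>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

      Relocation rewrites bytecode references only; any reflective lookup of these classes by string name would still have to use the relocated name, and the local edu.internet2.middleware.morphString code is not covered since it is not an upstream artifact.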


          People

            Assignee: Chad Redman (unc.edu)
            Reporter: Chad Redman (unc.edu)
            Votes: 0
            Watchers: 2
