We know that we are not configuring an LDAP PIP in our
use of the XACML open source. The LDAP implementation
uses Apache Velocity, which uses a very old version
of commons-collections that has security issues. So
we can exclude commons-collections from the build.
Issue-ID: POLICY-507
Change-Id: I735eae4fe507ad016d9b0b49e67536415edb9820
Signed-off-by: Pamela Dragosh <pdragosh@research.att.com>
<groupId>com.att.research.xacml</groupId>
<artifactId>xacml-pdp</artifactId>
<version>1.0.1</version>
+ <exclusions>
+ <!-- The LDAP PIP uses velocity which pulls this insecure jar in. We
+ are not using that PIP and can safely exclude this jar to resolve CLM issue.
+ -->
+ <exclusion>
+ <groupId>commons-collections</groupId>
+ <artifactId>commons-collections</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
<groupId>junit</groupId>
<groupId>com.att.research.xacml</groupId>
<artifactId>xacml</artifactId>
<version>1.0.1</version>
+ <exclusions>
+ <!-- The LDAP PIP uses velocity which pulls this insecure jar in. We
+ are not using that PIP and can safely exclude this jar to resolve CLM issue.
+ -->
+ <exclusion>
+ <groupId>commons-collections</groupId>
+ <artifactId>commons-collections</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
</dependencies>
</project>
Code Review / policy / engine.git / commitdiff