CVE-2018-8013

[jlosornogil]

Hello!
Do you have an ETA for the new release 3.1.15?

I've seen that you have bumped batik version to 1.14 in the master branch and that would solve the critical security vulnerability CVE-2018-8013.

BTW, I've tried to compile the project in my local environment with Java 11 using the command mvn clean install and it failed with the next error message:

[INFO] Scanning for projects...
[WARNING] The POM for de.rototor.jeuclid:build-tools:jar:1.0.5 is missing, no dependency information available
[ERROR] [ERROR] Some problems were encountered while processing the POMs:
[ERROR] Unresolveable build extension: Plugin de.rototor.jeuclid:build-tools:1.0.5 or one of its dependencies could not be resolved

I've searched for that dependency in maven central with no luck.

Does it sound familiar to you?

Thanks in advance!

[rototor]

build-tools is in the support directory. You have to first do a mvn install in there ...

No idea when to do a 3.1.15 release, I'm not using this project any more... And in all my projects I override the batik version anyway...

[jlosornogil]

Thanks @rototor, that's very helpful.

I'll try to build the project locally building the build-tools module first as you suggested.

Regarding the override of the batik version I'm afraid that is not working for me :( If I add your dependency v3.1.14 and override batik to 1.14 I receive ClassNotFoundException like this one:

java.lang.NoClassDefFoundError: org/apache/batik/w3c/dom/ElementTraversal

	at java.base/java.lang.ClassLoader.defineClass1(Native Method)
	at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1017)
	at java.base/java.security.SecureClassLoader.defineClass(SecureClassLoader.java:174)
	at org.apache.catalina.loader.WebappClassLoaderBase.findClassInternal(WebappClassLoaderBase.java:2484)
	at org.apache.catalina.loader.WebappClassLoaderBase.findClass(WebappClassLoaderBase.java:870)
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1371)
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1215)
	at net.sourceforge.jeuclid.DOMBuilder.applyTransform(DOMBuilder.java:214)
	at net.sourceforge.jeuclid.DOMBuilder.createJeuclidDom(DOMBuilder.java:196)
	at net.sourceforge.jeuclid.layout.JEuclidView.<init>(JEuclidView.java:86)
	at net.sourceforge.jeuclid.converter.Converter.render(Converter.java:326)
	at net.sourceforge.jeuclid.converter.ImageIOConverter.convert(ImageIOConverter.java:67)
	at net.sourceforge.jeuclid.converter.Converter.convert(Converter.java:246)

[rototor]

What IDE are you using? Are you sure, that the IDE correctly reimported the changed pom.xml? IDEA has sometimes troubles here and as far as I remember Eclipse was even worse... - IDEA has a "Reimport Maven" Action to fix such stuff.

This looks like a broken classpath problem to me.

[jlosornogil]

I'm using IntelliJ, but I'm facing the problem executing my integration tests from maven directly in the console and when I execute the project in Docker, so I'm pretty sure that is something not related to the IDE. Anyway, I'll try to build from the master branch to check if that version of the jeuclid lib do the trick.
Thanks for all your help @rototor !