Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Study on OSS maven library vulnerabilities: httpclient library #111

Open
raux opened this issue Sep 29, 2016 · 0 comments
Open

Study on OSS maven library vulnerabilities: httpclient library #111

raux opened this issue Sep 29, 2016 · 0 comments

Comments

@raux
Copy link

raux commented Sep 29, 2016

Dear Github OSS Developer,

My name is Raula Kula, a research assistant prof at Osaka University, Japan. Currently I am studying the maintenance of Maven Libraries. I am currently focused on OSS vulnerabilities and the varying reasons for library migration.

As a part of my study I particularity focused on the commons-httpclient library. http://hc.apache.org/httpclient-3.x/ and the CVE-2012-5783 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783, announced on 11/04/2012 and revisited 11/24/2015, which affects versions up to 3.x.

We noticed that your project on Github is still configured to depend on a vulnerable version of fileupload (3.1) at {https://github.com/skyscreamer/nevado/blob/master/nevado-jms/pom.xml}

We understand that there are many reasons for not migrating, thus we be appreciate if you could simply detail the following:

  1. Were you aware of the vulnerability? If so, then how long ago.
  2. What are some factors that influence you not to update.
  3. Does you project employ a update strategy, to check and update versions of currently used libraries?

Also feel free to detail any other information to help us understand your decision. Again, thank you for taking your time off your busy schedule and hope to hear from you soon.
Please note that we respect your confidentiality, so we will not disclose any personal details in the study.

Sincerely,
Raula Kula

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant