NEXUS-30879: upgrade to use official xstream version 1.4.19 from Sonatype forked 1.4.6 release
Project: Dev - Nexus Repo

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.14.21, 2.15.0
    • Fix Version/s: 2.15.0
    • Component/s: Build
    • Story Points: 2
    • Release Note: Yes
    • Sprint: NXRM Immortals Sprint 29
    • Notability: 3
    • InvestmentLayer: support-escalated
    • Aha Concept: non-concept

    Description

    Eclipse Jetty upgrade (NEXUS-21370) has initiated an xstream dependency change from

      <dependency>
        <groupId>org.sonatype.nexus.xstream</groupId>
        <artifactId>xstream</artifactId>
        <version>1.4.6-SONATYPE-03</version>
      </dependency>

    to

      <dependency>
        <groupId>com.thoughtworks.xstream</groupId>
        <artifactId>xstream</artifactId>
        <version>1.4.16</version>
      </dependency>

    The custom Sonatype dependency in previous releases was a workaround for a known security vulnerability, as described in these articles:

    The official xstream has now switched to a whitelist approach by default (see https://x-stream.github.io/changes.html).

    Expected

    1. Determine the optimal version of xstream to upgrade to and explain why.
    2. Make any documentation changes in KB articles describing the impacts, if any, of using the new release of repo 2 with the xstream dependency upgrade.
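As an added illustration of what the whitelist default means for an application moving off the forked 1.4.6 line (this is example code, not code from this issue or from the Nexus project): with the official XStream on the classpath, deserializing an application type that has not been registered fails with ForbiddenClassException until that type is explicitly allowed. The Deployment class and the XML payload are constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;

public class XStreamAllowlistDemo {

    // Constructed application type; stands in for any class an app persists via XStream.
    public static class Deployment {
        String repositoryId;
        int artifactCount;
    }

    // Deserialize with XStream's default configuration: only core JDK types are
    // permitted, so an unregistered application type is rejected.
    public static boolean defaultRejectsUnknownType(String xml) {
        XStream xstream = new XStream();
        xstream.alias("deployment", Deployment.class); // naming only; grants no permission
        try {
            xstream.fromXML(xml);
            return false; // type was accepted, which the whitelist default should not do
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    // Same payload, with the application's own type explicitly allow-listed.
    public static Deployment readWithAllowlist(String xml) {
        XStream xstream = new XStream();
        xstream.alias("deployment", Deployment.class);
        // Allow only the concrete classes this application expects to read;
        // broad wildcards such as "**" would reopen the whole classpath.
        xstream.allowTypes(new Class[] { Deployment.class });
        return (Deployment) xstream.fromXML(xml);
    }

    public static void main(String[] args) {
        // Constructed sample payload.
        String xml = "<deployment><repositoryId>releases</repositoryId>"
                   + "<artifactCount>3</artifactCount></deployment>";
        System.out.println("default config rejects unregistered type: "
                + defaultRejectsUnknownType(xml));
        Deployment d = readWithAllowlist(xml);
        System.out.println("allow-listed read: " + d.repositoryId + ", " + d.artifactCount);
    }
}
```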

    People

    • Assignee: Unassigned
    • Reporter: plynch (Peter Lynch)
    • Last Updated By: Michael Oliverio
    • Team: NXRM - Optimus
    • Votes: 0
    • Watchers: 4
