Task
Resolution: Done
High
Policy Beijing RC1
BRMSGateway uses a dependency that is 7 years old and is no longer being maintained:
https://groups.google.com/a/glists.sonatype.com/forum/#!topic/nexus-users/cGbTrUJGEmQ
<!--
  CLM security fix - force use of commons-collections 3.2.2.
  Remove this if a new version of nexus-rest-client-java is upgraded
  to not use velocity (and then subsequently commons-collections v3.1)
-->
<dependency>
  <groupId>commons-collections</groupId>
  <artifactId>commons-collections</artifactId>
  <version>3.2.2</version>
</dependency>
<dependency>
  <groupId>org.sonatype.nexus</groupId>
  <artifactId>nexus-rest-client-java</artifactId>
  <version>2.3.1-01</version>
  <exclusions>
    <exclusion>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
    </exclusion>
  </exclusions>
</dependency>
This dependency pulls in several old Apache Commons libraries that have security issues. The commons-collections version could be overridden, but the httpclient version could not.
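One way to confirm that the exclusion and the forced 3.2.2 version took effect is to audit the text output of `mvn dependency:tree`. This is an added example, not code from the project. The two sample trees are constructed, and the `example:app` root and the `0.0.0` versions in them are placeholders.

```python
import re

# One node of `mvn dependency:tree` text output: tree-drawing prefix, then coordinates.
LINE = re.compile(r"^\[INFO\] ([|+\\\- ]*)(\S+:\S+)$")

def find_paths(tree_text, group, artifact):
    """Return [(version, [ancestor 'group:artifact', ...])] for each occurrence."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # banner, summary or blank line
        parts = m.group(2).split(":")
        if len(parts) < 4:
            continue
        depth = len(m.group(1)) // 3      # each tree level is drawn 3 characters wide
        # Root is group:artifact:type:version; children also carry a trailing scope.
        version = parts[-1] if depth == 0 else parts[-2]
        del stack[depth:]                 # drop siblings and deeper nodes
        if parts[0] == group and parts[1] == artifact:
            hits.append((version, list(stack)))
        stack.append(f"{parts[0]}:{parts[1]}")
    return hits

def audit(tree_text, group, artifact, required):
    """True only if the artifact is present and every occurrence is `required`."""
    hits = find_paths(tree_text, group, artifact)
    return bool(hits) and all(version == required for version, _ in hits)

# Constructed sample: tree without the override (3.1 arrives through velocity).
BEFORE = r"""[INFO] example:app:jar:0.0.0
[INFO] \- org.sonatype.nexus:nexus-rest-client-java:jar:2.3.1-01:compile
[INFO]    \- org.apache.velocity:velocity:jar:0.0.0:compile
[INFO]       \- commons-collections:commons-collections:jar:3.1:compile
"""

# Constructed sample: tree with the exclusion and the direct 3.2.2 dependency.
AFTER = r"""[INFO] example:app:jar:0.0.0
[INFO] +- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] \- org.sonatype.nexus:nexus-rest-client-java:jar:2.3.1-01:compile
[INFO]    \- org.apache.velocity:velocity:jar:0.0.0:compile
"""

if __name__ == "__main__":
    for name, tree in (("before", BEFORE), ("after", AFTER)):
        for version, path in find_paths(tree, "commons-collections", "commons-collections"):
            print(name, version, "via", " > ".join(path))
```

The same `find_paths` call with the httpclient coordinates shows which parent still brings in the library that could not be overridden.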