Study on OSS maven library vulnerabilities: httpclient library

[raux]

Dear Github OSS Developer,

My name is Raula Kula, a research assistant prof at Osaka University, Japan. Currently I am studying the maintenance of Maven Libraries. I am currently focused on OSS vulnerabilities and the varying reasons for library migration.

As a part of my study I particularity focused on the commons-httpclient library. http://hc.apache.org/httpclient-3.x/ and the CVE-2012-5783 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783, announced on 11/04/2012 and revisited 11/24/2015, which affects versions up to 3.x.

We noticed that your project on Github is still configured to depend on a vulnerable version of fileupload (3.1) at {https://github.com/denimgroup/threadfix/blob/master/pom.xml}

We understand that there are many reasons for not migrating, thus we be appreciate if you could simply detail the following:

1. Were you aware of the vulnerability? If so, then how long ago.
2. What are some factors that influence you not to update.
3. Does you project employ a update strategy, to check and update versions of currently used libraries?

Also feel free to detail any other information to help us understand your decision. Again, thank you for taking your time off your busy schedule and hope to hear from you soon. Please note that we respect your confidentiality, so we will not disclose any personal details in the study.

Sincerely, Raula Kula