Currently, the artifact uk.gov.nationalarchives:droid-container:6.7.0 has a dependency on commons-httpclient:commons-httpclient:3.1. IntelliJ IDEA flags this as having the following problems:
Closer inspection tells me that it's the class uk.gov.nationalarchives.droid.container.httpservice.ContainerSignatureHttpService that is dependent on commons-httpclient. And as far as I can tell, no other classes in the droid artifacts (droid-api, droid-container, droid-core, droid-core-interfaces, droid-parent) have any dependency on that class.
I use the artifact droid-api (and thus droid-container) as a library in software that we develop and I'm pretty sure that the class ContainerSignatureHttpService is never used, so nor is the dependency commons-httpclient. All in all the problem seems relatively small.
Still, it might be nice to refactor the mentioned class to use a newer version of HttpClient (say, 4.x or even 5.x).
Thanks for pointing it out. Droid uses the dependency-check-maven plugin and the build fails if the vulnerability is severe. Looks like one of them is missing out on score.