eclipse / vorto

Vorto Project
www.eclipse.org/vorto
Eclipse Public License 2.0

Analyze and act upon sonatype-2016-0064 impacting on recently upgraded AngularJS 1.7.9 and related components #2428

Open ghost opened 4 years ago

ghost commented 4 years ago

Following up on #2426, AngularJS has been upgraded to latest version in order to both resolve sonatype-2018-0005 and withdraw EF CQ 22120 on jQuery (the latter had been opened for weeks without interaction).

The change set has been merged to dev and awaits further testing.

Unfortunately, the framework upgrade triggered yet another CVE (sonatype-2016-0064, see bug report here) from our component scanning system.

There is no upgrade path at this time, since 1.7.9 is the latest (and probably last) version of AngularJS, although there may be patches applicable or workarounds, also including no action - if none required.

This task represents the requirement to analyze the actual threat posed by the CVE, and decide how to act upon it (whether to waive with resolution, or even without if no resolution is applicable, considering we want to move to a non-obsoleting UI framework in the medium run).

ghost commented 4 years ago

Worth noting, the "good" news regarding AngularJS 1.7.9 is that an EF CQ already exists here, so we could piggyback with no further action. The bad news is the CQ has been open since December 2019 and, as experience suggests, will take an unknown, yet likely very long amount of time to be processed. Therefore, the usual compromise applies, i.e. complying with industry standard security guidelines (aka fast threat remediation) over complying with the Eclipse Foundation's IP guidelines (aka waiting an indefinite but long amount of time to get a response on any given CQ).

ghost commented 4 years ago

Update here: there is a newer version of AngularJS now (1.8.0), but it only advertises a fix for jQLite, which we don't use.

Bottom line as before: