ENTESB-15974 - CVE-2020-13936 velocity - upgrade to velocity 2.3+

[apupier]

unable to compile locally due to wrong productized versions so cannot test upgrade of velocity

[apupier]

there is no jobs for Pull request fo rthis project?

Someone was able to compile and launch test? Which steps needs to be done for that?

[tdiesler]

I had to revert this unfortunately. There is no org.apache.velocity:velocity-2.3 https://mvnrepository.com/artifact/org.apache.velocity/velocity

[tdiesler]

I thought this project was dead. Is it really necessary to upgrade to a potentially incompatible version of velocity?

[apupier]

as far as I know the project is not dead.

To discuss if it is necessary or not, I think it needs to be discussed on the issue https://issues.redhat.com/browse/ENTESB-15974 I think teh decision is up to the Product Management.

[luigidemasi]

@tdiesler this is the correct GAV

<dependency>
        <groupId>org.apache.velocity</groupId>
        <artifactId>velocity-engine-core</artifactId>
        <version>2.3</version>
</dependency>

https://mvnrepository.com/artifact/org.apache.velocity/velocity-engine-core

[tdiesler]

This should be fixed here https://github.com/jboss-fuse/wsdl2rest/commit/8cadca81187a0b7ce6acc7a6c9e89be5e0a8ed5a