fhanik
commented
4 years ago Thank you. Would happily accept a PR
Open RobertRogers24 opened 4 years ago
fhanik
commented
4 years ago Thank you. Would happily accept a PR
RobertRogers24
commented
4 years ago I would love to help, but my knowledge of the project is very limited. I also am not sure as to how esapi is currently used within the product so I am unsure as to what dependencies are required vs what we consider optional. Based on maven these are all required dependencies however clearly, it doesn't need them all as it previously didn't in 1.1.0.0.
This was just to highlight the fact 6-7 new libraries are being pulled in that creates problems for applications that might have lower versions of these dependencies.
RobertRogers24
commented
4 years ago Happy to assist if given guidance though, but might be out of my depth.
So while upgrading from 1.0.9.RELEASE -> 1.0.10.RELEASE I noticed a significant number of new libraries pop up. When comparing the two tags https://github.com/spring-projects/spring-security-saml/compare/1.0.9.RELEASE...1.0.10.RELEASE#diff-357e4854869b2e21c38b1b437f11095a
I noticed that no changes were made to the exclusions, using gradle we can see the differences for esapi: 1.0.9.RELEASE
1.0.10.RELEASE
Looking at the POM exclusions, its clear that the groupId's have changed for a number of these libraries: xom changed to com.io7m.xom, commons-beanutils-core changed to: commons-beanutils
Just to name a few, although it isn't the end of the world I am looking for some reason as to why we might need these new libraries. Or maybe it was an oversight on upgrade, but adding these new libraries adds just another lib that could have a future CVE resulting in the need for upgrade.
I haven't checked them all, but these were the ones that I picked up on.