FINERACT-2089 Upgrade java dependencies/libraries #3906
Conversation
IOhacker
changed the title
| @@ -68,7 +68,7 @@ dependencyManagement { | |||
| exclude 'org.codehaus.groovy:groovy' | |||
| } | |||
| dependency 'org.apache.commons:commons-csv:1.10.0' | |||
| dependency 'org.quartz-scheduler:quartz:2.3.2' | |||
| dependency 'org.quartz-scheduler:quartz:2.5.0-rc1' | |||
There was a problem hiding this comment.
i dont think we should use RC version. I am not convinced the CVE is effecting us. I am still digesting it.
There was a problem hiding this comment.
About Quartz library I can see that they have not released any security fix and project seems to be abandoned
Anyway the last version is 2.5.0-rc1, so then the question is;
Should we use a Release Candidate version? If not should we keep using a library version released in 2019 ?
There was a problem hiding this comment.
We dont have quartz-job artifact, neither the class thats the CVE is talking about.
I dont think the reported CVE applies to us...
You might wanna discuss internally what steps we should do.
@vidakovic Any thoughts?
There was a problem hiding this comment.
Comments about the issue quartz-scheduler/quartz#943 for now I have rollbacked to the original version.
There was a problem hiding this comment.
@jdailey @vidakovic @adamsaghy I think this should be a false positive. Anyway the Quartz library maintenance/very low activity is a red flag, becaue the library now seems abandoned.
|
Can we remove quartz dependency? For now, let's keep the quartz dependency "as is" and make a note that this CVE doesn't apply. But didn't we already deprecate the quartz when we implemented Spring Batch and the COB concepts? |
No, quartz is used for scheduling the jobs. if we wanna remove, we need to have something to take care of scheduling. |
Description
FINERACT-2089 Upgrade java dependencies/libraries
Checklist
Please make sure these boxes are checked before submitting your pull request - thanks!
Write the commit message as per https://github.com/apache/fineract/#pull-requests
Acknowledge that we will not review PRs that are not passing the build ("green") - it is your responsibility to get a proposed PR to pass the build, not primarily the project's maintainers.
Create/update unit or integration tests for verifying the changes made.
Follow coding conventions at https://cwiki.apache.org/confluence/display/FINERACT/Coding+Conventions.
Add required Swagger annotation and update API documentation at fineract-provider/src/main/resources/static/legacy-docs/apiLive.htm with details of any API changes
Submission is not a "code dump". (Large changes can be made "in repository" via a branch. Ask on the developer mailing list for guidance, if required.)
FYI our guidelines for code reviews are at https://cwiki.apache.org/confluence/display/FINERACT/Code+Review+Guide.