author Pamela Dragosh <pdragosh@research.att.com> 2018-03-01 17:11:20 -0500
committer Pamela Dragosh <pdragosh@research.att.com> 2018-03-01 17:11:27 -0500
commit c11d90593b95f03f4b555af0c10ddf3bb2b262c1 (patch)
tree f145c8e67408417751caff7c33d9f06253a9cf91 /controlloop/packages
parent cfe2c6e071f5e43ad01f470a3c87230dd1e1fe13 (diff)
Remove CLM issues with commons-collections
We know that we are not configuring an LDAP PIP in our use of the XACML open source. The LDAP implementation uses Apache Velocity, which uses a very old version of commons-collections that has security issues. So we can exclude commons-collections from the build.

Issue-ID: POLICY-504
Change-Id: I6d90731e601f58c8edaca6fe02df30ee2a090c2f
Signed-off-by: Pamela Dragosh <pdragosh@research.att.com>
Diffstat (limited to 'controlloop/packages')
-rw-r--r-- controlloop/packages/artifacts/pom.xml 9
1 files changed, 9 insertions, 0 deletions
diff --git a/controlloop/packages/artifacts/pom.xml b/controlloop/packages/artifacts/pom.xml
index 0965fa034..3b49a75ce 100644
--- a/controlloop/packages/artifacts/pom.xml
+++ b/controlloop/packages/artifacts/pom.xml
@@ -190,6 +190,15 @@
<artifactId>xacml-pdp</artifactId>
<version>1.0.1</version>
<type>jar</type>
+ <exclusions>
+ <!-- The LDAP PIP uses velocity which pulls this insecure jar in. We
+ are not using that PIP and can safely exclude this jar to resolve CLM issue.
+ -->
+ <exclusion>
+ <groupId>commons-collections</groupId>
+ <artifactId>commons-collections</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
</dependencies>
</project>
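Review bot: The `<exclusion>` added under the xacml-pdp dependency removes commons-collections but not Velocity, the component the comment says pulls it in, so the change is only safe as long as the comment's claim holds that the LDAP PIP is never used; if that code path is ever loaded, it will fail at runtime with a missing class rather than at build time. Since Velocity is the unused piece, consider excluding it in the same `<exclusions>` block as well. The exclusion also covers only this one dependency path, so commons-collections can still arrive through another dependency of this pom: confirm with `mvn dependency:tree -Dincludes=commons-collections`, and consider a maven-enforcer `bannedDependencies` rule so the jar cannot return unnoticed.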