Gitiles
Code Review Sign In
gerrit.nordix.org / onap / policy / engine / caead0115fa286d6796ad749464e8df09f383338^! / . / ONAP-XACML
commitcaead0115fa286d6796ad749464e8df09f383338[log] [tgz]
authorPamela Dragosh <pdragosh@research.att.com>Thu Mar 01 18:00:06 2018 -0500
committerPamela Dragosh <pdragosh@research.att.com>Thu Mar 01 18:00:16 2018 -0500
tree70ad5bb9eed2948a46f0a8e041187aa9fdbd3407
parent96787c49cd192096916e482e5b55e91652de3817 [diff]
Remove CLM issues with commons-collections

We know that we are not configuring an LDAP PIP in our
use of the XACML open source. The LDAP implementation
uses Apache Velocity, which uses a very old version
of commons-collections that has security issues. So
we can exclude commons-collections from the build.

Issue-ID: POLICY-507
Change-Id: I735eae4fe507ad016d9b0b49e67536415edb9820
Signed-off-by: Pamela Dragosh <pdragosh@research.att.com>

diff --git a/ONAP-XACML/pom.xml b/ONAP-XACML/pom.xml
index c399e3f..b6f12c0 100644
--- a/ONAP-XACML/pom.xml
+++ b/ONAP-XACML/pom.xml

@@ -83,6 +83,15 @@
 			<groupId>com.att.research.xacml</groupId>
 			<artifactId>xacml</artifactId>
 			<version>1.0.1</version>
+            <exclusions>
+            <!-- The LDAP PIP uses velocity which pulls this insecure jar in. We
+            are not using that PIP and can safely exclude this jar to resolve CLM issue.
+             -->
+              <exclusion>
+                <groupId>commons-collections</groupId>
+                <artifactId>commons-collections</artifactId>
+              </exclusion>
+            </exclusions>
 		</dependency>
 	</dependencies>
 </project>