author | Matthias Sohn <matthias.sohn@sap.com> | 2022-04-11 10:27:37 +0200 |
---|---|---|
committer | Matthias Sohn <matthias.sohn@sap.com> | 2022-04-11 13:28:00 +0200 |
commit | d5f4ca7711879ff7d87cbb06759dc410a3aaba99 (patch) | |
tree | e9c560d1be4913db3c85dd83fad533b17d86ddf1 | |
parent | a523b96484c1698b2a3b5e83fc78d55564c20aec (diff) |
Use original servlet-api 3.1.0 artefact instead of tomcat's copy
Gerrit uses tomcat's copy org.apache.tomcat:tomcat-servlet-api:8.5.23
of javax.servlet:javax.servlet-api:3.1.0. Earlier we used Jetty's copy
of the servlet-api which was replaced by Tomcat's copy in
change Ica04d0c19306da9afcadf3919581632f7df93483
This hurts us since Whitesource scans raise Tomcat 8.5.23
vulnerabilities for this dependency since it's not smart enough to
recognize that we only use the Tomcat servlet-api artefact which has
no vulnerability.
Use the original servlet-api instead of Tomcat's copy to get rid of
this issue.
Change-Id: I800d8429f08894f29eb66a0627f50ed2e55e0d54
Release-Notes: Use original javax.servlet-api instead of tomcat's copy
-rw-r--r-- | WORKSPACE | 4 | ||||
-rw-r--r-- | java/com/google/gerrit/launcher/GerritLauncher.java | 2 |
2 files changed, 3 insertions, 3 deletions
@@ -168,8 +168,8 @@ maven_jar(
 maven_jar(
 name = "servlet-api",
- artifact = "org.apache.tomcat:tomcat-servlet-api:8.5.23",
- sha1 = "021a212688ec94fe77aff74ab34cc74f6f940e60",
+ artifact = "javax.servlet:javax.servlet-api:3.1.0",
+ sha1 = "3cd63d075497751784b2fa84be59432f4905bf7c",
 )
 # JGit's transitive dependencies
diff --git a/java/com/google/gerrit/launcher/GerritLauncher.java b/java/com/google/gerrit/launcher/GerritLauncher.java
index f6c395e7b6..1999270bae 100644
--- a/java/com/google/gerrit/launcher/GerritLauncher.java
+++ b/java/com/google/gerrit/launcher/GerritLauncher.java
@@ -301,7 +301,7 @@ public final class GerritLauncher {
 move(jars, "javax.inject-1.jar", extapi);
 move(jars, "aopalliance-1.0.jar", extapi);
 move(jars, "guice-servlet-", extapi);
- move(jars, "tomcat-servlet-api-", extapi);
+ move(jars, "servlet-api-", extapi);
 ClassLoader parent = ClassLoader.getSystemClassLoader();
 if (!extapi.isEmpty()) { |
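Review bot: The `servlet-api` rule in WORKSPACE has no comment recording why the upstream `javax.servlet:javax.servlet-api` artifact is pinned instead of a container's repackaged copy, so a later cleanup could swap it back and reintroduce the scanner findings the commit message describes. A one-line comment above the rule would preserve that: `# Upstream javax.servlet-api on purpose: dependency scanners attribute a container's CVEs to its repackaged servlet-api jar.` Separately, the new pin is still a SHA-1 digest, which catches corruption but is a weak guard against a deliberately substituted jar. If this `maven_jar` rule accepts a stronger digest, it is worth adding here, and the value should be compared with the checksum the repository publishes rather than one computed from a local download.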
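Review bot: The new prefix `"servlet-api-"` in GerritLauncher.java may not match the jar this commit switches to. The removed line matched `tomcat-servlet-api-`, the old artifactId, which suggests packaged jars are named after the artifactId; the new jar would then be `javax.servlet-api-3.1.0.jar`, which does not begin with `servlet-api-`. If `move` (defined outside this hunk) does a starts-with match, the servlet API jar would silently stay out of `extapi` and be loaded by a different class loader than the other API jars moved here. Confirm the file name in the built WAR, and if it follows the artifactId use `move(jars, "javax.servlet-api-", extapi);`. The enclosing method starts and ends outside the hunk.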