Operational risk in opencsv
Brought to you by:
aruckerjones,
sconway
As part of the industry-standard security scan, an operational risk was found in the org.apache.commons:commons-collections4:4.4 library. This library is utilized as a transitive dependency by com.opencsv:opencsv:5.8. I would like to inquire if there are any intentions to release an updated version of com.opencsv:opencsv that resolves this identified operational risk.
What would you suggest we update to? 4.4 is still the newest version. I'm also familiar with security problems with 4.3, but not 4.4.
K - so I looked up the issues in the 4.4 version of commons-collections4 - https://mvnrepository.com/artifact/org.apache.commons/commons-collections4/4.4
The issue is from an older version of junit4 (4.12) which is a test scope dependency so it is not compiled into the system.
PLUS the website noted that the issue was fixed in 4.13.1. Because of our use of the junit5-vintage-engine we are pulling in a newer version of junit4.
mvn dependency:tree | grep junit
[INFO] +- org.junit.jupiter:junit-jupiter-api:jar:5.10.1:test
[INFO] | +- org.junit.platform:junit-platform-commons:jar:1.10.1:test
[INFO] +- org.junit.vintage:junit-vintage-engine:jar:5.10.1:test
[INFO] | +- org.junit.platform:junit-platform-engine:jar:1.10.1:test
[INFO] | - junit:junit:jar:4.13.2:test
[INFO] +- org.junit.jupiter:junit-jupiter-params:jar:5.10.1:test
[INFO] - org.junit.jupiter:junit-jupiter-engine:jar:5.10.1:test
So this is a non-issue for us.
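The triage above (look the flagged artifact up in `mvn dependency:tree`, check whether it only ever appears with `test` scope) is easy to script so it can be repeated for every finding a scanner raises. The following is an added example, not code from the ticket or from the opencsv project: it parses dependency-tree output and reports whether a given `groupId:artifactId` is test-only, reachable at runtime, or absent. The sample tree is constructed from the lines quoted in the ticket plus one made-up `commons-collections4 ... compile` line, added so that the runtime-reachable case is exercised; the function names `dep_scopes` and `dep_risk` are this example's own.

```shell
#!/bin/sh
# Added example (not part of the opencsv ticket): classify a flagged
# artifact by the Maven scopes it occurs in, using `mvn dependency:tree`
# output. Each tree line ends in groupId:artifactId:type[:classifier]:version:scope.

# Constructed sample: the junit lines quoted in the ticket, plus one
# hypothetical compile-scope line so the runtime case can be shown.
SAMPLE_TREE='[INFO] +- org.junit.jupiter:junit-jupiter-api:jar:5.10.1:test
[INFO] | +- org.junit.platform:junit-platform-commons:jar:1.10.1:test
[INFO] +- org.junit.vintage:junit-vintage-engine:jar:5.10.1:test
[INFO] | +- org.junit.platform:junit-platform-engine:jar:1.10.1:test
[INFO] | \- junit:junit:jar:4.13.2:test
[INFO] +- org.junit.jupiter:junit-jupiter-params:jar:5.10.1:test
[INFO] \- org.junit.jupiter:junit-jupiter-engine:jar:5.10.1:test
[INFO] \- org.apache.commons:commons-collections4:jar:4.4:compile'

# Print the distinct scopes in which groupId:artifactId occurs, one per line.
# Usage: dep_scopes "<tree text>" groupId:artifactId
dep_scopes() {
  printf '%s\n' "$1" |
    grep -F -- "- $2:" |            # both "+- " and "\- " branches end in "- "
    sed -E 's/.*:([a-z]+)$/\1/' |   # keep the trailing scope field
    sort -u
}

# Print one of: test-only / runtime-reachable / absent.
# Exit 1 for test-only (no action needed), 0 when the artifact can reach
# production code, 2 when it is not in the tree at all.
dep_risk() {
  scopes=$(dep_scopes "$1" "$2")
  if [ -z "$scopes" ]; then
    echo absent
    return 2
  fi
  # Any scope other than "test" (compile, runtime, provided, ...) ships.
  if printf '%s\n' "$scopes" | grep -qvx test; then
    echo runtime-reachable
    return 0
  fi
  echo test-only
  return 1
}

# Stand-alone run against the constructed sample; with a real build use:
#   mvn dependency:tree > tree.txt && dep_risk "$(cat tree.txt)" junit:junit
dep_risk "$SAMPLE_TREE" junit:junit
dep_risk "$SAMPLE_TREE" org.apache.commons:commons-collections4
```

Note that `mvn dependency:tree` only shows the dependencies of the module it runs in, so a test-only verdict holds for this project's build, not for every consumer of the published jar; a reused artifact would need the same check in each downstream build.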