
Contributor
@iadcode iadcode commented Mar 2, 2021

…to remove outdated unnecessary compile time dependency.

When using java package libthrift 0.14.0, I've noticed a new compile time dependency for the package to tomcat-embedded-core. Upon reviewing, this package is quite old and is a security risk. When I looked at where and how this package is being used, I noticed that it's only referred to by crossTest and to provide access to the javax.servlet classes.

Since tomcat-embedded is only used in crossTests, I have moved it to crossTest configuration so the libthrift java package does not require this unnecessary dependency for compilation. Instead, the java-servlet dependency has been reintroduced in compile time. I've also taken this opportunity to update both dependencies to a later version.

…emove outdated unnecessary compile time dependency.

For the java libthrift, tomcat-embedded is only used in crossTests, I have moved it to crossTest configuration so the libthrift java package does not require this unnecessary dependency for compilation. Instead, the java-servlet dependency has been reintroduced in compile time. I've also taken this opportunity to update both dependencies to a later version.
@Jens-G Jens-G closed this in a8c041d Mar 2, 2021
Member

Jens-G commented Mar 3, 2021

It has been merged, not rejected.

@ecolinet

ecolinet commented May 4, 2021

Hi,

Can we expect a release for that fix ?

It's important for us since the imported tomcat-embed 8.5.46 contains a lot of CVEs (cf https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-887/version_id-200037/Apache-Tomcat-8.5.4.html).

Thanks,
Eric

@tomsfernandez

Hi! Any update on a release for this fix?

Member

Jens-G commented Jun 23, 2021

There are plans to release 0.15.0 in late summer.

@tomsfernandez

Hi @Jens-G. Just noticed there is a 0.14.2 release 6 days ago. Is this PR included in it?

Member

Jens-G commented Jun 24, 2021

I know, I prepared that release myself. It only contains two additional fixes on top of 0.14.1.
https://github.com/apache/thrift/blob/0.14.2/CHANGES.md

@Jens-G Jens-G changed the title Move java dependency tomcat-embed to the crossTest configuration... THRIFT-5375 Move java dependency tomcat-embed to the crossTest configuration... Jul 30, 2021

4 participants