Use original servlet-api 3.1.0 artefact instead of tomcat's copy

Gerrit uses tomcat's copy org.apache.tomcat:tomcat-servlet-api:8.5.23 of javax.servlet:javax.servlet-api:3.1.0. Earlier we used Jetty's copy of the servlet-api which was replaced by Tomcat's copy in change Ica04d0c19306da9afcadf3919581632f7df93483 This hurts us since Whitesource scans raise Tomcat 8.5.23 vulnerabilities for this dependency since it's not smart enough to recognize that we only use the Tomcat servlet-api artefact which has no vulnerability. Use the original servlet-api instead of Tomcat's copy to get rid of this issue. Change-Id: I800d8429f08894f29eb66a0627f50ed2e55e0d54 Release-Notes: Use original javax.servlet-api instead of tomcat's copy
GerritCodeReview · Apr 11, 2022 · d5f4ca7 · d5f4ca7
1 parent a523b96
commit d5f4ca7
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/WORKSPACE b/WORKSPACE
@@ -168,8 +168,8 @@ maven_jar(
 
 maven_jar(
     name = "servlet-api",
-    artifact = "org.apache.tomcat:tomcat-servlet-api:8.5.23",
-    sha1 = "021a212688ec94fe77aff74ab34cc74f6f940e60",
+    artifact = "javax.servlet:javax.servlet-api:3.1.0",
+    sha1 = "3cd63d075497751784b2fa84be59432f4905bf7c",
 )
 
 # JGit's transitive dependencies

diff --git a/java/com/google/gerrit/launcher/GerritLauncher.java b/java/com/google/gerrit/launcher/GerritLauncher.java
@@ -301,7 +301,7 @@ private static ClassLoader libClassLoader(boolean prologCompiler) throws IOExcep
     move(jars, "javax.inject-1.jar", extapi);
     move(jars, "aopalliance-1.0.jar", extapi);
     move(jars, "guice-servlet-", extapi);
-    move(jars, "tomcat-servlet-api-", extapi);
+    move(jars, "servlet-api-", extapi);
 
     ClassLoader parent = ClassLoader.getSystemClassLoader();
     if (!extapi.isEmpty()) {