
    velocity templates in SmartGWT

    Hi,

    We're still on SmartGWT 6.1 - and Black Duck flagged Velocity 1.7 for a security vulnerability.
    Looks like the 1.7 version is the tip and is also used in SmartGWT 12.1 - so I suppose the question is, is there a plan to mitigate this?

    Thank you!


    #2
    Hi smartiro,

    The Velocity issue applies to end-user-editable Velocity templates, which SmartGWT does not use (we have only developer-editable templates), so there is no vulnerability here.

    Nevertheless, we have one customer where their security team was unable to understand the distinction between end-user-editable and developer-editable templates and was willing to use Feature Sponsorship to have Velocity upgraded. That’s coming in 13.0, but since there is no actual security issue, it will not be backported.

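    The distinction drawn in #2 is easiest to see as two call shapes. The following is an added example, not SmartGWT's or Velocity's own code: the first method renders a developer-authored template (an assumed file `greeting.vm` on the engine's default resource path, e.g. `Hello, $name!`) with untrusted input placed only in the context; the second parses an untrusted string as VTL, which is the end-user-editable usage the Velocity issue concerns. Reviewing a code base for the second shape (`evaluate(...)` fed from user input) is the practical check a security team can run instead of treating every Velocity dependency as affected.

```java
import java.io.StringWriter;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

/**
 * Added example (not SmartGWT's code). Shows the two ways untrusted data can
 * meet a Velocity template: as context data (developer-editable template) or
 * as the template text itself (end-user-editable template).
 * Assumption: "greeting.vm" exists on the engine's default resource path.
 */
public class TemplateTrustBoundary {

    private final VelocityEngine engine;

    public TemplateTrustBoundary() {
        engine = new VelocityEngine();
        engine.init(); // default configuration; assumed to resolve greeting.vm
    }

    /**
     * Developer-editable template: the VTL comes from a file the developers
     * control, and the user-supplied value is only ever data in the context.
     * This is the usage pattern SmartGWT relies on.
     */
    public String renderGreeting(String untrustedName) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", untrustedName);              // user input is data, never VTL
        Template template = engine.getTemplate("greeting.vm");
        StringWriter out = new StringWriter();
        template.merge(ctx, out);
        return out.toString();
    }

    /**
     * End-user-editable template: the untrusted string is parsed and executed
     * as VTL. This is the shape the Velocity issue applies to, and the one to
     * look for when auditing a code base; SmartGWT does not use it.
     */
    public String renderUserTemplate(String untrustedTemplateText) {
        VelocityContext ctx = new VelocityContext();
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "user-template", untrustedTemplateText);
        return out.toString();
    }
}
```

    The security review question is therefore not "is Velocity 1.7 on the classpath" but "does any `evaluate`/`getTemplate` call receive template text that an end user can author"; for SmartGWT's own templates the answer given in #2 is no.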


      #3
      Thank you very much for quick response.

      If you have already decided on an alternative solution to be delivered in 13.0 please share - always good to have extra upgrade justification line items :)

      Thank you!



        #4
        It’s not an alternative solution, it’s just the next version of Velocity, which was not backwards compatible, so code changes were required.



          #5
          Hello, has someone already noticed that there are breaking changes which may impact developer code?
          For now I've found:
          • the #foreach predefined references $velocityCount and $velocityHasNext have been removed. Use $foreach.count (1-based), $foreach.index (0-based) and foreach.hasNext().
          from:
          https://velocity.apache.org/engine/2.0/upgrading.html
          Last edited by claudiobosticco; 21 Jan 2022, 04:25.



            #6
            It is expected that Velocity usage may need to be reviewed for compatibility with the new version. Most of the changes were introduced in version 2.0, but it is recommended to review the changes for each version since 1.7, especially the VTL and behavior/API sections: https://velocity.apache.org/engine/2.3/upgrading.html and https://velocity.apache.org/tools/3.1/upgrading.html.

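            The compatibility review recommended in #6 can be started mechanically for the breaking change quoted in #5. The following is an added example, not Velocity's or SmartGWT's code: it scans template text for the removed `#foreach` references `$velocityCount` and `$velocityHasNext`, reports each occurrence with its line number and the 2.x replacement, and rewrites them, keeping the formal `${...}` notation where the original used it and leaving longer identifiers such as `$velocityCountTotal` untouched. The sample template in `main` is constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not Velocity's or SmartGWT's code): locates and rewrites the
 * #foreach references removed in Velocity 2.0, as listed in the upgrading
 * notes quoted in this thread. Requires Java 9+ (Map.of, StringBuilder
 * overload of appendReplacement).
 */
public class ForeachReferenceMigrator {

    // Removed 1.7 reference name -> 2.x replacement (from the upgrading notes).
    private static final Map<String, String> REPLACEMENTS = Map.of(
        "velocityCount",   "foreach.count",
        "velocityHasNext", "foreach.hasNext()");

    // Matches $velocityCount and ${velocityCount} (likewise velocityHasNext),
    // but not a longer identifier such as $velocityCountTotal.
    private static final Pattern REMOVED = Pattern.compile(
        "\\$(\\{)?(velocityCount|velocityHasNext)\\}?(?![A-Za-z0-9_])");

    /** One finding per occurrence, formatted "line N: $old -> $new". */
    public static List<String> findRemovedReferences(String template) {
        List<String> findings = new ArrayList<>();
        String[] lines = template.split("\n", -1);
        for (int i = 0; i < lines.length; i++) {
            Matcher m = REMOVED.matcher(lines[i]);
            while (m.find()) {
                String name = m.group(2);
                findings.add("line " + (i + 1) + ": $" + name
                             + " -> $" + REPLACEMENTS.get(name));
            }
        }
        return findings;
    }

    /** Rewrites removed references, preserving ${...} notation where it was used. */
    public static String migrate(String template) {
        Matcher m = REMOVED.matcher(template);
        StringBuilder sb = new StringBuilder();
        while (m.find()) {
            String replacement = REPLACEMENTS.get(m.group(2));
            boolean formal = m.group(1) != null;           // ${...} form in the source
            String rewritten = formal ? "${" + replacement + "}" : "$" + replacement;
            m.appendReplacement(sb, Matcher.quoteReplacement(rewritten));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a 1.7-era template relying on the removed references.
        String template = String.join("\n",
            "#foreach($item in $items)",
            "  ${velocityCount}. $item#if($velocityHasNext),#end",
            "#end",
            "Total seen: $velocityCountTotal");   // unrelated identifier, left alone

        findRemovedReferences(template).forEach(System.out::println);
        System.out.println("--- migrated ---");
        System.out.println(migrate(template));
    }
}
```

            Because the `$foreach` scope already exists in Velocity 1.7, templates rewritten this way run unchanged on the current engine, so the template clean-up can be done and tested before the engine itself is upgraded. A scan like this covers only the one removed-reference change; the other VTL and API differences in the linked upgrading notes still need a manual review.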