
  • sjoshid86
    The problem is our sec scans raise red flags.
    But I'll take your word and add an exception.



  • Isomorphic
    There is no actual security vulnerability in Velocity 1.7 given the way SmartClient uses it - the only vulnerability is if you allow untrusted end users to directly edit Velocity templates, and SmartClient never does that.

    So there is no action that needs to be taken.

    However, if you end up struggling with someone who doesn't understand security and insists that Velocity be upgraded, then yes, you need to upgrade to SmartClient 13+


  • sjoshid86
    started a topic Smartclient 12 with Velocity 2.3

    Smartclient 12 with Velocity 2.3

    We have SmartClient 12.1p_2022-10-22, which comes with Velocity 1.7. But for security issues in that specific version of Velocity, we excluded it in the pom and added a newer version, Velocity 2.3.

    But now we are getting

    2023-07-05 20:39:22,727 ERROR (http-nio-8280-exec-5) [CustomIDACall] com.tnsi.serviceutils.web.servlet.CustomIDACall top-level exception
    java.lang.NoSuchMethodError: org.apache.velocity.context.Context.getKeys()[Ljava/lang/Object;
    at com.isomorphic.velocity.ISCReferenceInsertionEventHandler.<init>( ~[isomorphic-core-rpc-12.1-p20221022.jar:?]

    Replacing the compiled version is not ideal and I understand it. But is there something we can do (other than upgrading to v13, which I believe has Velocity 2.3) to circumvent the problem?