Hi,
Our plugin works on Jira Software, including versions 7.x, 8.x, and 9.x. We are trying to upgrade the org.apache.commons:commons-compress:1.21 library for security reasons. It is currently included as a compile-scoped dependency in our pom.xml. This vulnerability is fixed in the 1.26.x versions, and as a solution, we are trying to use version 1.26.2 in pom.xml as provided-scoped. This solution works fine for Jira Software versions 8.x and later.
But for Jira Software 7, one of our plugin's functionalities that depends on this library is broken due to the following error:
Caused by: java.lang.NoClassDefFoundError: org/apache/commons/compress/utils/InputStreamStatistics
We understand that the Jira Software 7.x runtime environment uses older commons-compress library versions. Given that, when we add the latest version 1.26.2 with compile scope to pom.xml, the AMPS banned dependency validation fails for the following libraries: commons-io:commons-io and org.apache.commons:commons-lang3. Even if we configure these dependencies as banningExcludes in the jira-maven-plugin configuration, the mvn install step passes but the plugin is not installed successfully.
Is it possible to add the org.apache.commons:commons-compress:1.26.2 dependency to the Jira Software 7.x runtime dependencies, or do you have any other solution to recommend for the Jira Software 7.x versions?
Thanks,