From mmlal at yahoo.com Sat Dec 22 02:08:26 2018
From: mmlal at yahoo.com (Rajan Gupta)
Date: Sat, 22 Dec 2018 02:08:26 +0000 (UTC)
Subject: [GPC] Risk of packaging Pom.xml
References: <2130556760.8068576.1545444506689.ref@mail.yahoo.com>
Message-ID: <2130556760.8068576.1545444506689@mail.yahoo.com>

Hello Security Professionals,

As many of you might know, Maven packages Pom.xml into the jar file which is deployed in production. Pom.xml contains all the open source libraries that an application uses. Is this a risk, since now a hacker can pull Pom.xml from websites and now has information on the list of open source software which a website uses? A hacker can now wait patiently for an exploit of one of the open source libraries used by the website to be announced and hack the website through a known exploit. There is no good reason for Pom.xml to be in the jar file, and just by easily removing Pom.xml one can find easily what is inside instead of unbundling the jar to look inside. What is your view on leaving Pom.xml as unnecessary information in a production website which provides information about the website?

Thanks,
Lal
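The descriptor the poster is talking about lives under `META-INF/maven/<groupId>/<artifactId>/` inside the built jar (a `pom.xml` and a `pom.properties`), and the maven-jar-plugin emits it by default; setting `<addMavenDescriptor>false</addMavenDescriptor>` in the plugin's `<archive>` configuration turns it off. The following is an added audit script written for this thread, not code from the list, the poster, or the Maven project: it builds a constructed in-memory jar (placeholder coordinates, fake class bytes) in both the default and the descriptor-free form, reports any Maven descriptor entries present, and parses the embedded `pom.xml` to show exactly which dependency coordinates the artifact would disclose.

```python
"""Audit a built jar for the Maven descriptor (META-INF/maven/.../pom.xml) that
the maven-jar-plugin adds by default, and list the dependency coordinates it
would disclose. Added example for this thread, not code from the list or from
Maven; the jar below is constructed in memory for the demo."""
import io
import xml.etree.ElementTree as ET
import zipfile

MAVEN_DESCRIPTOR_PREFIX = "META-INF/maven/"

# Constructed sample pom.xml (not a real project); all coordinates are placeholders.
SAMPLE_POM = b"""<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.example.lib</groupId>
      <artifactId>example-lib</artifactId>
      <version>2.3.4</version>
    </dependency>
    <dependency>
      <groupId>org.example.util</groupId>
      <artifactId>example-util</artifactId>
      <version>0.9.1</version>
    </dependency>
  </dependencies>
</project>
"""


def build_sample_jar(include_descriptor: bool = True) -> bytes:
    """Build a minimal jar in memory, mimicking what maven-jar-plugin emits
    with addMavenDescriptor=true (the default) or addMavenDescriptor=false."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")  # fake class bytes
        if include_descriptor:
            base = "META-INF/maven/com.example/demo-app/"
            jar.writestr(base + "pom.xml", SAMPLE_POM)
            jar.writestr(base + "pom.properties",
                         "groupId=com.example\nartifactId=demo-app\nversion=1.0.0\n")
    return buf.getvalue()


def find_maven_descriptors(jar_bytes: bytes) -> list[str]:
    """Return every entry under META-INF/maven/ (pom.xml, pom.properties)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(n for n in jar.namelist() if n.startswith(MAVEN_DESCRIPTOR_PREFIX))


def disclosed_dependencies(jar_bytes: bytes) -> list[tuple[str, str, str]]:
    """Parse each embedded pom.xml and return the (groupId, artifactId, version)
    coordinates it reveals, so you can see what your artifact ships to production."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in find_maven_descriptors(jar_bytes):
            if not name.endswith("pom.xml"):
                continue
            root = ET.fromstring(jar.read(name))
            for dep in root.findall("m:dependencies/m:dependency", ns):
                found.append((
                    dep.findtext("m:groupId", default="", namespaces=ns),
                    dep.findtext("m:artifactId", default="", namespaces=ns),
                    dep.findtext("m:version", default="", namespaces=ns),
                ))
    return found


if __name__ == "__main__":
    leaky = build_sample_jar(include_descriptor=True)
    clean = build_sample_jar(include_descriptor=False)
    print("descriptors in default build:", find_maven_descriptors(leaky))
    print("dependencies disclosed:", disclosed_dependencies(leaky))
    print("descriptors with addMavenDescriptor=false:", find_maven_descriptors(clean))
```

To run it against a real artifact, replace the constructed jar with `open("app.jar", "rb").read()`. Note that stripping the descriptor only reduces disclosure; the library versions still ship as class files and can often be fingerprinted from them, so the actual control is keeping dependencies patched, with descriptor removal as defence in depth.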