Security framework of XStream not initialized, XStream is probably vulnerable.

[vladak]

From time to time I see the Security framework of XStream not initialized, XStream is probably vulnerable. warning in the Tomcat log. Not sure whether it needs to be addressed. For sure there is the xstream-1.4.12.jar file under the opengrok-web module.

[vladak]

https://stackoverflow.com/questions/44698296/security-framework-of-xstream-not-initialized-xstream-is-probably-vulnerable suggests this is something that should be taken care of in the direct consumer.

It seems that either jaxb-impl or chronicle-map use Xstream. The latter is more plausible given that the error messages tend to appear in the log in between suggester rebuild messages.

[oacnhpkqxjhufwumkkqnshvlmheokqv]

I'm seeing this in my logs too after deploying 1.5.10 in a staging environment.