Hi,
Disable ossindex-maven-plugin in the parent pom; the company behind it
has changed its business model to cause FUD so that people subscribe.
Alternatively, replace it with this (you may have to adjust the versions):
<plugin>
  <groupId>org.sonatype.ossindex.maven</groupId>
  <artifactId>ossindex-maven-plugin</artifactId>
  <version>3.2.0</version>
  <configuration>
    <excludeCoordinates>
      <!-- the link from ossindex "divide by zero" points to
           fixes that were made in 2.18.0 -->
      <exclude>
        <groupId>com.drewnoakes</groupId>
        <artifactId>metadata-extractor</artifactId>
        <version>2.18.0</version>
      </exclude>
      <exclude>
        <!-- sonatype https://github.com/google/guava/issues/4011 -->
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>31.1-jre</version>
      </exclude>
      <!-- sonatype points to a cve in 1.4.199 for this ?!
           https://www.exploit-db.com/exploits/49384
           https://codewhitesec.blogspot.com/2019/08/exploit-h2-database-native-libraries-jni.html
      -->
      <exclude>
        <groupId>com.h2database</groupId>
        <artifactId>h2</artifactId>
        <version>${h2.version}</version>
      </exclude>
      <exclude>
        <!-- CVE-2018-18928 does affect the java library, not just
             the c/c++ library, upon further research -->
        <groupId>com.ibm.icu</groupId>
        <artifactId>icu4j</artifactId>
        <version>${icu4j.version}</version>
      </exclude>
      <exclude>
        <groupId>io.netty</groupId>
        <artifactId>netty-handler</artifactId>
        <version>${netty.version}</version>
      </exclude>
      <exclude>
        <!-- the most recent cve in sonatype for this artifact is 2.11.0,
             not at all the version we're using... smh -->
        <groupId>xerces</groupId>
        <artifactId>xercesImpl</artifactId>
        <version>${xerces.version}</version>
      </exclude>
      <!-- no fix available as of 20220715
           (an <exclude> entry like the others, not a <dependency>) -->
      <exclude>
        <groupId>com.azure</groupId>
        <artifactId>azure-storage-blob</artifactId>
        <version>12.18.0</version>
      </exclude>
      <!-- these are used by the nlp-module -->
      <exclude>
        <groupId>org.apache.lucene</groupId>
        <artifactId>lucene-queryparser</artifactId>
        <version>4.0.0</version>
      </exclude>
      <exclude>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
        <version>1.2.17</version>
      </exclude>
      <!-- this one is used in tika-example -->
      <exclude>
        <!-- sonatype:
             https://github.com/apache/commons-dbcp/commit/a4c5af0da1de3a7f50c72fc7edaa1f653ca276dd -->
        <groupId>commons-dbcp</groupId>
        <artifactId>commons-dbcp</artifactId>
        <version>1.4</version>
      </exclude>
      <exclude>
        <!-- CVE-2022-2191 applies to jetty 10.0.0 thru 10.0.9,
             and 11.0.0 thru 11.0.9 -->
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-io</artifactId>
        <version>9.4.48.v20220622</version>
      </exclude>
    </excludeCoordinates>
    <fail>true</fail>
  </configuration>
  <executions>
    <execution>
      <id>audit-dependencies</id>
      <phase>validate</phase>
      <goals>
        <goal>audit</goal>
      </goals>
    </execution>
  </executions>
</plugin>
Tilman
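Added example (not code from this thread, from Tika or from the ossindex plugin): a small Python script that cross-checks a version-pinned excludeCoordinates block against the plugin's [ERROR] output. An exclusion only suppresses a finding when groupId, artifactId and version all match, so a pin for azure-storage-blob 12.18.0 does nothing for the 12.17.1 that the quoted build actually resolved, which is why the versions need adjusting. The script also flags exclusions the plugin reports as honoured, since each of those is a finding nobody will see again until someone re-checks it. The exclude fragment, the property values and the audit lines are constructed; the [ERROR] line layout (groupId:artifactId:type:version:scope; with no classifier) is assumed from the quoted output, and all function names are the example's own. A related caveat for the quoted attempt: `-Dossindex.fail=false` cannot override a `<fail>true</fail>` written into the POM's `<configuration>`, because a value configured in the POM takes precedence over the parameter's user property.

```python
"""Cross-check ossindex-maven-plugin excludeCoordinates against audit output.

Constructed sample data in the shape of the thread's snippets (not Tika's pom
or a real build log); the [ERROR] line layout is assumed from the quoted run.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_EXCLUDES_XML = """
<excludeCoordinates>
  <exclude>
    <groupId>com.azure</groupId>
    <artifactId>azure-storage-blob</artifactId>
    <version>12.18.0</version>
  </exclude>
  <exclude>
    <groupId>io.netty</groupId>
    <artifactId>netty-handler</artifactId>
    <version>${netty.version}</version>
  </exclude>
</excludeCoordinates>
"""
SAMPLE_PROPERTIES = {"netty.version": "4.1.77.Final"}  # stands in for <properties>
SAMPLE_AUDIT_LOG = """\
[ERROR] Detected 1 vulnerable components:
[ERROR] com.azure:azure-storage-blob:jar:12.17.1:compile;
[ERROR] * [CVE-2022-30187] CWE-200: Information Exposure (4.7);
[ERROR]
[ERROR] Excluded coordinates:
[ERROR] - io.netty:netty-handler:4.1.77.Final
"""

PROPERTY_RE = re.compile(r"\$\{([^}]+)\}")
# flagged component line: groupId:artifactId:type:version:scope;
COMPONENT_RE = re.compile(
    r"^\[ERROR\] (?P<g>[^:\s]+):(?P<a>[^:\s]+):[^:\s]+:(?P<v>[^:\s]+):[^:\s]+;\s*$")
CVE_RE = re.compile(r"^\[ERROR\] \* \[(?P<id>[^\]]+)\]")
# exclusion the plugin reports as honoured: groupId:artifactId:version
APPLIED_RE = re.compile(r"^\[ERROR\] - (?P<g>[^:\s]+):(?P<a>[^:\s]+):(?P<v>\S+)\s*$")


def resolve(value, properties):
    """Expand ${name} like Maven; an unresolved name is an error, because the
    literal text would stay in the pin and never match a real version."""
    def repl(match):
        name = match.group(1)
        if name not in properties:
            raise KeyError(f"unresolved Maven property ${{{name}}}")
        return properties[name]
    return PROPERTY_RE.sub(repl, value)


def parse_excludes(xml_text, properties):
    """Return {(groupId, artifactId): version} for every <exclude> entry."""
    excludes = {}
    for entry in ET.fromstring(xml_text.strip()).findall("exclude"):
        group = entry.findtext("groupId", "").strip()
        artifact = entry.findtext("artifactId", "").strip()
        version = resolve(entry.findtext("version", "").strip(), properties)
        if not (group and artifact and version):
            raise ValueError("exclude needs groupId, artifactId and version")
        excludes[(group, artifact)] = version
    return excludes


def parse_audit_log(text):
    """Return (flagged, applied): flagged maps (g, a) to the resolved version and
    vulnerability ids; applied maps (g, a) to the version of each exclusion the
    plugin confirms it honoured."""
    flagged, applied, current = {}, {}, None
    for line in text.splitlines():
        if m := COMPONENT_RE.match(line):
            current = (m["g"], m["a"])
            flagged[current] = {"version": m["v"], "ids": []}
        elif (m := CVE_RE.match(line)) and current is not None:
            flagged[current]["ids"].append(m["id"])
        elif m := APPLIED_RE.match(line):
            applied[(m["g"], m["a"])] = m["v"]
    return flagged, applied


def classify(excludes, flagged, applied):
    """EXCLUDED: pin equals the flagged version. STALE: pin exists for another
    version, so the build still fails. UNEXCLUDED: no pin at all. APPLIED: the
    plugin honoured the pin, so that finding is silenced and deserves a re-check
    on every dependency upgrade."""
    status = {}
    for coords, info in flagged.items():
        pinned = excludes.get(coords)
        if pinned is None:
            status[coords] = "UNEXCLUDED"
        elif pinned == info["version"]:
            status[coords] = "EXCLUDED"
        else:
            status[coords] = "STALE"
    for coords in applied:
        status.setdefault(coords, "APPLIED")
    return status


if __name__ == "__main__":
    ex = parse_excludes(SAMPLE_EXCLUDES_XML, SAMPLE_PROPERTIES)
    fl, ap = parse_audit_log(SAMPLE_AUDIT_LOG)
    for coords, state in classify(ex, fl, ap).items():
        print(f"{state:<10} {coords[0]}:{coords[1]}  pinned={ex.get(coords, '-')}")
```

Run it as-is to see the sample classified (azure-storage-blob comes out STALE, netty-handler APPLIED); to use it on a real build, paste the project's excludeCoordinates block and the `<properties>` values into the two sample variables and feed it the [ERROR] block from a failed `mvn` run. Treating an unresolved `${...}` as an error is deliberate: Maven keeps unresolved placeholders verbatim, so such a pin never matches and the build simply keeps failing.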
On 19.07.2022 at 00:58, Bansal, Anshuman wrote:
Hi Team,
I'm trying to install Tika 2.4.1 on a RHEL machine but am getting the error below.
Is there any easy way to skip the dependency auditing at compile time? Or a way
to update that library to resolve the security issues? I tried the command below,
but it did not help.
mvn clean install -Dossindex.fail=false
---------- Stacktrace ----------
[ERROR] Failed to execute goal
org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit
(audit-dependencies) on project tika-fetcher-az-blob: Detected 1 vulnerable
components:
[ERROR] com.azure:azure-storage-blob:jar:12.17.1:compile;
https://ossindex.sonatype.org/component/pkg:maven/com.azure/azure-storage-blob@12.17.1?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] * [CVE-2022-30187] CWE-200: Information Exposure (4.7);
https://ossindex.sonatype.org/vulnerability/CVE-2022-30187?component-type=maven&component-name=com.azure%2Fazure-storage-blob&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR]
[ERROR] Excluded coordinates:
[ERROR] - io.netty:netty-handler:4.1.77.Final
[ERROR]
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e
switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please
read the following articles:
[ERROR] [Help 1]
http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR] mvn <args> -rf :tika-fetcher-az-blob
Thanks,
Anshuman