[ https://issues.apache.org/jira/browse/TIKA-3838?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17581125#comment-17581125 ]

Tilman Hausherr edited comment on TIKA-3838 at 8/18/22 3:56 AM:
----------------------------------------------------------------

Update these versions to current (1.12.281 yesterday). Also replace the ossindex part in the parent pom with this:
{code}
      <!-- to run just this: mvn ossindex:audit -Dossindex.fail=(true|false)
          Although, -Dossindex.fail doesn't seem to work for us -->
      <plugin>
        <groupId>org.sonatype.ossindex.maven</groupId>
        <artifactId>ossindex-maven-plugin</artifactId>
        <version>3.2.0</version>
        <configuration>
          <excludeCoordinates>
            <!-- the link from ossindex "divide by zero" points to fixes that were made in 2.18.0 -->
            <exclude>
              <groupId>com.drewnoakes</groupId>
              <artifactId>metadata-extractor</artifactId>
              <version>2.18.0</version>
            </exclude>
            <exclude>
              <!-- sonatype https://github.com/google/guava/issues/4011 -->
              <groupId>com.google.guava</groupId>
              <artifactId>guava</artifactId>
              <version>31.1-jre</version>
            </exclude>
            <exclude>
              <!-- CVE-2018-18928 does affect the java library not just the c/c++ library,
                   upon further research -->
              <groupId>com.ibm.icu</groupId>
              <artifactId>icu4j</artifactId>
              <version>${icu4j.version}</version>
            </exclude>
            <exclude>
              <groupId>io.netty</groupId>
              <artifactId>netty-handler</artifactId>
              <version>${netty.version}</version>
            </exclude>
            <exclude>
              <!-- the most recent cve in sonatype for this artifact is 2.11.0,
                   not at all the version we're using...smh -->
              <groupId>xerces</groupId>
              <artifactId>xercesImpl</artifactId>
              <version>${xerces.version}</version>
            </exclude>
            <!-- no fix available as of 20220715 -->
            <!-- children of excludeCoordinates are <exclude> elements; a <dependency>
                 element here is not an exclusion and the coordinate would not be skipped -->
            <exclude>
              <groupId>com.azure</groupId>
              <artifactId>azure-storage-blob</artifactId>
              <version>12.18.0</version>
            </exclude>
            <!-- these are used by the nlp-module -->
            <exclude>
              <groupId>org.apache.lucene</groupId>
              <artifactId>lucene-queryparser</artifactId>
              <version>4.0.0</version>
            </exclude>
            <exclude>
              <groupId>log4j</groupId>
              <artifactId>log4j</artifactId>
              <version>1.2.17</version>
            </exclude>
            <!-- this one is used in tika-example -->
            <exclude>
              <!-- sonatype: https://github.com/apache/commons-dbcp/commit/a4c5af0da1de3a7f50c72fc7edaa1f653ca276dd -->
              <groupId>commons-dbcp</groupId>
              <artifactId>commons-dbcp</artifactId>
              <version>1.4</version>
            </exclude>
          </excludeCoordinates>
          <fail>true</fail>
        </configuration>
        <executions>
          <execution>
            <id>audit-dependencies</id>
            <phase>validate</phase>
            <goals>
              <goal>audit</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
{code}


> Failure when building Tika 2.4.1 due to ossindex-maven-plugin warning
> ---------------------------------------------------------------------
>
>                 Key: TIKA-3838
>                 URL: https://issues.apache.org/jira/browse/TIKA-3838
>             Project: Tika
>          Issue Type: Bug
>          Components: build
>    Affects Versions: 2.4.1
>            Reporter: Bill Sterns
>            Priority: Major
>
> I'm getting a failure when building Tika 2.4.1 due to a vulnerability warning. The build fails when building tika-transcribe-aws.
>
> I downloaded tika-2.4.1-src.zip, extracted the contents, then ran "mvn clean install -Dmaven.wagon.http.ssl.insecure=true -DskipTests" to build Tika. The failure is below:
>
> [INFO] ----------------< org.apache.tika:tika-transcribe-aws >-----------------
> [INFO] Building Apache Tika transcribe aws 2.4.1                         [1/52]
> [INFO] -------------------------------[ bundle ]-------------------------------
> [INFO]
> [INFO] --- ossindex-maven-plugin:3.2.0:audit (audit-dependencies) @ tika-transcribe-aws ---
> [INFO] Checking for vulnerabilities; 26 artifacts
> [INFO] Exclude coordinates: [com.ibm.icu:icu4j:62.2, com.google.guava:guava:31.1-jre, org.apache.lucene:lucene-queryparser:4.0.0, com.drewnoakes:metadata-extractor:2.18.0, io.netty:netty-handler:4.1.77.Final, log4j:log4j:1.2.17, xerces:xercesImpl:2.12.2, com.h2database:h2:2.1.212, commons-dbcp:commons-dbcp:1.4]
> [INFO] Exclude vulnerability identifiers: []
> [INFO] CVSS-score threshold: 0.0
> [INFO] ------------------------------------------------------------------------
> [INFO] Reactor Summary for Apache Tika 2.4.1:
> [INFO] Apache Tika transcribe aws ......................... FAILURE [  0.814 s]
> ...
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD FAILURE
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time:  3.645 s
> [INFO] Finished at: 2022-08-17T16:52:44-05:00
> [INFO] ------------------------------------------------------------------------
> [ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (audit-dependencies) on project tika-transcribe-aws: Detected 1 vulnerable components:
> [ERROR]   com.amazonaws:aws-java-sdk-s3:jar:1.12.237:compile; https://ossindex.sonatype.org/component/pkg:maven/com.amazonaws/aws-java-sdk-s3@1.12.237?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
> [ERROR]     * [CVE-2022-31159] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2022-31159?component-type=maven&component-name=com.amazonaws%2Faws-java-sdk-s3&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
> [ERROR]
> [ERROR] -> [Help 1]
> [ERROR]
> [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
> [ERROR] Re-run Maven using the -X switch to enable full debug logging.
> [ERROR]
> [ERROR] For more information about the errors and possible solutions, please read the following articles:
> [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
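Added example, not part of the issue or of Tika's build: a small Python parser for the ossindex-maven-plugin output quoted above. It pulls out the vulnerable components with their CVEs and CVSS scores (what the plugin compares against its CVSS-score threshold) and the exclude list, and then flags version-pinned excludes that no longer match what the build actually resolves, which is why a bump such as 1.12.237 to 1.12.281 has to be kept in step with the pom's exclusions. The sample log and its URLs are constructed; `stale_excludes` and its `resolved` mapping are this example's own helpers, not plugin features.

```python
import re
from dataclasses import dataclass, field

# Patterns for the three ossindex-maven-plugin output lines shown in the issue.
EXCLUDE_RE = re.compile(r"Exclude coordinates: \[(?P<list>[^\]]*)\]")
COMPONENT_RE = re.compile(
    r"^\[ERROR\]\s+(?P<g>[^:\s]+):(?P<a>[^:\s]+):[^:\s]+:(?P<v>[^:\s]+):\w+;")
VULN_RE = re.compile(
    r"^\[ERROR\]\s+\*\s+\[(?P<id>[^\]]+)\]\s+(?P<title>.*?)\s+\((?P<score>[\d.]+)\);")

@dataclass
class Finding:
    group_id: str
    artifact_id: str
    version: str
    vulns: list = field(default_factory=list)  # (vuln_id, cvss, title)

    @property
    def max_cvss(self):  # what the plugin compares against its CVSS-score threshold
        return max((score for _, score, _ in self.vulns), default=0.0)

def parse_audit_log(text):
    """Return (findings, excluded coordinates) parsed from the plugin's console output."""
    findings, excluded, current = [], set(), None
    for line in text.splitlines():
        if m := EXCLUDE_RE.search(line):
            excluded = {c.strip() for c in m["list"].split(",") if c.strip()}
        elif m := COMPONENT_RE.match(line):  # one line per vulnerable component ...
            current = Finding(m["g"], m["a"], m["v"])
            findings.append(current)
        elif (m := VULN_RE.match(line)) and current is not None:  # ... then its CVEs
            current.vulns.append((m["id"], float(m["score"]), m["title"]))
    return findings, excluded

def stale_excludes(excluded, resolved):
    """Excludes whose pinned version differs from the resolved one (resolved maps
    'groupId:artifactId' to the classpath version, e.g. from mvn dependency:list)."""
    stale = []
    for coord in sorted(excluded):
        group, artifact, version = coord.split(":")
        if resolved.get(f"{group}:{artifact}", version) != version:
            stale.append(coord)  # exclusion silently stopped matching after a bump
    return stale

# Constructed sample modelled on the build output quoted in the issue; URLs are placeholders.
SAMPLE_LOG = """\
[INFO] Exclude coordinates: [com.ibm.icu:icu4j:62.2, xerces:xercesImpl:2.12.2]
[ERROR]   com.amazonaws:aws-java-sdk-s3:jar:1.12.237:compile; https://ossindex.invalid/component
[ERROR]     * [CVE-2022-31159] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (6.5); https://ossindex.invalid/vulnerability
"""
```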



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
