[ https://issues.apache.org/jira/browse/HBASE-21143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16605225#comment-16605225 ]
Guangxu Cheng commented on HBASE-21143: --------------------------------------- [~busbey] [~mdrob] mind taking a look at it ? thanks > Update findbugs-maven-plugin to 3.0.4 > ------------------------------------- > > Key: HBASE-21143 > URL: https://issues.apache.org/jira/browse/HBASE-21143 > Project: HBase > Issue Type: Bug > Components: pom > Affects Versions: 3.0.0, 2.1.0, 2.2.0, 2.0.2 > Reporter: Guangxu Cheng > Assignee: Guangxu Cheng > Priority: Major > Attachments: HBASE-21143.master.001.patch > > > {code} > Failed to execute goal org.codehaus.mojo:findbugs-maven-plugin:3.0.0:findbugs > (default) on project hbase: Execution default of goal > org.codehaus.mojo:findbugs-maven-plugin:3.0.0:findbugs failed: Plugin > org.codehaus.mojo:findbugs-maven-plugin:3.0.0 or one of its dependencies > could not be resolved: Failed to collect dependencies at > org.codehaus.mojo:findbugs-maven-plugin:jar:3.0.0 -> > org.codehaus.groovy:groovy-all:jar:1.7.4: Failed to read artifact descriptor > for org.codehaus.groovy:groovy-all:jar:1.7.4: Could not transfer artifact > org.codehaus.groovy:groovy-all:pom:1.7.4 from/to mirror > (http://xxx.xxxx.xxx/nexus/content/groups/public): Failed to transfer file: > http://xxx.xxxx.xxx/nexus/content/groups/public/org/codehaus/groovy/groovy-all/1.7.4/groovy-all-1.7.4.pom. > Return code is: 418 , ReasonPhrase:Artifact is in Tencent Blacklist! Please > update to the safe version, more information: > http://xxx.xxxx.xxx/?tab=blackList. > {code} > Recently, when I compile HBase with a new machine, I got the above error. > Since the machine could not connect to the external network, we visited our > internal Maven repository, but org.codehaus.groovy:groovy-all:jar:1.7.4 was > added to the blacklist and could not be downloaded. See details, > org.codehaus.groovy:groovy-all:jar:1.7.4 is marked as vulnerable by > [CVE-2015-3253|https://www.cvedetails.com/cve/CVE-2015-3253], so we should > upgrade the version. > {code:xml} > <groupId>org.codehaus.mojo</groupId> > <artifactId>findbugs-maven-plugin</artifactId> > <version>3.0.0</version> > <!--NOTE: Findbugs 3.0.0 requires jdk7--> > <configuration> > > <excludeFilterFile>${project.basedir}/../dev-support/findbugs-exclude.xml</excludeFilterFile> > {code} > Look at the history commit record, findbugs-maven-plugin has been upgraded to > 3.0.4 in HBASE-18264, but one place is missing which still using the version > of 3.0.0. -- This message was sent by Atlassian JIRA (v7.6.3#76005)