[ https://issues.apache.org/jira/browse/MDEP-626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16770234#comment-16770234 ]

Karl Heinz Marbaise commented on MDEP-626:
------------------------------------------

So I have taken a look into the dependency tree:
{code}
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ maven-dependency-plugin ---
[INFO] org.apache.maven.plugins:maven-dependency-plugin:maven-plugin:3.1.2-SNAPSHOT
[INFO] +- org.apache.maven:maven-compat:jar:3.0:test
[INFO] |  +- org.apache.maven:maven-model-builder:jar:3.0:compile
[INFO] |  +- org.apache.maven:maven-settings:jar:3.0:compile
[INFO] |  +- org.sonatype.sisu:sisu-inject-plexus:jar:1.4.2:compile
[INFO] |  |  \- org.sonatype.sisu:sisu-inject-bean:jar:1.4.2:compile
[INFO] |  |     \- org.sonatype.sisu:sisu-guice:jar:noaop:2.1.7:compile
[INFO] |  +- org.codehaus.plexus:plexus-component-annotations:jar:1.7.1:compile
[INFO] |  \- org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-6:compile
[INFO] +- org.apache.maven:maven-artifact:jar:3.0:compile
[INFO] +- org.apache.maven:maven-plugin-api:jar:3.0:compile
[INFO] +- org.apache.maven:maven-model:jar:3.0:compile
[INFO] +- org.apache.maven:maven-core:jar:3.0:compile
[INFO] |  +- org.apache.maven:maven-settings-builder:jar:3.0:compile
[INFO] |  +- org.apache.maven:maven-aether-provider:jar:3.0:runtime
[INFO] |  +- org.sonatype.aether:aether-impl:jar:1.7:compile
[INFO] |  +- org.sonatype.aether:aether-api:jar:1.7:compile
[INFO] |  +- org.sonatype.aether:aether-util:jar:1.7:compile
[INFO] |  +- org.codehaus.plexus:plexus-classworlds:jar:2.2.3:compile
[INFO] |  \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3:compile
[INFO] |     \- org.sonatype.plexus:plexus-cipher:jar:1.4:compile
[INFO] +- org.apache.maven:maven-repository-metadata:jar:3.0:compile
[INFO] +- org.apache.maven.reporting:maven-reporting-api:jar:3.0:compile
[INFO] +- org.apache.maven.reporting:maven-reporting-impl:jar:2.3:compile
[INFO] |  +- org.apache.maven.doxia:doxia-core:jar:1.2:compile
[INFO] |  |  +- xerces:xercesImpl:jar:2.9.1:compile
[INFO] |  |  |  \- xml-apis:xml-apis:jar:1.3.04:compile
[INFO] |  |  \- org.apache.httpcomponents:httpclient:jar:4.0.2:compile
[INFO] |  |     \- org.apache.httpcomponents:httpcore:jar:4.0.1:compile
[INFO] |  \- commons-validator:commons-validator:jar:1.3.1:compile
[INFO] |     +- commons-beanutils:commons-beanutils:jar:1.7.0:compile
[INFO] |     +- commons-digester:commons-digester:jar:1.6:compile
[INFO] |     \- commons-logging:commons-logging:jar:1.0.4:compile
[INFO] +- commons-io:commons-io:jar:2.5:compile
[INFO] +- org.apache.maven.doxia:doxia-sink-api:jar:1.4:compile
[INFO] |  \- org.apache.maven.doxia:doxia-logging-api:jar:1.4:compile
[INFO] +- org.apache.maven.doxia:doxia-site-renderer:jar:1.4:compile
[INFO] |  +- org.apache.maven.doxia:doxia-decoration-model:jar:1.4:compile
[INFO] |  +- org.apache.maven.doxia:doxia-module-xhtml:jar:1.4:compile
[INFO] |  +- org.apache.maven.doxia:doxia-module-fml:jar:1.4:compile
[INFO] |  +- org.codehaus.plexus:plexus-i18n:jar:1.0-beta-7:compile
[INFO] |  +- org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-30:compile
[INFO] |  +- org.codehaus.plexus:plexus-velocity:jar:1.1.7:compile
[INFO] |  +- org.apache.velocity:velocity:jar:1.5:compile
[INFO] |  |  \- oro:oro:jar:2.0.8:compile
[INFO] |  \- org.apache.velocity:velocity-tools:jar:2.0:compile
[INFO] |     +- commons-chain:commons-chain:jar:1.1:compile
[INFO] |     +- dom4j:dom4j:jar:1.1:compile
[INFO] |     +- sslext:sslext:jar:1.2-0:compile
[INFO] |     +- org.apache.struts:struts-core:jar:1.3.8:compile
[INFO] |     |  \- antlr:antlr:jar:2.7.2:compile
[INFO] |     +- org.apache.struts:struts-taglib:jar:1.3.8:compile
[INFO] |     \- org.apache.struts:struts-tiles:jar:1.3.8:compile
[INFO] +- org.codehaus.plexus:plexus-archiver:jar:3.7.0:compile
[INFO] |  +- org.apache.commons:commons-compress:jar:1.18:compile
[INFO] |  +- org.iq80.snappy:snappy:jar:0.4:compile
[INFO] |  \- org.tukaani:xz:jar:1.8:runtime
[INFO] +- org.codehaus.plexus:plexus-utils:jar:3.1.0:compile
[INFO] +- org.apache.maven.shared:file-management:jar:3.0.0:compile
[INFO] |  \- org.apache.maven.shared:maven-shared-io:jar:3.0.0:compile
[INFO] +- org.codehaus.plexus:plexus-io:jar:3.1.0:compile
[INFO] +- org.apache.maven.shared:maven-dependency-analyzer:jar:1.11.1:compile
[INFO] |  \- org.ow2.asm:asm:jar:7.0:compile
[INFO] +- org.apache.maven.shared:maven-dependency-tree:jar:3.0.1:compile
[INFO] |  \- org.eclipse.aether:aether-util:jar:0.9.0.M2:compile
[INFO] +- org.apache.maven.shared:maven-common-artifact-filters:jar:3.0.1:compile
[INFO] +- org.apache.maven.shared:maven-artifact-transfer:jar:0.9.1:compile
[INFO] |  +- commons-codec:commons-codec:jar:1.6:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.5:compile
[INFO] +- org.apache.maven.shared:maven-shared-utils:jar:3.2.1:compile
[INFO] +- commons-lang:commons-lang:jar:2.6:compile
[INFO] +- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] +- classworlds:classworlds:jar:1.1:compile
[INFO] +- org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.5.2:provided
[INFO] +- junit:junit:jar:4.11:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.apache.maven.plugin-testing:maven-plugin-testing-tools:jar:2.1:test
[INFO] |  \- org.apache.maven.shared:maven-invoker:jar:2.0.11:test
[INFO] +- org.apache.maven.plugin-testing:maven-plugin-testing-harness:jar:2.1:test
[INFO] +- org.codehaus.plexus:plexus-interpolation:jar:1.24:test
[INFO] +- org.sonatype.aether:aether-connector-wagon:jar:1.7:provided
[INFO] |  \- org.sonatype.aether:aether-spi:jar:1.7:compile
[INFO] \- org.apache.maven.wagon:wagon-http-lightweight:jar:1.0-beta-6:provided
[INFO]    \- org.apache.maven.wagon:wagon-http-shared:jar:1.0-beta-6:provided
[INFO]       +- nekohtml:xercesMinimal:jar:1.9.6.2:provided
[INFO]       \- nekohtml:nekohtml:jar:1.9.6.2:provided
[INFO] ------------------------------------------------------------------------
{code}
So I have drilled down the dependency tree to the interesting parts:
{code}
[INFO] org.apache.maven.plugins:maven-dependency-plugin:maven-plugin:3.1.2-SNAPSHOT
[INFO] +- org.apache.maven.reporting:maven-reporting-impl:jar:2.3:compile
[INFO] |  +- org.apache.maven.doxia:doxia-core:jar:1.2:compile
[INFO] |  |  +- xerces:xercesImpl:jar:2.9.1:compile
[INFO] |  |  |  \- xml-apis:xml-apis:jar:1.3.04:compile
[INFO] |  |  \- org.apache.httpcomponents:httpclient:jar:4.0.2:compile
[INFO] |  |     \- org.apache.httpcomponents:httpcore:jar:4.0.1:compile
[INFO] |  \- commons-validator:commons-validator:jar:1.3.1:compile
[INFO] |     +- commons-beanutils:commons-beanutils:jar:1.7.0:compile
[INFO] |     +- commons-digester:commons-digester:jar:1.6:compile
[INFO] |     \- commons-logging:commons-logging:jar:1.0.4:compile
[INFO] +- org.apache.maven.doxia:doxia-site-renderer:jar:1.4:compile
[INFO] |  +- org.apache.maven.doxia:doxia-decoration-model:jar:1.4:compile
[INFO] |  +- org.apache.maven.doxia:doxia-module-xhtml:jar:1.4:compile
[INFO] |  +- org.apache.maven.doxia:doxia-module-fml:jar:1.4:compile
[INFO] |  +- org.codehaus.plexus:plexus-i18n:jar:1.0-beta-7:compile
[INFO] |  +- org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-30:compile
[INFO] |  +- org.codehaus.plexus:plexus-velocity:jar:1.1.7:compile
[INFO] |  +- org.apache.velocity:velocity:jar:1.5:compile
[INFO] |  |  \- oro:oro:jar:2.0.8:compile
[INFO] |  \- org.apache.velocity:velocity-tools:jar:2.0:compile
[INFO] |     +- commons-chain:commons-chain:jar:1.1:compile
[INFO] |     +- dom4j:dom4j:jar:1.1:compile
[INFO] |     +- sslext:sslext:jar:1.2-0:compile
[INFO] |     +- org.apache.struts:struts-core:jar:1.3.8:compile
[INFO] |     |  \- antlr:antlr:jar:2.7.2:compile
[INFO] |     +- org.apache.struts:struts-taglib:jar:1.3.8:compile
[INFO] |     \- org.apache.struts:struts-tiles:jar:1.3.8:compile
[INFO] \- org.apache.maven.wagon:wagon-http-lightweight:jar:1.0-beta-6:provided
[INFO]    \- org.apache.maven.wagon:wagon-http-shared:jar:1.0-beta-6:provided
[INFO]       +- nekohtml:xercesMinimal:jar:1.9.6.2:provided
[INFO]       \- nekohtml:nekohtml:jar:1.9.6.2:provided
{code}
I have upgraded the doxia dependency and the reporting-impl dependency; let's see what CI says, but this is only the first step.

> Upgrade struts and xerces due to CVEs
> -------------------------------------
>
>                 Key: MDEP-626
>                 URL: https://issues.apache.org/jira/browse/MDEP-626
>             Project: Maven Dependency Plugin
>          Issue Type: Dependency upgrade
>          Components: get
>    Affects Versions: 3.1.1
>            Reporter: Richard Cross
>            Priority: Major
>
> If running behind a proxy (e.g. Nexus) with a security vulnerability scanner (e.g. Nexus IQ), the get command (and possibly others) fails due to a dependency on libraries deemed "vulnerable".
>  
> {code:java}
> [ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get (default-cli) on project project1-sample: Execution default-cli of goal org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get failed: Plugin org.apache.maven.plugins:maven-dependency-plugin:LATEST or one of its dependencies could not be resolved: The following artifacts could not be resolved: xerces:xercesImpl:jar:2.9.1, org.apache.struts:struts-core:jar:1.3.8: Could not transfer artifact xerces:xercesImpl:jar:2.9.1 from/to efx.nexus (https://mynexusserver/nexus/repository/maven-public/): Access denied to: https://mynexusserver/nexus/repository/maven-public/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar , ReasonPhrase:Requested item is quarantined. -> [Help 1]
> {code}
> struts2-core 1.3.8 has 4 CVEs against it - "safe" versions are 2.3.35 or 
> 2.5.17
> xercesImpl 2.9.1 has 2 CVEs and a Sonatype security warning - 2.12.0 is 
> better, although still problematic.
>  
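The drill-down Karl does by hand above (find the quarantined artifacts in the `dependency:tree` output and walk up to the direct dependency that pulls them in) is mechanical enough to script. The following is an added example for readers of this issue, not code from the Maven Dependency Plugin project: it parses `mvn dependency:tree` text output, extracts the flagged coordinates from a Maven "could not be resolved" error like the one quoted in the issue, and reports for each flagged artifact the direct dependency that has to be upgraded or excluded. The tree excerpt and the error message embedded below are constructed from the lines shown in this issue; the function names and the `[INFO] ` prefix handling are assumptions about the plain-text tree format, not a plugin API.

```python
"""Map quarantined (or otherwise flagged) artifacts back to the direct dependency
that drags them into a Maven build, from `mvn dependency:tree` text output.

Added example for MDEP-626; not code from the Maven Dependency Plugin."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt of the dependency:tree output shown in this issue.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ maven-dependency-plugin ---
[INFO] org.apache.maven.plugins:maven-dependency-plugin:maven-plugin:3.1.2-SNAPSHOT
[INFO] +- org.apache.maven.reporting:maven-reporting-impl:jar:2.3:compile
[INFO] |  +- org.apache.maven.doxia:doxia-core:jar:1.2:compile
[INFO] |  |  +- xerces:xercesImpl:jar:2.9.1:compile
[INFO] |  |  |  \- xml-apis:xml-apis:jar:1.3.04:compile
[INFO] |  |  \- org.apache.httpcomponents:httpclient:jar:4.0.2:compile
[INFO] |  \- commons-validator:commons-validator:jar:1.3.1:compile
[INFO] +- org.apache.maven.doxia:doxia-site-renderer:jar:1.4:compile
[INFO] |  \- org.apache.velocity:velocity-tools:jar:2.0:compile
[INFO] |     +- org.apache.struts:struts-core:jar:1.3.8:compile
[INFO] |     |  \- antlr:antlr:jar:2.7.2:compile
[INFO] |     \- org.apache.struts:struts-tiles:jar:1.3.8:compile
[INFO] \- org.apache.maven.wagon:wagon-http-lightweight:jar:1.0-beta-6:provided
[INFO]    \- org.apache.maven.wagon:wagon-http-shared:jar:1.0-beta-6:provided
[INFO] ------------------------------------------------------------------------
"""

# Constructed from the resolution error quoted in the issue (shortened).
SAMPLE_ERROR = ("[ERROR] Failed to execute goal ...: The following artifacts could not be "
                "resolved: xerces:xercesImpl:jar:2.9.1, org.apache.struts:struts-core:jar:1.3.8: "
                "Could not transfer artifact xerces:xercesImpl:jar:2.9.1 from/to efx.nexus (...): "
                "Access denied to: ..., ReasonPhrase:Requested item is quarantined.")

SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}
# Child line: an indent made of "|  " / "   " groups, then "+- " or "\- ", then the coordinate.
_CHILD = re.compile(r"^((?:[| ]  )*)[+\\]- (\S+)")
_UNRESOLVED = re.compile(r"could not be resolved: (.*?): Could not transfer")


def parse_coordinate(coord: str) -> Tuple[str, str, Optional[str]]:
    """Return ('groupId:artifactId', version, scope) for 'g:a:type[:classifier]:version[:scope]'."""
    parts = coord.split(":")
    if parts[-1] in SCOPES:
        scope, version = parts[-1], parts[-2]
    else:
        scope, version = None, parts[-1]  # root project line / error-message coordinates carry no scope
    return f"{parts[0]}:{parts[1]}", version, scope


def parse_tree(text: str) -> List[Tuple[List[str], Optional[str]]]:
    """Turn tree output into (path, scope) pairs; path[0] is the root project, path[1] the direct dependency."""
    nodes: List[Tuple[List[str], Optional[str]]] = []
    stack: List[Tuple[int, str]] = []  # (depth, 'g:a:version') of the current ancestor chain
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        if not line.strip() or line.startswith("---"):
            continue  # goal banner, blank and separator lines
        m = _CHILD.match(line)
        if m is None:
            depth, coord = 0, line.strip()
        else:
            depth, coord = len(m.group(1)) // 3 + 1, m.group(2)
        ga, version, scope = parse_coordinate(coord)
        key = f"{ga}:{version}"
        while stack and stack[-1][0] >= depth:
            stack.pop()
        path = [k for _, k in stack] + [key]
        stack.append((depth, key))
        nodes.append((path, scope))
    return nodes


def flagged_from_resolution_error(message: str) -> Set[str]:
    """Extract 'g:a:version' keys from the 'could not be resolved' list of a Maven error."""
    m = _UNRESOLVED.search(message)
    if not m:
        return set()
    return {f"{ga}:{v}" for ga, v, _ in (parse_coordinate(c.strip()) for c in m.group(1).split(","))}


def explain_flagged(tree_text: str, flagged: Set[str]) -> Dict[str, List[Dict[str, Optional[str]]]]:
    """For each flagged artifact, list every path that pulls it in and the direct dependency to fix."""
    report: Dict[str, List[Dict[str, Optional[str]]]] = {k: [] for k in flagged}
    for path, scope in parse_tree(tree_text):
        if path[-1] in flagged and len(path) > 1:
            report[path[-1]].append({"direct": path[1], "via": " -> ".join(path[1:]), "scope": scope})
    return report


if __name__ == "__main__":
    for artifact, hits in explain_flagged(SAMPLE_TREE, flagged_from_resolution_error(SAMPLE_ERROR)).items():
        for hit in hits:
            print(f"{artifact} ({hit['scope']}): upgrade or exclude {hit['direct']}\n    via {hit['via']}")
```

Feeding the script real output (`mvn dependency:tree -DoutputFile=tree.txt` produces the same text shape) shows at a glance that both quarantined artifacts here come in through the reporting stack rather than through anything the plugin declares directly, which is why the comment above upgrades doxia and reporting-impl instead of pinning xerces or struts.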



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)