[ 
https://issues.apache.org/jira/browse/MDEP-765?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andrew Swan updated MDEP-765:
-----------------------------
    Description: 
h1. Problem

Executing certain goals of the {{dependency}} plugin (for example 
{{copy-dependencies}} and {{unpack-dependencies}}) causes various Struts 1.3.8 
POMs to be downloaded to the user's local Maven repository. This version of 
Struts has known security vulnerabilities.
h1. Reproduction

Here's a minimal POM that demonstrates the problem:
{code:xml}
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.example</groupId>
    <artifactId>dependency-plugin-demo</artifactId>
    <version>1.0-SNAPSHOT</version>
    <build>
        <pluginManagement>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-dependency-plugin</artifactId>
                    <version>3.2.0</version>
                </plugin>
            </plugins>
        </pluginManagement>
    </build>
</project>{code}
Running {{mvn dependency:copy-dependencies}} results in the following output:
{code:java}
[INFO] Scanning for projects...
[INFO] 
[INFO] -----------------< org.example:dependency-plugin-demo >-----------------
[INFO] Building dependency-plugin-demo 1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.2.0:copy-dependencies (default-cli) @ dependency-plugin-demo ---
Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom
Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom (4.3 kB at 2.8 kB/s)
Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-parent/1.3.8/struts-parent-1.3.8.pom
Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-parent/1.3.8/struts-parent-1.3.8.pom (9.8 kB at 21 kB/s)
Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-master/4/struts-master-4.pom
Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-master/4/struts-master-4.pom (11 kB at 25 kB/s)
Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.pom
Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.pom (3.1 kB at 6.4 kB/s)
Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-tiles/1.3.8/struts-tiles-1.3.8.pom
Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-tiles/1.3.8/struts-tiles-1.3.8.pom (2.9 kB at 5.2 kB/s)
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  4.297 s
[INFO] Finished at: 2021-09-09T14:18:10+10:00
[INFO] ------------------------------------------------------------------------{code}
h1. Workaround

One workaround is to downgrade to version 2.8 of the plugin; however, this may 
also require the user to modify their plugin configuration, because the 
semantics of configuration options like {{includeScope}} have changed even 
between minor versions 3.1.2 and 3.2.0.

  was:
h1. Problem

Executing certain goals of the {{dependency}} plugin (for example 
{{copy-dependencies}} and {{unpack-dependencies}}) causes various Struts 1.3.8 
artifacts to be downloaded to the user's local Maven repository. This version 
of Struts has known security vulnerabilities.

h1. Reproduction

Here's a minimal POM that demonstrates the problem:
{code:xml}<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.example</groupId>
    <artifactId>dependency-plugin-demo</artifactId>
    <version>1.0-SNAPSHOT</version>
    <build>
        <pluginManagement>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-dependency-plugin</artifactId>
                    <version>3.2.0</version>
                </plugin>
            </plugins>
        </pluginManagement>
    </build>
</project>{code}

Running {{mvn dependency:copy-dependencies}} results in the following output:

{code}[INFO] Scanning for projects...
[INFO] 
[INFO] -----------------< org.example:dependency-plugin-demo >-----------------
[INFO] Building dependency-plugin-demo 1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.2.0:copy-dependencies (default-cli) @ dependency-plugin-demo ---
Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom
Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom (4.3 kB at 2.8 kB/s)
Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-parent/1.3.8/struts-parent-1.3.8.pom
Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-parent/1.3.8/struts-parent-1.3.8.pom (9.8 kB at 21 kB/s)
Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-master/4/struts-master-4.pom
Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-master/4/struts-master-4.pom (11 kB at 25 kB/s)
Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.pom
Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.pom (3.1 kB at 6.4 kB/s)
Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-tiles/1.3.8/struts-tiles-1.3.8.pom
Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-tiles/1.3.8/struts-tiles-1.3.8.pom (2.9 kB at 5.2 kB/s)
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  4.297 s
[INFO] Finished at: 2021-09-09T14:18:10+10:00
[INFO] ------------------------------------------------------------------------{code}

h1. Workaround
One workaround is to downgrade to version 2.8 of the plugin; however, this may 
also require the user to modify their plugin configuration, because the 
semantics of configuration options like {{includeScope}} have changed even 
between minor versions 3.1.2 and 3.2.0.


> Some goals result in download of Struts 1.3.8 POMs
> --------------------------------------------------
>
>                 Key: MDEP-765
>                 URL: https://issues.apache.org/jira/browse/MDEP-765
>             Project: Maven Dependency Plugin
>          Issue Type: Bug
>          Components: copy-dependencies, unpack-dependencies
>    Affects Versions: 3.2.0
>            Reporter: Andrew Swan
>            Priority: Minor
>              Labels: security, struts
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
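The report above shows that a plugin goal can pull metadata for coordinates the project never declared, and the only visible trace is Maven's own "Downloading from" / "Downloaded from" output. The following script is an added example (it is not part of the MDEP-765 report, the Maven Dependency Plugin, or any Apache project) of a CI-side check that parses that output and flags any artifact, including a bare POM, whose coordinates match a denylist. It assumes the standard Maven 2 repository layout (`<base>/<group path>/<artifactId>/<version>/<artifactId>-<version>[-classifier].<ext>`); the sample log is constructed from the lines in the report plus one made-up `maven-metadata.xml` download to show how non-artifact URLs are skipped, and the `DENYLIST` rule format is this example's own.

```python
"""Flag denylisted artifact coordinates in Maven build output.

Added example, not code from the MDEP-765 report or the plugin. Assumes the
standard Maven 2 repository layout; the denylist rule format is invented here.
"""
import re
import sys
from urllib.parse import urlparse

# Maven prints "Downloading from <repoId>: <url>" for an attempt and
# "Downloaded from <repoId>: <url> (<size> at <rate>)" on completion.
DOWNLOAD_RE = re.compile(r"^Download(?:ing|ed) from (?P<repo>\S+): (?P<url>\S+)")

# Rules are (groupId, artifactId or "*", version or "*"). The only entry here is
# the version the report names; the rule format itself is this example's own.
DENYLIST = [
    ("org.apache.struts", "*", "1.3.8"),
]

# Constructed sample log based on the output quoted in the report, with an
# invented maven-metadata.xml download added to show a non-artifact URL.
SAMPLE_LOG = """\
[INFO] --- maven-dependency-plugin:3.2.0:copy-dependencies (default-cli) @ dependency-plugin-demo ---
Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom
Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom (4.3 kB at 2.8 kB/s)
Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-master/4/struts-master-4.pom
Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-master/4/struts-master-4.pom (11 kB at 25 kB/s)
Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.pom
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/struts/struts-core/maven-metadata.xml
[INFO] BUILD SUCCESS
"""


def parse_coordinates(url):
    """Map a repository URL to (group_segments, artifactId, version, classifier, ext).

    The repository base path is not known from the URL alone, so the group is
    returned as the tuple of path segments before the artifactId and is matched
    by suffix. Returns None for URLs that do not fit the artifact layout
    (for example maven-metadata.xml, which sits at the artifactId level).
    """
    segments = [s for s in urlparse(url).path.split("/") if s]
    if len(segments) < 4:
        return None
    filename, version, artifact_id = segments[-1], segments[-2], segments[-3]
    prefix = f"{artifact_id}-{version}"
    if not filename.startswith(prefix):
        return None
    rest = filename[len(prefix):]          # ".pom", ".jar", "-sources.jar", ".jar.sha1"
    if "." not in rest:
        return None
    stem, ext = rest.split(".", 1)          # "-sources" / "jar"; "" / "jar.sha1"
    if stem and not stem.startswith("-"):
        return None                         # e.g. "struts-core-1.3.8x.pom": a different version
    classifier = stem[1:] if stem else ""
    return (tuple(segments[:-3]), artifact_id, version, classifier, ext)


def matches(rule, coords):
    """True if coords match a (groupId, artifactId|*, version|*) rule."""
    group_id, artifact_rule, version_rule = rule
    group_segments, artifact_id, version, _classifier, _ext = coords
    wanted = tuple(group_id.split("."))
    if group_segments[-len(wanted):] != wanted:
        return False
    if artifact_rule != "*" and artifact_rule != artifact_id:
        return False
    return version_rule == "*" or version_rule == version


def scan_maven_log(log_text, denylist=DENYLIST):
    """Return one finding per distinct denylisted file the build reached for.

    Attempts ("Downloading") count as well as completions ("Downloaded"), since
    a denied coordinate being requested is the signal; duplicates are folded.
    """
    findings, seen = [], set()
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = DOWNLOAD_RE.match(line.strip())
        if not m:
            continue
        coords = parse_coordinates(m.group("url"))
        if coords is None:
            continue
        for rule in denylist:
            if not matches(rule, coords):
                continue
            _group, artifact_id, version, classifier, ext = coords
            key = (artifact_id, version, classifier, ext)
            if key not in seen:
                seen.add(key)
                findings.append({
                    "line": lineno,
                    "repo": m.group("repo"),
                    "coordinates": f"{rule[0]}:{artifact_id}:{version}",
                    "classifier": classifier,
                    "type": ext,           # "pom" means metadata only, not a binary
                    "rule": ":".join(rule),
                })
            break
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in scan_maven_log(text):
        print(f"line {f['line']}: {f['coordinates']} ({f['type']}) from {f['repo']} matched {f['rule']}")
    sys.exit(1 if scan_maven_log(text) else 0)
```

Run it as `mvn -B dependency:copy-dependencies | tee build.log; python3 scan_maven_log.py < build.log` and fail the job on a non-zero exit. Two caveats apply: the `type` field lets a reviewer separate a POM-only fetch, as in this report, from a jar that actually lands on a classpath; and Maven prints nothing for files already cached in the local repository, so the check only sees what a given run downloads. Pair it with an empty or fresh local repository in CI, or with a separate scan of `~/.m2` paths, if you want coverage of what is already cached.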
