Jörg Hohwiller created MNG-7359:
-----------------------------------

             Summary: Dependency-Management insufficient to cope with today's security threats
                 Key: MNG-7359
                 URL: https://issues.apache.org/jira/browse/MNG-7359
             Project: Maven
          Issue Type: Improvement
            Reporter: Jörg Hohwiller


Maven is a great and flexible tool. However, today critical CVEs come up every 
day (see the log4j disaster). The idea of Maven is that via some parent POM build 
logic can be reused to manage and maintain bigger projects.
To fix such a CVE I tried to update the version of log4j in the parent POM and 
imported the BOM of log4j. However, this does not help and projects derived 
from that POM still load vulnerable versions of log4j as they get it from 
transitive dependencies.

What is required in Maven is some configuration in dependencyManagement to tell 
Maven "Hey, whenever you choose X as a dependency you have to use AT LEAST version 
Y". However, Maven is lacking this feature and hence fixing CVEs is error-prone 
and leads to unexpected results.

Maybe the new Maven major version gives the opportunity to address this issue. 
In case it was already addressed and I missed this somehow, simply close as 
invalid and sorry for the spam.

Side note: Also a Maven repo should somehow have the ability to mark releases 
with critical CVEs so the download is either aborted (maybe unintended) or at 
least a FAT WARNING is logged whenever that dependency is pulled.

Maybe in today's world of cyberwar it would even be suitable to have a tool like 
owasp-dependency-check built into Maven natively by default...
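As an added example, not part of the issue report and not Maven project code, here is a parent POM fragment showing the two mechanisms Maven does offer today for the "at least version Y" requirement: a managed version for the log4j artifacts, plus the maven-enforcer-plugin bannedDependencies rule, which fails the build when any dependency path (transitive ones included) still resolves to a version below the floor. The coordinates com.example:example-parent, the property value X.Y.Z (to be replaced with the first fixed log4j release) and the enforcer plugin version 3.0.0 are assumptions for illustration.

```xml
<!-- Added example, not from the Jira issue or from Maven itself.
     Placeholders: com.example:example-parent, and the log4j.safe.version value,
     which must be replaced with the first log4j release that fixes the CVE. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>example-parent</artifactId>
  <version>1.0.0</version>
  <packaging>pom</packaging>

  <properties>
    <!-- Placeholder: the minimum acceptable log4j version (the fixed release). -->
    <log4j.safe.version>X.Y.Z</log4j.safe.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Managed versions apply to direct and transitive dependencies of every
           child build; both log4j modules are pinned to the same version so the
           API and core artifacts cannot drift apart. -->
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>${log4j.safe.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>${log4j.safe.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0</version> <!-- assumed plugin version -->
        <executions>
          <execution>
            <id>ban-vulnerable-log4j</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- Inspect the whole resolved tree, not only declared dependencies. -->
                  <searchTransitive>true</searchTransitive>
                  <excludes>
                    <!-- "At least version Y": every log4j-core version below the
                         floor is banned, expressed as an open-ended lower range. -->
                    <exclude>org.apache.logging.log4j:log4j-core:[,${log4j.safe.version})</exclude>
                  </excludes>
                  <message>log4j-core older than ${log4j.safe.version} is banned (known critical CVE).</message>
                </bannedDependencies>
              </rules>
              <!-- Abort the build instead of only logging a warning. -->
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

The enforce goal binds to the validate phase by default, so `mvn validate` in any child project is enough to exercise the rule, and `mvn dependency:tree -Dincludes=org.apache.logging.log4j` shows which dependency path brought a given log4j version in when the rule fires.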



--
This message was sent by Atlassian Jira
(v8.20.1#820001)