[
https://issues.apache.org/jira/browse/MNG-7359?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458687#comment-17458687
]
Michael Osipov commented on MNG-7359:
-------------------------------------
This is somewhat related to MNG-6772 and friends.
> Dependency-Management insufficient to cope with today's security threats
> -----------------------------------------------------------------------
>
> Key: MNG-7359
> URL: https://issues.apache.org/jira/browse/MNG-7359
> Project: Maven
> Issue Type: Improvement
> Reporter: Jörg Hohwiller
> Priority: Major
>
> Maven is a great and flexible tool. However, today critical CVEs come up
> every day (see the log4j disaster). The idea of Maven is that via some parent POM
> build logic can be reused to manage and maintain bigger projects.
> To fix such a CVE I tried to update the version of log4j in the parent POM and
> imported the BOM of log4j. However, this does not help and projects derived
> from that POM still load vulnerable versions of log4j as they get it from
> transitive dependencies.
> What is required in Maven is some configuration in dependencyManagement to
> tell Maven "Hey, whenever you choose X as dependency you have to use AT LEAST
> version Y". However, Maven is lacking this feature and hence fixing CVEs is
> error prone and leads to unexpected results.
> Maybe the new Maven major version gives the opportunity to address this
> issue. In case it was already addressed and I missed this somehow, simply
> close as invalid and sorry for the spam.
> Side note: Also a Maven repository should somehow have the ability to mark releases
> with critical CVEs so the download is either aborted (maybe unintended) or at
> least a FAT WARNING is logged whenever that dependency is pulled.
> Maybe in today's world of cyberwar it would even be suitable to have a tool
> like owasp-dependency-check built into Maven natively by default...
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
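The "at least version Y" rule the report asks for can be checked after resolution, outside Maven, by scanning the output of `mvn dependency:tree -Dverbose`. The Python script below is an added example for this thread, not code from Maven or from anyone in the discussion. The dependency tree it scans is constructed for the example, the version ordering is a simplified stand-in for Maven's ComparableVersion (numeric segments by value, textual qualifiers such as rc or SNAPSHOT below any number, trailing .0 ignored), and the policy map, function names and script name are the example's own.

```python
"""Post-resolution minimum-version check over `mvn dependency:tree -Dverbose` output.

Added example for MNG-7359, not Maven code. Assumes the default text layout of
the dependency:tree plugin output and a simplified version ordering (see
version_key), which is narrower than Maven's ComparableVersion.
"""
import re
import sys
from typing import Dict, List, Tuple

SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}
COORD_RE = re.compile(r"[\w.\-]+(:[\w.\-]+){3,5}")  # g:a:type[:classifier]:version[:scope]

# Constructed sample output (not from a real build). log4j-core 2.14.1 wins by
# nearest-wins/first-declared; the 2.17.1 copy under other-lib is omitted.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] +- com.example:legacy-lib:jar:3.2.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- com.example:other-lib:jar:1.1.0:compile
[INFO] |  \- (org.apache.logging.log4j:log4j-core:jar:2.17.1:compile - omitted for conflict with 2.14.1)
[INFO] \- junit:junit:jar:4.13.2:test
[INFO] Total time:  1.234 s
"""

# Hypothetical policy: "groupId:artifactId" or "groupId:*" -> minimum version.
POLICY: Dict[str, str] = {"org.apache.logging.log4j:*": "2.17.1"}


def version_key(v: str) -> List[Tuple[int, object]]:
    """Numeric tokens as (1, int); text tokens as (0, str), which sort below any number."""
    tokens: List[Tuple[int, object]] = []
    for tok in re.split(r"[.\-]", v):
        tokens.append((1, int(tok)) if tok.isdigit() else (0, tok.lower()))
    while tokens and tokens[-1] == (1, 0):  # 2.17 == 2.17.0
        tokens.pop()
    return tokens


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is below, equal to or above b."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += [(1, 0)] * (n - len(ka))  # pad so 2.17.1-rc1 < 2.17.1
    kb += [(1, 0)] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def parse_tree(text: str) -> List[Tuple[str, str, str, bool]]:
    """Yield (path, group:artifact, version, omitted) for each node of the tree."""
    stack: List[str] = []
    nodes = []
    for raw in text.splitlines():
        if not raw.startswith("[INFO] "):
            continue
        body = raw[len("[INFO] "):]
        m = re.match(r"^([|+\\\- ]*)(.*)$", body)
        prefix, rest = m.group(1), m.group(2)
        omitted = rest.startswith("(")
        coord = rest[1:].split(" - ")[0] if omitted else rest
        if not COORD_RE.fullmatch(coord):
            continue  # plugin banner, timing lines and other non-tree output
        parts = coord.split(":")
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        ga = f"{parts[0]}:{parts[1]}"
        depth = len(prefix) // 3  # each tree level is three characters wide
        del stack[depth:]
        stack.append(ga)
        nodes.append((" -> ".join(stack), ga, version, omitted))
    return nodes


def check_tree(text: str, policy: Dict[str, str]) -> List[Dict[str, str]]:
    """Resolved (non-omitted) nodes whose version is below the policy floor."""
    violations = []
    for path, ga, version, omitted in parse_tree(text):
        if omitted:
            continue  # not on the classpath, so not a violation by itself
        minimum = policy.get(ga) or policy.get(ga.split(":")[0] + ":*")
        if minimum and compare_versions(version, minimum) < 0:
            violations.append({"artifact": ga, "found": version,
                               "required": minimum, "path": path})
    return violations


if __name__ == "__main__":
    tree = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    found = check_tree(tree, POLICY)
    for v in found:
        print(f"{v['artifact']} {v['found']} < {v['required']} via {v['path']}")
    sys.exit(1 if found else 0)
```

Run it as `mvn dependency:tree -Dverbose | python check_min_versions.py` (hypothetical file name) in CI and fail the build on a non-zero exit. Nodes marked "omitted for conflict" are skipped because they are not on the classpath; in the constructed sample that omitted node is exactly the newer copy that lost the nearest-wins tie, which is the situation the report describes. A version pinned in dependencyManagement is applied as an exact version, not a floor, so a check like this after resolution is the simplest way to verify the floor actually holds.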