[ 
https://issues.apache.org/jira/browse/MNG-7359?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17459080#comment-17459080
 ] 

Tamás Cservenák commented on MNG-7359:
--------------------------------------

[~hohwille] Howdy! I don't quite get the issue you have: if you define depMgt 
in your project top level, that should win, irrespective of "transitive deps" 
(unless there are some GA coordinate changes in play?)

"... tried to update the version of log4j in parent pom .. projects derived 
from that pom still load vulnerable versions of log4j as they get it from 
transitive dependencies." – this sounds wrong. If you added a 
{{dependencyManagement}} with the "correct" (fixed, non-vulnerable) version of 
log4j in the parent, the downstream projects WILL pick it up, UNLESS they have an 
overriding {{dependencyManagement}} section as well. Otherwise it is a bug (but 
you do not specify how you "tried to update the version of log4j in parent 
pom").

It is usually very good practice to have a depMgt section for "key" dependencies 
(true, many times you don't know ahead of time which dependency is "key", see the 
log4j 2.x issue, but then you just add a new entry for it and life goes on).

So I am still unsure what you did in the parent POM that allowed that child 
transitive "win".
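As an added illustration of the mechanism described above (not part of the Jira thread, and not Maven project code): a parent POM fragment that imports the log4j BOM and manages the log4j 2.x module versions, so a child project's transitive references to those modules resolve to the managed version. The `com.example` coordinates are hypothetical and the version is a placeholder, not a release named in the thread.

```xml
<!-- Added example (not from the Jira thread): parent POM that manages
     log4j 2.x versions for every module inheriting from it. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>               <!-- hypothetical coordinates -->
  <artifactId>corporate-parent</artifactId>
  <version>1.0.0</version>
  <packaging>pom</packaging>

  <properties>
    <!-- PLACEHOLDER: set this to the fixed, non-vulnerable log4j 2.x release -->
    <log4j2.version>FIXED_LOG4J2_VERSION</log4j2.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Import the log4j BOM: every log4j 2.x module it lists becomes managed,
           so a child that only reaches log4j-core transitively still gets
           ${log4j2.version} instead of the version its library asked for. -->
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-bom</artifactId>
        <version>${log4j2.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <!-- Explicit entry for the module that matters most. Entries declared
           directly here take precedence over entries pulled in by an imported
           BOM, and over any version a child receives transitively. -->
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>${log4j2.version}</version>
      </dependency>
      <!-- Caveats matching the comment above:
           1. A child that redeclares log4j-core in its own dependencyManagement
              overrides this parent entry.
           2. A GA coordinate change is not covered: log4j 1.x is published as
              log4j:log4j, a different artifact, so this entry does not touch it
              and a transitive log4j 1.x reference needs its own handling. -->
    </dependencies>
  </dependencyManagement>
</project>
```

To confirm in a child project which version actually resolved, run `mvn dependency:tree -Dincludes=org.apache.logging.log4j` and check that every listed log4j module carries the managed version.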

> Dependency-Management insufficient to cope with today's security threats
> ------------------------------------------------------------------------
>
>                 Key: MNG-7359
>                 URL: https://issues.apache.org/jira/browse/MNG-7359
>             Project: Maven
>          Issue Type: Improvement
>            Reporter: Jörg Hohwiller
>            Priority: Major
>
> Maven is a great and flexible tool. However, today critical CVEs come up 
> every day (see log4j disaster). The idea of maven is that via some parent POM 
> build logic can be reused to manage and maintain bigger projects.
> To fix such a CVE I tried to update the version of log4j in parent pom and 
> imported the BOM of log4j. However, this does not help and projects derived 
> from that pom still load vulnerable versions of log4j as they get it from 
> transitive dependencies.
> What is required in maven is some configuration in dependencyManagement to 
> tell maven "Hey, whenever you choose X as dependency you have to use AT LEAST 
> version Y". However, maven is lacking this feature and hence fixing CVEs is 
> error prone and leads to unexpected results.
> Maybe the new maven major version gives the opportunity to address this 
> issue. In case it was already addressed and I missed this somehow, simply 
> close as invalid and sorry for the spam.
> Side note: Also a maven repo should somehow have the ability to mark releases 
> with critical CVEs so the download is either aborted (maybe unintended) or at 
> least a FAT WARNING is logged whenever that dependency is pulled.
> Maybe in today's world of cyberwar it would even be suitable to have a tool 
> like owasp-dependency-check built into maven natively by default...