[ 
https://issues.apache.org/jira/browse/MDEP-765?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sylwester Lachiewicz reassigned MDEP-765:
-----------------------------------------

    Assignee:     (was: Sylwester Lachiewicz)

> Some goals result in download of Struts 1.3.8 POMs
> --------------------------------------------------
>
>                 Key: MDEP-765
>                 URL: https://issues.apache.org/jira/browse/MDEP-765
>             Project: Maven Dependency Plugin
>          Issue Type: Bug
>          Components: copy-dependencies, unpack-dependencies
>    Affects Versions: 3.2.0
>            Reporter: Andrew Swan
>            Priority: Minor
>              Labels: security, struts
>
> h1. Problem
> Executing certain goals of the {{dependency}} plugin (for example 
> {{copy-dependencies}} and {{unpack-dependencies}}) causes various Struts 
> 1.3.8 POMs to be downloaded to the user's local Maven repository. This 
> version of Struts has known security vulnerabilities.
> h1. Reproduction
> Here's a minimal POM that demonstrates the problem:
> {code:xml}
> <?xml version="1.0" encoding="UTF-8"?>
> <project xmlns="http://maven.apache.org/POM/4.0.0"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
>     <modelVersion>4.0.0</modelVersion>
>     <groupId>org.example</groupId>
>     <artifactId>dependency-plugin-demo</artifactId>
>     <version>1.0-SNAPSHOT</version>
>     <build>
>         <pluginManagement>
>             <plugins>
>                 <plugin>
>                     <groupId>org.apache.maven.plugins</groupId>
>                     <artifactId>maven-dependency-plugin</artifactId>
>                     <version>3.2.0</version>
>                 </plugin>
>             </plugins>
>         </pluginManagement>
>     </build>
> </project>{code}
> Running {{mvn dependency:copy-dependencies}} results in the following output:
> {code:java}
> [INFO] Scanning for projects...
> [INFO] 
> [INFO] -----------------< org.example:dependency-plugin-demo >-----------------
> [INFO] Building dependency-plugin-demo 1.0-SNAPSHOT
> [INFO] --------------------------------[ jar ]---------------------------------
> [INFO] 
> [INFO] --- maven-dependency-plugin:3.2.0:copy-dependencies (default-cli) @ dependency-plugin-demo ---
> Downloading from maven-atlassian-com: 
> https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom
> Downloaded from maven-atlassian-com: 
> https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom
>  (4.3 kB at 2.8 kB/s)
> Downloading from maven-atlassian-com: 
> https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-parent/1.3.8/struts-parent-1.3.8.pom
> Downloaded from maven-atlassian-com: 
> https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-parent/1.3.8/struts-parent-1.3.8.pom
>  (9.8 kB at 21 kB/s)
> Downloading from maven-atlassian-com: 
> https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-master/4/struts-master-4.pom
> Downloaded from maven-atlassian-com: 
> https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-master/4/struts-master-4.pom
>  (11 kB at 25 kB/s)
> Downloading from maven-atlassian-com: 
> https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.pom
> Downloaded from maven-atlassian-com: 
> https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.pom
>  (3.1 kB at 6.4 kB/s)
> Downloading from maven-atlassian-com: 
> https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-tiles/1.3.8/struts-tiles-1.3.8.pom
> Downloaded from maven-atlassian-com: 
> https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-tiles/1.3.8/struts-tiles-1.3.8.pom
>  (2.9 kB at 5.2 kB/s)
> [INFO] 
> ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] 
> ------------------------------------------------------------------------
> [INFO] Total time:  4.297 s
> [INFO] Finished at: 2021-09-09T14:18:10+10:00
> [INFO] 
> ------------------------------------------------------------------------{code}
> h1. Workaround
> One workaround is to downgrade to version 2.8 of the plugin, however this may 
> also require the user to modify their plugin configuration, because the 
> semantics of configuration options like {{includeScope}} have changed even 
> between minor versions 3.1.2 and 3.2.0.
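As an added example (not part of this report or of the plugin), a small script that audits Maven's own "Downloaded from" output for POMs of watchlisted coordinates, such as the Struts 1.3.8 POMs shown above, so a CI job can alert on them. It assumes the repository base URLs (the Atlassian one is inferred from the log, `central` is Maven's default) and a constructed log excerpt; the Struts 1.x watchlist entry is mine.

```python
import re
from collections import namedtuple

# Coordinates recovered from a downloaded POM's repository URL.
Artifact = namedtuple("Artifact", "repo group artifact version")

# One line per fetched file in Maven 3 output; "\s+" also tolerates a URL wrapped onto the next line.
DOWNLOADED_RE = re.compile(r"Downloaded from (?P<repo>\S+):\s+(?P<url>\S+)")

def parse_downloaded_poms(log, repo_roots):
    """Map 'Downloaded from <id>: <url>' lines to coordinates (POM files only).
    repo_roots (repo id -> base URL) lets the group id be split off the repo path:
    <root>/<group/as/path>/<artifact>/<version>/<artifact>-<version>.pom"""
    found = []
    for m in DOWNLOADED_RE.finditer(log):
        repo, url = m.group("repo"), m.group("url")
        root = repo_roots.get(repo)
        if root is None or not url.startswith(root + "/") or not url.endswith(".pom"):
            continue
        parts = url[len(root) + 1:].split("/")
        if len(parts) < 4:
            continue
        *group_parts, artifact, version, filename = parts
        if filename != f"{artifact}-{version}.pom":
            continue  # non-standard layout: skip rather than guess
        found.append(Artifact(repo, ".".join(group_parts), artifact, version))
    return found

def flag_watchlisted(artifacts, watchlist):
    # Keep artifacts whose group is watchlisted and whose version starts with the listed prefix.
    return [a for a in artifacts
            if a.group in watchlist and a.version.startswith(watchlist[a.group])]

# Constructed sample: lines modelled on the report's output plus one benign download.
SAMPLE_LOG = """\
Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom
Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom (4.3 kB at 2.8 kB/s)
Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-master/4/struts-master-4.pom (11 kB at 25 kB/s)
Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.pom (3.1 kB at 6.4 kB/s)
Downloaded from central: https://repo.maven.apache.org/maven2/junit/junit/4.13.2/junit-4.13.2.pom (2.8 kB at 10 kB/s)
[INFO] BUILD SUCCESS
"""
# Repo id -> base URL as configured in settings.xml (the Atlassian root is inferred from the log).
REPO_ROOTS = {"maven-atlassian-com": "https://packages.atlassian.com/maven/repository/internal",
              "central": "https://repo.maven.apache.org/maven2"}
WATCHLIST = {"org.apache.struts": "1."}  # Struts 1.x is end-of-life; the report concerns 1.3.8

def audit(log=SAMPLE_LOG):
    """Return the watchlisted POMs a Maven run fetched, for alerting or a CI gate."""
    return flag_watchlisted(parse_downloaded_poms(log, REPO_ROOTS), WATCHLIST)
```

Feed it `mvn -B ... | tee build.log` output; `struts-master:4` is parsed but not flagged because only the 1.x prefix is watchlisted.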



--
This message was sent by Atlassian Jira
(v8.20.1#820001)