Modified: maven/website/content/repository/guide-central-repository-upload.html ============================================================================== --- maven/website/content/repository/guide-central-repository-upload.html (original) +++ maven/website/content/repository/guide-central-repository-upload.html Sun May 12 07:42:36 2024 @@ -2,18 +2,18 @@ <!-- - | Generated by Apache Maven Doxia Site Renderer 2.0.0-M18 from content/apt/repository/guide-central-repository-upload.apt at 2024-05-11 + | Generated by Apache Maven Doxia Site Renderer 2.0.0-M10 from content/apt/repository/guide-central-repository-upload.apt at 2024-05-12 | Rendered using Apache Maven Fluido Skin 2.0.0-M6 --> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> - <meta name="generator" content="Apache Maven Doxia Site Renderer 2.0.0-M18" /> + <meta name="generator" content="Apache Maven Doxia Site Renderer 2.0.0-M10" /> <meta name="author" content="Jason van Zyl" /> <meta name="author" content="Brian Fox" /> <meta name="date" content="2018-12-31" /> - <title>Maven</title> + <title>Maven â Guide to uploading artifacts to the Central Repository</title> <link rel="stylesheet" href="../css/apache-maven-fluido-2.0.0-M6.min.css" /> <link rel="stylesheet" href="../css/site.css" /> <link rel="stylesheet" href="../css/print.css" media="print" /> 
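Review bot: In the first hunk of guide-central-repository-upload.html (@@ -2,18 +2,18 @@), the generator comment and the `<meta name="generator">` tag move from Doxia Site Renderer 2.0.0-M18 to 2.0.0-M10 while the generation date advances from 2024-05-11 to 2024-05-12, so this publish appears to have been rendered with an older renderer than the previous one. Please confirm the downgrade is intended, and if it is not, fix the renderer version used for the site build before republishing. The new `<title>` in the same hunk also shows a mis-encoded separator ("Maven â Guide to uploading artifacts ...") although the page declares `<meta charset="UTF-8" />`; check that the dash is written as UTF-8 in the generated file.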
@@ -40,10 +40,8 @@ <div class="container-fluid"> <header> <div id="banner"> - <div class="pull-left"><a href="https://www.apache.org/" id="bannerLeft"><h1>Apache Maven Site</h1> -</a></div> - <div class="pull-right"><a href=".././" id="bannerRight"><h1>$esc.xml( $banner.name )</h1> -</a></div> + <div class="pull-left"><a href="https://www.apache.org/" id="bannerLeft"><img src="../images/apache-maven-project.png" alt="Apache Maven Site" style="" /></a></div> + <div class="pull-right"><a href=".././" id="bannerRight"><img src="../images/maven-logo-black-on-white.png" alt="" style="" /></a></div> <div class="clear"><hr/></div> </div> @@ -51,9 +49,8 @@ <ul class="breadcrumb"> <li><a href="https://www.apache.org/" class="externalLink" title="Apache">Apache</a><span class="divider">/</span></li> <li><a href="../index.html" title="Maven">Maven</a><span class="divider">/</span></li> - - <li class="active ">Maven <a href="https://github.com/apache/maven-site/tree/master/content/apt/repository/guide-central-repository-upload.apt"><img src="../images/accessories-text-editor.png" title="Edit" /></a></li> - <li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2024-05-11</li> + <li class="active ">Guide to uploading artifacts to the Central Repository <a href="https://github.com/apache/maven-site/tree/master/content/apt/repository/guide-central-repository-upload.apt"><img src="../images/accessories-text-editor.png" title="Edit" /></a></li> + <li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2024-05-12</li> <li class="pull-right"><span class="divider">|</span> <a href="../scm.html" title="Get Sources">Get Sources</a></li> <li class="pull-right"><a href="../download.cgi" title="Download">Download</a></li> 
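Review bot: In the banner hunk (@@ -40,10 +40,8 @@), the new `bannerRight` link wraps an image with `alt=""`, which leaves that link without an accessible name, while `bannerLeft` carries `alt="Apache Maven Site"`. Give the right-hand logo a meaningful alt text in the source that generates this banner. The empty `style=""` attributes on both images can be dropped as well.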
@@ -147,23 +144,23 @@ </div> </header> <main id="bodyColumn" class="span10" > -<section><a id="Guide_to_uploading_artifacts_to_the_Central_Repository"></a> +<section> <h1>Guide to uploading artifacts to the Central Repository</h1> -<p>In order for users of Maven to utilize artifacts produced by your project, you must deploy them to a remote repository. Many open source projects want to allow users of their projects who build with Maven to have transparent access to their project's artifacts. In order to allow for this, a project should deploy their artifacts to the <a href="/repository/">Central Repository</a>.</p></section><section><a id="Requirements"></a> +<p>In order for users of Maven to utilize artifacts produced by your project, you must deploy them to a remote repository. Many open source projects want to allow users of their projects who build with Maven to have transparent access to their project's artifacts. In order to allow for this, a project should deploy their artifacts to the <a href="/repository/">Central Repository</a>.</p></section><section> <h1>Requirements</h1> -<ol style="list-style-type: decimal;"> +<ol style="list-style-type: decimal"> <li><b>releases</b>: Only <i>releases</i> can be uploaded to the Central Repository, that means files that won't change and that only depend on other files already released and available in the repository,</li> <li><b>javadoc and sources</b> for IDE lookup,</li> <li><b>PGP signature</b>,</li> <li><b>minimum POM information</b>: There are some requirements for the minimal information in the POMs that are in the Central Repository, see <a class="externalLink" href="https://central.sonatype.org/pages/requirements.html#sufficient-metadata">here</a>, </li> <li><b>coordinates</b>: Picking the appropriate coordinates for your project is important. 
See the guidelines <a class="externalLink" href="https://central.sonatype.org/pages/choosing-your-coordinates.html">here</a>, particularly on <a class="externalLink" href="https://central.sonatype.org/pages/producers.html#individual-projects-open-source-software-repository-hosting-ossrh">groupId and domain ownership</a>.</li></ol> -<p>The updated list of requirements can be found <b><a class="externalLink" href="https://central.sonatype.org/pages/requirements.html">here</a></b>.</p><section><a id="Explanation"></a> +<p>The updated list of requirements can be found <b><a class="externalLink" href="https://central.sonatype.org/pages/requirements.html">here</a></b>.</p><section> <h2>Explanation</h2> <p>Some folks have asked <i>"why do we require all this information in the POM for deployed artifacts?"</i>, so here's a small explanation.</p> <p>The POM being deployed with the artifact is part of the process to make transitive dependencies a reality in Maven. The logic for getting transitive dependencies working is really not that hard, the problem is getting the data. The other applications that are made possible by having all the POMs available for artifacts are vast, so by placing them into the Central Repository as part of the process we open up the doors to new ideas that involve unified access to project POMs.</p> -<p>We ask for the license because it is possible that your project's license may change in the course of its lifetime, and we are trying to create tools to help sort out licensing issues. For example, knowing all the licenses for a particular graph of artifacts, we could have some strategies that would identify potential licensing problems.</p></section><section><a id="A_basic_sample.3A"></a> +<p>We ask for the license because it is possible that your project's license may change in the course of its lifetime, and we are trying to create tools to help sort out licensing issues. 
For example, knowing all the licenses for a particular graph of artifacts, we could have some strategies that would identify potential licensing problems.</p></section><section> <h2>A basic sample:</h2> -<pre><code> +<div class="verbatim source"><pre class="prettyprint linenums"> <project> <modelVersion>4.0.0</modelVersion> <groupId>org.apache.maven</groupId> @@ -202,10 +199,10 @@ <pluginRepositories></pluginRepositories> --> </project> -</code></pre></section><section><a id="PGP_Signature"></a> +</pre></div></section><section> <h2>PGP Signature</h2> <p>When people download artifacts from the Central Repository, they might want to verify these artifacts' PGP signatures against a public key server. If there are no signatures, then users have no guarantee that they are downloading the original artifact.</p> -<p>To improve the quality of the Central Repository, we require you to provide PGP signatures for all your artifacts (all files except checksums), and distribute your public key to a key server like <a class="externalLink" href="http://pgp.mit.edu">http://pgp.mit.edu</a>. Read <a class="externalLink" href="http://central.sonatype.org/pages/working-with-pgp-signatures.html">Working with PGP Signatures</a> for more information.</p></section><section><a id="FAQ_and_common_mistakes"></a> +<p>To improve the quality of the Central Repository, we require you to provide PGP signatures for all your artifacts (all files except checksums), and distribute your public key to a key server like <a class="externalLink" href="http://pgp.mit.edu">http://pgp.mit.edu</a>. Read <a class="externalLink" href="http://central.sonatype.org/pages/working-with-pgp-signatures.html">Working with PGP Signatures</a> for more information.</p></section><section> <h2>FAQ and common mistakes</h2> <ul> <li>I have other <code>repositories</code> or <code>pluginRepositories</code> listed in my POM, is that a problem? 
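Review bot: In the hunk at @@ -202,10 +199,10 @@, the regenerated PGP Signature paragraph still links to `http://pgp.mit.edu` and `http://central.sonatype.org/pages/working-with-pgp-signatures.html` over plain HTTP, although the other central.sonatype.org links in this file use https. Since this paragraph tells readers where to publish and look up keys and where to read the signing instructions, update both URLs to https in content/apt/repository/guide-central-repository-upload.apt so the regenerated page picks them up.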
@@ -215,17 +212,17 @@ <li>I have a patched version of the foo project developed at foo.com, what <code>groupId</code> should I use? <p>When you patch / modify a third party project, that patched version becomes your project and therefore should be distributed under a <code>groupId</code> you control as any project you would have developed, never under <code>com.foo</code>. See above considerations about <code>groupId</code>.</p></li> <li>My project is hosted at a project hosting service like SourceForge or Github, what should I use as groupId? -<p>If your project name is <code>foo</code> at SourceForge, you can use <code>net.sf.foo</code>. If your username is <code>bar</code> on Github, you can use <code>com.github.bar</code>. You can also use another reversed domain name you control. The group ID does not have to reflect the project host.</p></li></ul></section></section><section><a id="Publishing_your_artifacts_to_the_Central_Repository"></a> -<h1>Publishing your artifacts to the Central Repository</h1><section><a id="Approved_Repository_Hosting"></a> +<p>If your project name is <code>foo</code> at SourceForge, you can use <code>net.sf.foo</code>. If your username is <code>bar</code> on Github, you can use <code>com.github.bar</code>. You can also use another reversed domain name you control. 
The group ID does not have to reflect the project host.</p></li></ul></section></section><section> +<h1>Publishing your artifacts to the Central Repository</h1><section> <h2>Approved Repository Hosting</h2> <p>Instead of maintaining repository rsync feeds for each projects, we now encourage projects to use an approved repository hosting location.</p> <p>Currently approved repository hosting locations:</p> <ul> <li><a class="externalLink" href="https://repository.apache.org/">Apache Software Foundation</a> (for all Apache projects)</li> <li>see <a class="externalLink" href="https://central.sonatype.org/publish/large-orgs/">the full list</a></li></ul> -<p>Automatic publication will be provided for Forges that provide hosting services for OSS projects and other large project repositories that meet certain minimum criteria such as validation of PGP keys and pom contents as defined above. If you are interested in becoming an approved Forge, <a class="externalLink" href="https://central.sonatype.org/publish/large-orgs/">contact us</a>.</p></section><section><a id="Other_Projects"></a> +<p>Automatic publication will be provided for Forges that provide hosting services for OSS projects and other large project repositories that meet certain minimum criteria such as validation of PGP keys and pom contents as defined above. 
If you are interested in becoming an approved Forge, <a class="externalLink" href="https://central.sonatype.org/publish/large-orgs/">contact us</a>.</p></section><section> <h2>Other Projects</h2> -<p>The easiest way to upload another project is to use the <a class="externalLink" href="https://central.sonatype.org/pages/ossrh-guide.html">Open Source Software Repository Hosting (OSSRH)</a>, which is an approved repository provided by Sonatype for <i>any</i> OSS Project that wants to get its artifacts into the Central Repository.</p></section><section><a id="Explanations"></a> +<p>The easiest way to upload another project is to use the <a class="externalLink" href="https://central.sonatype.org/pages/ossrh-guide.html">Open Source Software Repository Hosting (OSSRH)</a>, which is an approved repository provided by Sonatype for <i>any</i> OSS Project that wants to get its artifacts into the Central Repository.</p></section><section> <h2>Explanations</h2> <p>Having each project maintain its own repository with rsync to the Central Repository was the preferred process until January 2010. However, we are no longer accepting rsync requests on a per project basis.</p> <p>Over time, we have learned that this process is not scalable. Many of the projects being synced release very infrequently, yet we have to hit hundreds of servers several times a day looking for artifacts that don't change. Additionally, there is no good mechanism currently for validating the incoming data via the rsync, and this leads to bad metadata that affects everyone. </p>
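Review bot: The `<a id="...">` targets are dropped from every `<section>` in this file, in this last hunk (@@ -215,17 +212,17 @@) for `Publishing_your_artifacts_to_the_Central_Repository`, `Approved_Repository_Hosting`, `Other_Projects` and `Explanations`, and no replacement `id` appears on the section or its heading. Existing deep links such as `#PGP_Signature` or `#Requirements` will stop resolving. Keep the ids (on the `<section>` or on the heading) or confirm that the renderer emits them elsewhere before publishing.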
Modified: maven/website/content/repository/index.html ============================================================================== --- maven/website/content/repository/index.html (original) +++ maven/website/content/repository/index.html Sun May 12 07:42:36 2024 @@ -2,17 +2,17 @@ <!-- - | Generated by Apache Maven Doxia Site Renderer 2.0.0-M18 from content/xdoc/repository/index.xml at 2024-05-11 + | Generated by Apache Maven Doxia Site Renderer 2.0.0-M10 from content/xdoc/repository/index.xml at 2024-05-12 | Rendered using Apache Maven Fluido Skin 2.0.0-M6 --> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> - <meta name="generator" content="Apache Maven Doxia Site Renderer 2.0.0-M18" /> + <meta name="generator" content="Apache Maven Doxia Site Renderer 2.0.0-M10" /> <meta name="author" content="Brett Porter" /> <meta name="author" content="Hervé Boutemy" /> - <title>Maven</title> + <title>Maven â Maven Central Repository</title> <link rel="stylesheet" href="../css/apache-maven-fluido-2.0.0-M6.min.css" /> <link rel="stylesheet" href="../css/site.css" /> <link rel="stylesheet" href="../css/print.css" media="print" /> @@ -39,10 +39,8 @@ <div class="container-fluid"> <header> <div id="banner"> - <div class="pull-left"><a href="https://www.apache.org/" id="bannerLeft"><h1>Apache Maven Site</h1> -</a></div> - <div class="pull-right"><a href=".././" id="bannerRight"><h1>$esc.xml( $banner.name )</h1> -</a></div> + <div class="pull-left"><a href="https://www.apache.org/" id="bannerLeft"><img src="../images/apache-maven-project.png" alt="Apache Maven Site" style="" /></a></div> + <div class="pull-right"><a href=".././" id="bannerRight"><img src="../images/maven-logo-black-on-white.png" alt="" style="" /></a></div> <div class="clear"><hr/></div> </div> 
@@ -50,9 +48,8 @@ <ul class="breadcrumb"> <li><a href="https://www.apache.org/" class="externalLink" title="Apache">Apache</a><span class="divider">/</span></li> <li><a href="../index.html" title="Maven">Maven</a><span class="divider">/</span></li> - - <li class="active ">Maven <a href="https://github.com/apache/maven-site/tree/master/content/xdoc/repository/index.xml"><img src="../images/accessories-text-editor.png" title="Edit" /></a></li> - <li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2024-05-11</li> + <li class="active ">Maven Central Repository <a href="https://github.com/apache/maven-site/tree/master/content/xdoc/repository/index.xml"><img src="../images/accessories-text-editor.png" title="Edit" /></a></li> + <li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2024-05-12</li> <li class="pull-right"><span class="divider">|</span> <a href="../scm.html" title="Get Sources">Get Sources</a></li> <li class="pull-right"><a href="../download.cgi" title="Download">Download</a></li> @@ -150,7 +147,7 @@ - <section><a id="Maven_Central_Repository"></a> + <section> <h1>Maven Central Repository</h1> Modified: maven/website/content/repository/layout.html ============================================================================== --- maven/website/content/repository/layout.html (original) +++ maven/website/content/repository/layout.html Sun May 12 07:42:36 2024 
@@ -2,15 +2,15 @@ <!-- - | Generated by Apache Maven Doxia Site Renderer 2.0.0-M18 from content/markdown/repository/layout.md at 2024-05-11 + | Generated by Apache Maven Doxia Site Renderer 2.0.0-M10 from content/markdown/repository/layout.md at 2024-05-12 | Rendered using Apache Maven Fluido Skin 2.0.0-M6 --> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> - <meta name="generator" content="Apache Maven Doxia Site Renderer 2.0.0-M18" /> - <title>Maven</title> + <meta name="generator" content="Apache Maven Doxia Site Renderer 2.0.0-M10" /> + <title>Maven â Maven2 Repository Layout</title> <link rel="stylesheet" href="../css/apache-maven-fluido-2.0.0-M6.min.css" /> <link rel="stylesheet" href="../css/site.css" /> <link rel="stylesheet" href="../css/print.css" media="print" /> @@ -37,10 +37,8 @@ <div class="container-fluid"> <header> <div id="banner"> - <div class="pull-left"><a href="https://www.apache.org/" id="bannerLeft"><h1>Apache Maven Site</h1> -</a></div> - <div class="pull-right"><a href=".././" id="bannerRight"><h1>$esc.xml( $banner.name )</h1> -</a></div> + <div class="pull-left"><a href="https://www.apache.org/" id="bannerLeft"><img src="../images/apache-maven-project.png" alt="Apache Maven Site" style="" /></a></div> + <div class="pull-right"><a href=".././" id="bannerRight"><img src="../images/maven-logo-black-on-white.png" alt="" style="" /></a></div> <div class="clear"><hr/></div> </div> 
@@ -48,9 +46,8 @@ <ul class="breadcrumb"> <li><a href="https://www.apache.org/" class="externalLink" title="Apache">Apache</a><span class="divider">/</span></li> <li><a href="../index.html" title="Maven">Maven</a><span class="divider">/</span></li> - - <li class="active ">Maven <a href="https://github.com/apache/maven-site/tree/master/content/markdown/repository/layout.md"><img src="../images/accessories-text-editor.png" title="Edit" /></a></li> - <li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2024-05-11</li> + <li class="active ">Maven2 Repository Layout <a href="https://github.com/apache/maven-site/tree/master/content/markdown/repository/layout.md"><img src="../images/accessories-text-editor.png" title="Edit" /></a></li> + <li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2024-05-12</li> <li class="pull-right"><span class="divider">|</span> <a href="../scm.html" title="Get Sources">Get Sources</a></li> <li class="pull-right"><a href="../download.cgi" title="Download">Download</a></li> 
@@ -144,7 +141,116 @@ </div> </header> <main id="bodyColumn" class="span10" > -<section> +<section><section> +<h2>Maven2 Repository Layout</h2><!-- +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +--> + +<p>Maven2 repository layout format is the default layout used since Maven 2 (see <a href="https://cwiki.apache.org/confluence/display/MAVENOLD/Repository+Layout+-+Final" class="externalLink">Repository Layout- Final</a> in <a href="https://cwiki.apache.org/confluence/display/MAVENOLD/Maven+2.0+Design+Documents" class="externalLink">Maven 2.0 Design Documents</a>), superceding old Maven 1 layout:</p> + +<div class="verbatim"> +<pre><code>Repository root +|-- archetype-catalog.xml +`-- ${groupId as directory}/ + |-- maven-metadata.xml + |-- .${checksums} + `-- ${artifactId}/ + |-- maven-metadata.xml + |-- .${checksums} + `-- ${version}/ + |-- ${artifactId}-${version}.pom + |-- .asc + |-- .${checksums} + |-- ${artifactId}-${version}.${extension} + |-- .asc + |-- .${checksums} + |-- ${artifactId}-${version}-${classifier}.${extension} + |-- .asc + `-- .${checksums} +</code></pre></div> +<p>where:</p> +<ul> + +<li><code>${groupId as directory}</code> is the groupId with <code>.</code> replaced by <code>/</code>, for example <code>org/apache/maven</code>,</li> 
+<li><code>${artifactId}</code> is the artifactId,</li> +<li><code>${version}</code> is the version, with some additional possibilities on a SNAPSHOT, see SNAPSHOT paragraph,</li> +<li><code>${extension}</code> is the file extension, for example <code>zip</code> or <code>tar.gz</code>,</li> +<li><code>${classifier}</code> is the artifact classifier (when available),</li> +<li><code>${checksums}</code> is a list of checksums algorithms, <code>md5</code> and <code>sha1</code> by default.</li> +</ul> +<p><code>maven-metadata.xml</code> file format is defined in <a href="/ref/current/maven-repository-metadata/">Maven Repository Metadata Model</a>.</p> +<p><code>.asc</code> file is optional (may be required in some repositories, like Central Repository) and is a PGP detached signature file.</p> +<p>Obviously, <code>${groupId}</code>, <code>${artifactId}</code> and <code>${version}</code> are defined in <code>pom.xml</code>. But what about <code>${classifier}</code> and <code>${extension}</code>, how are they defined?</p> +<p>Classifier and extension definition is completely different at artifact <em>publication</em> and <em>usage</em> times:</p> +<ul> + +<li> +<p><strong>At artifact publication time</strong>: Extension and classifier are defined by plugins that create the artifacts and attach them for publication.<br /> +Some plugins provide configuration parameters to be able to override default values. +For example, <a href="/plugins/maven-jar-plugin/jar-mojo.html">Maven JAR Plugin's <code>jar:jar</code> goal</a> produces by default an artifact with <code>jar</code> extension and empty classifier. 
+The <code>classifier</code> goal parameter can be used to define a classifier (there is no parameter to override extension).</p></li> +<li> +<p><strong>At artifact usage time</strong>: Extension and classifier are defined by <a href="/ref/current/maven-model/maven.html#class_dependency"><code><dependency></code>'s <code><type></code> and <code><classifier></code></a> definition in <code>pom.xml</code>:</p> +<ul> + +<li><code><type></code> (<code>jar</code> by default) defines the extension and default classifier: <br /> +see <a href="/ref/current/maven-core/artifact-handlers.html">default artifact handlers</a> to see default types and corresponding extension and default classifier. <br /></li> +<li><code><classifier></code> is optional, to override default classifier defined by the dependency type.</li> +</ul></li> +</ul></section><section> +<h2>SNAPSHOT</h2> +<p>In case of a SNAPSHOT version, version directory uses base version, i.e. version ending in <code>-SNAPSHOT</code>, for example <code>3.8.4-SNAPSHOT</code>.</p> +<p>For artifact files, there are 2 options available:</p> +<ol style="list-style-type: decimal"> + +<li>unique SNAPSHOT artifacts, using the same base version,</li> +<li>multiple SNAPSHOT artifacts for one base version, each deployment will have an effective version where <code>SNAPSHOT</code> is replaced with <code>YYYYMMDD.HHMMSS-${counter}</code>.</li> +</ol></section><section> +<h2>Protocol</h2> +<p>Repository can be accessed through many file-oriented protocols, both for read and write: most classical are <code>file://</code>, <code>http://</code> and <code>https://</code> (<code>GET</code> and <code>PUT</code>). 
+Older (now generally unused) protocols are FTP(S), SCP, SSH, …</p> +<p>HTTP/HTTPS protocol have 2 specific characteristics:</p> +<ol style="list-style-type: decimal"> + +<li> +<p>there is no directory listing feature: Maven does not need to list files in a directory, a remote directory does have not provide any directory listing feature,</p></li> +<li> +<p><a href="https://www.w3.org/Protocols/rfc2616/rfc2616-sec6.html" class="externalLink">HTTP/1.1 Reason-Phrase</a> is used to provide extended message when artifact access is rejected by remote repository. +This usage of Reason-Phrase is nowadays legacy and is removed in HTTP/2, <a href="https://issues.apache.org/jira/browse/MNG-6795" class="externalLink">MNG-6795</a> is open to create a replacement.</p></li> +</ol></section><section> +<h2>Archetype Catalog</h2> +<p><code>archetype-catalog.xml</code> file at root directory is a <a href="/archetype/archetype-models/archetype-catalog/archetype-catalog.html">catalog of all Maven Archetypes</a> proposed in the repository.</p></section><section> +<h2>Additional Content</h2><section> +<h3>Index</h3> +<p><a href="https://repo.maven.apache.org/maven2/.index/" class="externalLink"><code>.index</code></a> directory at root directory is an <a href="/maven-indexer/indexer-core/">index</a> of the content, done by <a href="/maven-indexer/">Maven Indexer</a>.</p> +<p>If contains index files in 2 flavours:</p> +<ul> + +<li>full index: <code>nexus-maven-repository-index.gz</code></li> +<li>incremental index: <code>nexus-maven-repository-index.<n>.gz</code> + <code>nexus-maven-repository-index.properties</code></li> +</ul></section><section> +<h3>Metadata</h3> +<p><a href="https://repo.maven.apache.org/maven2/.meta/" class="externalLink"><code>.meta</code></a> directory at root directory contains a few metadata files:</p> +<ul> + +<li><code>prefixes.txt</code></li> +<li><code>repository-metadata.xml</code></li> +</ul></section></section></section> </main> </div> </div> Modified: 
maven/website/content/resource/branding/actioncards.html ============================================================================== --- maven/website/content/resource/branding/actioncards.html (original) +++ maven/website/content/resource/branding/actioncards.html Sun May 12 07:42:36 2024 @@ -2,15 +2,15 @@ <!-- - | Generated by Apache Maven Doxia Site Renderer 2.0.0-M18 from content/markdown/resource/branding/actioncards.md at 2024-05-11 + | Generated by Apache Maven Doxia Site Renderer 2.0.0-M10 from content/markdown/resource/branding/actioncards.md at 2024-05-12 | Rendered using Apache Maven Fluido Skin 2.0.0-M6 --> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> - <meta name="generator" content="Apache Maven Doxia Site Renderer 2.0.0-M18" /> - <title>Maven</title> + <meta name="generator" content="Apache Maven Doxia Site Renderer 2.0.0-M10" /> + <title>Maven â Action Cards</title> <link rel="stylesheet" href="../../css/apache-maven-fluido-2.0.0-M6.min.css" /> <link rel="stylesheet" href="../../css/site.css" /> <link rel="stylesheet" href="../../css/print.css" media="print" /> @@ -37,10 +37,8 @@ <div class="container-fluid"> <header> <div id="banner"> - <div class="pull-left"><a href="https://www.apache.org/" id="bannerLeft"><h1>Apache Maven Site</h1> -</a></div> - <div class="pull-right"><a href="../.././" id="bannerRight"><h1>$esc.xml( $banner.name )</h1> -</a></div> + <div class="pull-left"><a href="https://www.apache.org/" id="bannerLeft"><img src="../../images/apache-maven-project.png" alt="Apache Maven Site" style="" /></a></div> + <div class="pull-right"><a href="../.././" id="bannerRight"><img src="../../images/maven-logo-black-on-white.png" alt="" style="" /></a></div> <div class="clear"><hr/></div> </div> 
@@ -48,9 +46,8 @@ <ul class="breadcrumb"> <li><a href="https://www.apache.org/" class="externalLink" title="Apache">Apache</a><span class="divider">/</span></li> <li><a href="../../index.html" title="Maven">Maven</a><span class="divider">/</span></li> - - <li class="active ">Maven <a href="https://github.com/apache/maven-site/tree/master/content/markdown/resource/branding/actioncards.md"><img src="../../images/accessories-text-editor.png" title="Edit" /></a></li> - <li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2024-05-11</li> + <li class="active ">Action Cards <a href="https://github.com/apache/maven-site/tree/master/content/markdown/resource/branding/actioncards.md"><img src="../../images/accessories-text-editor.png" title="Edit" /></a></li> + <li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2024-05-12</li> <li class="pull-right"><span class="divider">|</span> <a href="../../scm.html" title="Get Sources">Get Sources</a></li> <li class="pull-right"><a href="../../download.cgi" title="Download">Download</a></li> @@ -129,7 +126,7 @@ </div> </header> <main id="bodyColumn" class="span10" > -<section><a id="Action_Cards"></a> +<section> <h1>Action Cards</h1><!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file Modified: maven/website/content/run-maven/index.html ============================================================================== --- maven/website/content/run-maven/index.html (original) +++ maven/website/content/run-maven/index.html Sun May 12 07:42:36 2024 
@@ -2,17 +2,17 @@ <!-- - | Generated by Apache Maven Doxia Site Renderer 2.0.0-M18 from content/apt/run-maven/index.apt at 2024-05-11 + | Generated by Apache Maven Doxia Site Renderer 2.0.0-M10 from content/apt/run-maven/index.apt at 2024-05-12 | Rendered using Apache Maven Fluido Skin 2.0.0-M6 --> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> - <meta name="generator" content="Apache Maven Doxia Site Renderer 2.0.0-M18" /> + <meta name="generator" content="Apache Maven Doxia Site Renderer 2.0.0-M10" /> <meta name="author" content="Brett Porter" /> <meta name="date" content="2006-11-03" /> - <title>Maven</title> + <title>Maven â Running Maven</title> <link rel="stylesheet" href="../css/apache-maven-fluido-2.0.0-M6.min.css" /> <link rel="stylesheet" href="../css/site.css" /> <link rel="stylesheet" href="../css/print.css" media="print" /> @@ -39,10 +39,8 @@ <div class="container-fluid"> <header> <div id="banner"> - <div class="pull-left"><a href="https://www.apache.org/" id="bannerLeft"><h1>Apache Maven Site</h1> -</a></div> - <div class="pull-right"><a href=".././" id="bannerRight"><h1>$esc.xml( $banner.name )</h1> -</a></div> + <div class="pull-left"><a href="https://www.apache.org/" id="bannerLeft"><img src="../images/apache-maven-project.png" alt="Apache Maven Site" style="" /></a></div> + <div class="pull-right"><a href=".././" id="bannerRight"><img src="../images/maven-logo-black-on-white.png" alt="" style="" /></a></div> <div class="clear"><hr/></div> </div> 
@@ -50,9 +48,8 @@ <ul class="breadcrumb"> <li><a href="https://www.apache.org/" class="externalLink" title="Apache">Apache</a><span class="divider">/</span></li> <li><a href="../index.html" title="Maven">Maven</a><span class="divider">/</span></li> - - <li class="active ">Maven <a href="https://github.com/apache/maven-site/tree/master/content/apt/run-maven/index.apt"><img src="../images/accessories-text-editor.png" title="Edit" /></a></li> - <li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2024-05-11</li> + <li class="active ">Running Maven <a href="https://github.com/apache/maven-site/tree/master/content/apt/run-maven/index.apt"><img src="../images/accessories-text-editor.png" title="Edit" /></a></li> + <li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2024-05-12</li> <li class="pull-right"><span class="divider">|</span> <a href="../scm.html" title="Get Sources">Get Sources</a></li> <li class="pull-right"><a href="../download.cgi" title="Download">Download</a></li> 
@@ -146,20 +143,22 @@ </div> </header> <main id="bodyColumn" class="span10" > -<section><a id="Building_a_Project_with_Maven"></a> +<section> <h1>Building a Project with Maven</h1> <p>The vast majority of Maven-built projects can be built with the following command:</p> -<pre>mvn verify</pre> +<div class="verbatim"> +<pre>mvn verify</pre></div> <p>This command tells Maven to build all the modules, and to check if all integration tests succeeded (when any was defined)</p> <p>That's it! If you look in the <code>target</code> subdirectory, you should find the build output and the final library or application that was being built.</p> <p><b>Note:</b> Some projects have multiple modules, so the library or application you are looking for may be in a module subdirectory.</p> -<p>While this will build most projects and Maven encourages this standard convention, builds can be customisable. If this does not suffice, please consult the project's documentation.</p><section><a id="More_than_just_the_Build"></a> +<p>While this will build most projects and Maven encourages this standard convention, builds can be customisable. 
If this does not suffice, please consult the project's documentation.</p><section> <h2>More than just the Build</h2> -<p>Maven can do more than just build software - it can assist with testing, run web applications and produce reports on projects, as well as any number of other tasks provided by plug-ins.</p></section><section><a id="When_Things_go_Wrong"></a> +<p>Maven can do more than just build software - it can assist with testing, run web applications and produce reports on projects, as well as any number of other tasks provided by plug-ins.</p></section><section> <h2>When Things go Wrong</h2> -<p>The following are some common problems when building with Maven, and how to resolve them.</p><section><a id="Missing_Dependencies"></a> +<p>The following are some common problems when building with Maven, and how to resolve them.</p><section> <h3>Missing Dependencies</h3> <p>A missing dependency presents with an error like the following:</p> +<div class="verbatim"> <pre>[INFO] Failed to resolve artifact. Missing: 
@@ -183,10 +182,10 @@ for artifact: org.apache.maven:maven:pom:2.1-SNAPSHOT from the specified remote repositories: - central (https://repo.maven.apache.org/maven2)</pre> + central (https://repo.maven.apache.org/maven2)</pre></div> <p>To resolve this issue, it depends on what the dependency is and why it is missing. The most common cause is because it can not be redistributed from the repository and must be manually installed using the instructions given in the message. This is most common with some older JARs from Sun (usually <code>javax.*</code> group IDs), and is further documented in the <a href="../guides/mini/guide-coping-with-sun-jars.html"> Guide to Coping with Sun JARs</a>.</p> <p>You can check the list of repositories at the end of the error to ensure that the expected ones are listed - it may be that the project requires an alternative repository that has not been declared properly or is not accessible with your Maven configuration.</p> -<p>In other cases, it may be an incorrectly declared dependency (like the typo in the example above) which the project would need to fix, like a compilation error.</p></section><section><a id="Inconsistent_output"></a> +<p>In other cases, it may be an incorrectly declared dependency (like the typo in the example above) which the project would need to fix, like a compilation error.</p></section><section> <h3>Inconsistent output</h3> <p>Most plugins are optimized to know if they have to execute their task. In some cases, the output can be polluted from a previous build and the end result is not what you expected. In such rare situations, you can call the <code>clean</code> phase which means: remove the output directory. 
You can also call it as <code>mvn clean verify</code> which means: first clean up the output directory, next build the project and verify the outcome.</p></section></section></section> </main> Modified: maven/website/content/run.html ============================================================================== --- maven/website/content/run.html (original) +++ maven/website/content/run.html Sun May 12 07:42:36 2024 @@ -2,15 +2,15 @@ <!-- - | Generated by Apache Maven Doxia Site Renderer 2.0.0-M18 from content/markdown/run.md at 2024-05-11 + | Generated by Apache Maven Doxia Site Renderer 2.0.0-M10 from content/markdown/run.md at 2024-05-12 | Rendered using Apache Maven Fluido Skin 2.0.0-M6 --> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> - <meta name="generator" content="Apache Maven Doxia Site Renderer 2.0.0-M18" /> - <title>Maven</title> + <meta name="generator" content="Apache Maven Doxia Site Renderer 2.0.0-M10" /> + <title>Maven â Running Apache Maven</title> <link rel="stylesheet" href="./css/apache-maven-fluido-2.0.0-M6.min.css" /> <link rel="stylesheet" href="./css/site.css" /> <link rel="stylesheet" href="./css/print.css" media="print" /> @@ -37,10 +37,8 @@ <div class="container-fluid"> <header> <div id="banner"> - <div class="pull-left"><a href="https://www.apache.org/" id="bannerLeft"><h1>Apache Maven Site</h1> -</a></div> - <div class="pull-right"><a href="./" id="bannerRight"><h1>$esc.xml( $banner.name )</h1> -</a></div> + <div class="pull-left"><a href="https://www.apache.org/" id="bannerLeft"><img src="images/apache-maven-project.png" alt="Apache Maven Site" style="" /></a></div> + <div class="pull-right"><a href="./" id="bannerRight"><img src="images/maven-logo-black-on-white.png" alt="" style="" /></a></div> <div class="clear"><hr/></div> </div> 
@@ -48,9 +46,8 @@ <ul class="breadcrumb"> <li><a href="https://www.apache.org/" class="externalLink" title="Apache">Apache</a><span class="divider">/</span></li> <li><a href="index.html" title="Maven">Maven</a><span class="divider">/</span></li> - - <li class="active ">Maven <a href="https://github.com/apache/maven-site/tree/master/content/markdown/run.md"><img src="./images/accessories-text-editor.png" title="Edit" /></a></li> - <li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2024-05-11</li> + <li class="active ">Running Apache Maven <a href="https://github.com/apache/maven-site/tree/master/content/markdown/run.md"><img src="./images/accessories-text-editor.png" title="Edit" /></a></li> + <li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2024-05-12</li> <li class="pull-right"><span class="divider">|</span> <a href="scm.html" title="Get Sources">Get Sources</a></li> <li class="pull-right"><a href="download.cgi" title="Download">Download</a></li> @@ -136,7 +133,7 @@ </div> </header> <main id="bodyColumn" class="span10" > -<section><a id="Running_Apache_Maven"></a> +<section> <h1>Running Apache Maven</h1><!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file @@ -158,16 +155,19 @@ under the License. <p>The syntax for running Maven is as follows:</p> +<div class="verbatim"> <pre><code>mvn [options] [<goal(s)>] [<phase(s)>] -</code></pre> +</code></pre></div> <p>All available options are documented in the built-in help that you can access with</p> +<div class="verbatim"> <pre><code>mvn -h -</code></pre> +</code></pre></div> <p>The typical invocation for building a Maven project uses a Maven lifecycle phase. E.g.</p> +<div class="verbatim"> <pre><code>mvn verify -</code></pre> +</code></pre></div> <p>The built-in lifecycles and their most used phases, in order, are:</p> <ul> 
@@ -181,27 +181,32 @@ under the License. <p>A fresh build of a project generating all packaged outputs and the documentation site and deploying it to a repository manager could be done with</p> +<div class="verbatim"> <pre><code>mvn clean deploy site-deploy -</code></pre> +</code></pre></div> <p>Just creating the package and installing it in the local repository for re-use from other projects can be done with</p> +<div class="verbatim"> <pre><code>mvn install -</code></pre> +</code></pre></div> <p>And if you don't expect to re-use from other projects, use</p> +<div class="verbatim"> <pre><code>mvn verify -</code></pre> +</code></pre></div> <p>This is the most common build invocation for a Maven project.</p> <p>When not working with a project, and in some other use cases, you might want to invoke a specific task implemented by a part of Maven - this is called a <strong>goal</strong> of a plugin. E.g.:</p> +<div class="verbatim"> <pre><code>mvn archetype:generate -</code></pre> +</code></pre></div> <p>or</p> +<div class="verbatim"> <pre><code>mvn checkstyle:check -</code></pre> +</code></pre></div> <p>There are many different <a href="/plugins/">plugins available</a> and they all implement different goals.</p> <p>Further resources:</p> <ul> Modified: maven/website/content/scm.html ============================================================================== --- maven/website/content/scm.html (original) +++ maven/website/content/scm.html Sun May 12 07:42:36 2024 
@@ -2,16 +2,16 @@ <!-- - | Generated by Apache Maven Doxia Site Renderer 2.0.0-M18 from content/xdoc/scm.xml at 2024-05-11 + | Generated by Apache Maven Doxia Site Renderer 2.0.0-M10 from content/xdoc/scm.xml at 2024-05-12 | Rendered using Apache Maven Fluido Skin 2.0.0-M6 --> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> - <meta name="generator" content="Apache Maven Doxia Site Renderer 2.0.0-M18" /> + <meta name="generator" content="Apache Maven Doxia Site Renderer 2.0.0-M10" /> <meta name="author" content="Benjamin Bentmann" /> - <title>Maven</title> + <title>Maven â Source Repository</title> <link rel="stylesheet" href="./css/apache-maven-fluido-2.0.0-M6.min.css" /> <link rel="stylesheet" href="./css/site.css" /> <link rel="stylesheet" href="./css/print.css" media="print" /> @@ -38,10 +38,8 @@ <div class="container-fluid"> <header> <div id="banner"> - <div class="pull-left"><a href="https://www.apache.org/" id="bannerLeft"><h1>Apache Maven Site</h1> -</a></div> - <div class="pull-right"><a href="./" id="bannerRight"><h1>$esc.xml( $banner.name )</h1> -</a></div> + <div class="pull-left"><a href="https://www.apache.org/" id="bannerLeft"><img src="images/apache-maven-project.png" alt="Apache Maven Site" style="" /></a></div> + <div class="pull-right"><a href="./" id="bannerRight"><img src="images/maven-logo-black-on-white.png" alt="" style="" /></a></div> <div class="clear"><hr/></div> </div> 
@@ -49,9 +47,8 @@ <ul class="breadcrumb"> <li><a href="https://www.apache.org/" class="externalLink" title="Apache">Apache</a><span class="divider">/</span></li> <li><a href="index.html" title="Maven">Maven</a><span class="divider">/</span></li> - - <li class="active ">Maven <a href="https://github.com/apache/maven-site/tree/master/content/xdoc/scm.xml"><img src="./images/accessories-text-editor.png" title="Edit" /></a></li> - <li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2024-05-11</li> + <li class="active ">Source Repository <a href="https://github.com/apache/maven-site/tree/master/content/xdoc/scm.xml"><img src="./images/accessories-text-editor.png" title="Edit" /></a></li> + <li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2024-05-12</li> <li class="pull-right"><span class="divider">|</span> <a href="scm.html" title="Get Sources">Get Sources</a></li> <li class="pull-right"><a href="download.cgi" title="Download">Download</a></li> @@ -132,7 +129,7 @@ <main id="bodyColumn" class="span10" > - <section><a id="Source_Repository"></a> + <section> <h1>Source Repository</h1> <p> @@ -146,7 +143,7 @@ Instructions for using the Apache Software Foundation Git repositories are at <a href="https://git-wip-us.apache.org/" class="externalLink">https://git-wip-us.apache.org</a>. </p> - <section><a id="Full_Maven_Sources"></a> + <section> <h2>Full Maven Sources</h2> <p> 
@@ -171,23 +168,24 @@ </table> -<ol style="list-style-type: decimal;"> +<ol style="list-style-type: decimal"> <li>Install a git client if needed and the <a href="https://android.googlesource.com/tools/repo" class="externalLink">Google Repo</a> tool (see <a href="https://source.android.com/setup/build/downloading#installing-repo" class="externalLink">manual install instructions</a>).</li> <li>Check out a new repo workspace and prepare master branch: +<div class="verbatim"> <pre>repo init -u https://gitbox.apache.org/repos/asf/maven-sources.git repo sync -repo start master --all</pre> +repo start master --all</pre></div> </li> <li>In your IDE, import the projects you're interested in from the repo workspace. Or directly build with command line the component you want.</li> </ol> </section> - <section><a id="Maven_Sources_Overview"></a> + <section> <h2>Maven Sources Overview</h2> <p> @@ -225,7 +223,7 @@ repo start master --all</pre> </p> </section> - <section><a id="Maven_Site"></a> + <section> <h2>Maven Site</h2> <p> @@ -247,7 +245,7 @@ repo start master --all</pre> </section> - <section><a id="Maven_Core"></a> + <section> <h2>Maven Core</h2> <p> @@ -281,7 +279,7 @@ repo start master --all</pre> </section> - <section><a id="Other_Components"></a> + <section> <h2>Other Components</h2> <p> @@ -293,7 +291,7 @@ repo start master --all</pre> There are also many shared components and subsystems with their own source repositories, mainly in Git, some in Subversion. </p> - <section><a id="Components_in_Git"></a><section><a id="Components_in_Git"></a> + <section><section> <h4>Components in Git</h4> <p> 
@@ -1280,7 +1278,7 @@ repo start master --all</pre> </table> - + </section><section> <h4>Components in Subversion</h4> <p> Modified: maven/website/content/security-plexus-archiver.html ============================================================================== --- maven/website/content/security-plexus-archiver.html (original) +++ maven/website/content/security-plexus-archiver.html Sun May 12 07:42:36 2024 @@ -2,15 +2,15 @@ <!-- - | Generated by Apache Maven Doxia Site Renderer 2.0.0-M18 from content/markdown/security-plexus-archiver.md at 2024-05-11 + | Generated by Apache Maven Doxia Site Renderer 2.0.0-M10 from content/markdown/security-plexus-archiver.md at 2024-05-12 | Rendered using Apache Maven Fluido Skin 2.0.0-M6 --> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> - <meta name="generator" content="Apache Maven Doxia Site Renderer 2.0.0-M18" /> - <title>Maven</title> + <meta name="generator" content="Apache Maven Doxia Site Renderer 2.0.0-M10" /> + <title>Maven â Zip Slip Vulnerability</title> <link rel="stylesheet" href="./css/apache-maven-fluido-2.0.0-M6.min.css" /> <link rel="stylesheet" href="./css/site.css" /> <link rel="stylesheet" href="./css/print.css" media="print" /> @@ -37,10 +37,8 @@ <div class="container-fluid"> <header> <div id="banner"> - <div class="pull-left"><a href="https://www.apache.org/" id="bannerLeft"><h1>Apache Maven Site</h1> -</a></div> - <div class="pull-right"><a href="./" id="bannerRight"><h1>$esc.xml( $banner.name )</h1> -</a></div> + <div class="pull-left"><a href="https://www.apache.org/" id="bannerLeft"><img src="images/apache-maven-project.png" alt="Apache Maven Site" style="" /></a></div> + <div class="pull-right"><a href="./" id="bannerRight"><img src="images/maven-logo-black-on-white.png" alt="" style="" /></a></div> <div class="clear"><hr/></div> </div> 
@@ -48,9 +46,8 @@ <ul class="breadcrumb"> <li><a href="https://www.apache.org/" class="externalLink" title="Apache">Apache</a><span class="divider">/</span></li> <li><a href="index.html" title="Maven">Maven</a><span class="divider">/</span></li> - - <li class="active ">Maven <a href="https://github.com/apache/maven-site/tree/master/content/markdown/security-plexus-archiver.md"><img src="./images/accessories-text-editor.png" title="Edit" /></a></li> - <li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2024-05-11</li> + <li class="active ">Zip Slip Vulnerability <a href="https://github.com/apache/maven-site/tree/master/content/markdown/security-plexus-archiver.md"><img src="./images/accessories-text-editor.png" title="Edit" /></a></li> + <li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2024-05-12</li> <li class="pull-right"><span class="divider">|</span> <a href="scm.html" title="Get Sources">Get Sources</a></li> <li class="pull-right"><a href="download.cgi" title="Download">Download</a></li> @@ -129,7 +126,7 @@ </div> </header> <main id="bodyColumn" class="span10" > -<section><a id="Zip_Slip_Vulnerability"></a> +<section> <h1>Zip Slip Vulnerability</h1><!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file 
@@ -161,7 +158,7 @@ did not make sufficient checks and it is packaging plugins. Affected versions of plexus-archiver are [,3.4]+[3.5], fixed versions are 3.4.1 & 3.6.0, with issue management <a href="https://github.com/codehaus-plexus/plexus-archiver/pull/87" class="externalLink">plexus-archiver #87</a> and -Snyk vulnerability report <a href="https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680" class="externalLink">SNYK-JAVA-ORGCODEHAUSPLEXUS-31680</a></p><section><a id="What_parts_of_Maven_are_vulnerable.3F"></a> +Snyk vulnerability report <a href="https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680" class="externalLink">SNYK-JAVA-ORGCODEHAUSPLEXUS-31680</a></p><section> <h2>What parts of Maven are vulnerable?</h2> <p>Apache Maven itself is not vulnerable, since Maven doesn't unpack by itself: unpacking actions are done by plugins.</p> @@ -314,7 +311,7 @@ which versions contain the fixed and the <li>maven-repository-plugin</li> <li>maven-site-plugin</li> <li>maven-source-plugin</li> -</ul></section><section><a id="When_are_you_affected_by_this_vulnerability.3F"></a> +</ul></section><section> <h2>When are you affected by this vulnerability?</h2> <p>The vulnerability is like a Trojan Horse, the malicious archive must first enter the system, normally achieved with a downloaded of a dependency. Once downloaded there's no direct danger, the user must take some specific Modified: maven/website/content/security.html ============================================================================== --- maven/website/content/security.html (original) +++ maven/website/content/security.html Sun May 12 07:42:36 2024 
@@ -2,15 +2,15 @@ <!-- - | Generated by Apache Maven Doxia Site Renderer 2.0.0-M18 from content/markdown/security.md at 2024-05-11 + | Generated by Apache Maven Doxia Site Renderer 2.0.0-M10 from content/markdown/security.md at 2024-05-12 | Rendered using Apache Maven Fluido Skin 2.0.0-M6 --> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta charset="UTF-8" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> - <meta name="generator" content="Apache Maven Doxia Site Renderer 2.0.0-M18" /> - <title>Maven</title> + <meta name="generator" content="Apache Maven Doxia Site Renderer 2.0.0-M10" /> + <title>Maven â Maven Security</title> <link rel="stylesheet" href="./css/apache-maven-fluido-2.0.0-M6.min.css" /> <link rel="stylesheet" href="./css/site.css" /> <link rel="stylesheet" href="./css/print.css" media="print" /> @@ -37,10 +37,8 @@ <div class="container-fluid"> <header> <div id="banner"> - <div class="pull-left"><a href="https://www.apache.org/" id="bannerLeft"><h1>Apache Maven Site</h1> -</a></div> - <div class="pull-right"><a href="./" id="bannerRight"><h1>$esc.xml( $banner.name )</h1> -</a></div> + <div class="pull-left"><a href="https://www.apache.org/" id="bannerLeft"><img src="images/apache-maven-project.png" alt="Apache Maven Site" style="" /></a></div> + <div class="pull-right"><a href="./" id="bannerRight"><img src="images/maven-logo-black-on-white.png" alt="" style="" /></a></div> <div class="clear"><hr/></div> </div> 
@@ -48,9 +46,8 @@ <ul class="breadcrumb"> <li><a href="https://www.apache.org/" class="externalLink" title="Apache">Apache</a><span class="divider">/</span></li> <li><a href="index.html" title="Maven">Maven</a><span class="divider">/</span></li> - - <li class="active ">Maven <a href="https://github.com/apache/maven-site/tree/master/content/markdown/security.md"><img src="./images/accessories-text-editor.png" title="Edit" /></a></li> - <li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2024-05-11</li> + <li class="active ">Maven Security <a href="https://github.com/apache/maven-site/tree/master/content/markdown/security.md"><img src="./images/accessories-text-editor.png" title="Edit" /></a></li> + <li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2024-05-12</li> <li class="pull-right"><span class="divider">|</span> <a href="scm.html" title="Get Sources">Get Sources</a></li> <li class="pull-right"><a href="download.cgi" title="Download">Download</a></li> 
@@ -129,7 +126,116 @@ </div> </header> <main id="bodyColumn" class="span10" > +<section><section> +<h2>Maven Security</h2><!-- +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +--> <section> +<h3>Security Model</h3> +<p>The purpose of Maven is to perform the actions defined in the supplied +<code>pom.xml</code>, which commonly includes compiling and running the associated +code and using plugins and dependencies downloaded from the configured +repositories.</p> +<p>As such, the Maven security model assumes you trust the <code>pom.xml</code> and +the code, dependencies and repositories that are used in your build. +If you want to use Maven to build untrusted code, it is up to you to +provide the required isolation.</p></section><section> +<h3>Security Vulnerabilities</h3> +<p>Please note that binary patches are not produced for individual +vulnerabilities. 
To obtain the binary fix for a particular vulnerability +you should upgrade to an Apache Maven version where that vulnerability +has been fixed.</p> +<p>For more information about reporting vulnerabilities, see the <a href="https://www.apache.org/security/" class="externalLink">Apache +Security Team</a> page.</p><section> +<h4>CVE-2021-26291 Apache Maven 3.8.1</h4> +<p>Severity: Medium</p> +<p>Vendor: The Apache Software Foundation</p> +<p>Versions Affected:</p> +<ul> + +<li>Apache Maven 3.6.3 and earlier</li> +</ul> +<p>Description: More and more repositories use HTTPS nowadays, but this hasn't always been the case. This means that Maven Central contains POMs with custom repositories that refer to a URL over HTTP. +This makes downloads via such repository a target for a MITM attack. +At the same time, developers are probably not aware that for some downloads an insecure URL is being used. +Because uploaded POMs to Maven Central are immutable, a change for Maven was required. +To solve this, we extended the mirror configuration with <code><blocked></code> parameter, +and we added a new <code>external:http:*</code> mirror selector (like existing <code>external:*</code>), meaning “any external URL using HTTP”.<br /> +The decision was made to block such external HTTP repositories by default: this is done by providing a mirror in the <code>conf/settings.xml</code> blocking insecure HTTP external URLs. 
+Note: this is a vulnerability in case you're connectioning directly to remote repositories instead of using an artifact repository manager.</p></section><section> +<h4>Maven Dependency, EAR, Javadoc, WAR and Plugin Plugins</h4> +<p>Severity: Low</p> +<p>Vendor: The Apache Software Foundation</p> +<p>Versions Affected:</p> +<ul> + +<li>Maven Dependency Plugin 3.1.0 and earlier</li> +<li>Maven EAR Plugin 3.0.0 and earlier</li> +<li>Maven Javadoc Plugin 2.5 to 3.0.0</li> +<li>Maven WAR Plugin 2.1-alpha-1 to 3.2.0</li> +<li>Maven Plugin Plugin 3.0 to 3.5.1</li> +</ul> +<p>Description: As part of a broader research, the Snyk Security Research Team discovered +an arbitrary file write generic vulnerability, that can be achieved using a +specially crafted zip (or bzip2, gzip, tar, xz, war) archive, that holds +path traversal filenames. So when the filename gets concatenated to the +target extraction directory, if the extraction tool used does not make +sufficient checks, the final path ends up outside of the target directory. +The affected plugins use plexus-archiver to unpack dependencies to disk +and have been identified as potential triggers for exposing the vulnerability +if dependencies are compromised.</p> +<p>See <a href="./security-plexus-archiver.html">full description</a> for more details.</p> +<p>Credit: This issue was identified by the Snyk Security Research Team</p></section><section> +<h4>CVE-2013-0253 Apache Maven 3.0.4</h4> +<p>Severity: Medium</p> +<p>Vendor: The Apache Software Foundation</p> +<p>Versions Affected:</p> +<ul> + +<li>Apache Maven 3.0.4</li> +<li>Apache Maven Wagon 2.1, 2.2, 2.3</li> +</ul> +<p>Description: Apache Maven 3.0.4 (with Apache Maven Wagon 2.1) has +introduced a non-secure SSL mode by default. This mode disables all SSL +certificate checking, including: host name verification , date validity, +and certificate chain. 
Not validating the certificate introduces the +possibility of a man-in-the-middle attack.</p> +<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0253" class="externalLink">CVE-2013-0253</a></p> +<p>All users are recommended to upgrade to <a href="./download.cgi">Apache Maven +3.0.5</a> and Apache Maven Wagon 2.4.</p> +<p>Credit: This issue was identified by Graham Leggett</p></section><section> +<h4>CVE-2012-6153 Apache Maven Wagon :: WebDAV Provider</h4> +<p>Severity: Medium</p> +<p>Vendor: The Apache Software Foundation</p> +<p>Versions Affected:</p> +<ul> + +<li>Apache Maven Wagon WebDAV Provider 2.12 and earlier</li> +</ul> +<p>Description: http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient +before 4.2.3 does not properly verify that the server hostname matches a +domain name in the subject's Common Name (CN) or subjectAltName field of the +X.509 certificate, which allows man-in-the-middle attackers to spoof SSL +servers via a certificate with a subject that specifies a common name in a +field that is not the CN field.</p> +<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153" class="externalLink">CVE-2012-6153</a></p> +<p>Users of this provider are recommended to upgrade to <a href="./download.cgi">Apache Maven Wagon :: +WebDAV Provider 3.0.0</a></p></section></section></section></section> </main> </div> </div>
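Review bot: the first hunk of every file in this commit (run-maven/index.html, run.html, scm.html, security-plexus-archiver.html, security.html) moves the generator comment and `<meta name="generator">` from Doxia Site Renderer 2.0.0-M18 to 2.0.0-M10, which is a renderer downgrade that the visible commit text does not explain. The removed lines show what the M18 run published: a bare `<title>Maven</title>` and, in the banner hunks, an unexpanded `$esc.xml( $banner.name )`. Please record the reason for the rollback and pin the renderer version used for publishing, so a later run cannot pick up M18 again unnoticed. In the same hunks the new title reads `Maven â Running Maven` (and likewise for the other pages) while the page declares `<meta charset="UTF-8" />`; confirm the separator in the generated file is the intended dash encoded as valid UTF-8.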
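Review bot: the body hunks replace every `<section><a id="..."></a>` with a bare `<section>`, and no replacement id is visible on the headings, so fragment links into these pages would stop resolving. This matters most in security-plexus-archiver.html, where `What_parts_of_Maven_are_vulnerable.3F` and `When_are_you_affected_by_this_vulnerability.3F` are dropped, since advisories and issue trackers tend to deep-link to such sections; run-maven/index.html loses `Missing_Dependencies` and `Inconsistent_output`, and scm.html loses `Maven_Core`, `Other_Components` and the rest. Please check whether M10 emits these ids somewhere outside the hunks, and if not, keep the anchors or add redirects. The one removal that is an improvement is the duplicated `Components_in_Git` id in scm.html, which was invalid HTML, although the doubled `<section><section>` around it remains.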
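Review bot: in security.html, hunk `@@ -129,7 +126,116 @@` has seven old lines, all of them context, so the revision published on 2024-05-11 had an empty `<main>` with no security model and no CVE entries; the whole advisory page arrives here as `+` lines. A blank security page is worth a publish-time check: fail the site build if security.html lacks the "Security Vulnerabilities" heading or the CVE headings. On the restored content itself, which should be fixed in content/markdown/security.md rather than in the generated file: the page opens with `<section><section> <h2>Maven Security</h2>` and has no `<h1>`, unlike the other pages in this patch; the CVE-2021-26291 note contains the typo "connectioning" and the CVE-2013-0253 text has a stray space in "host name verification , date validity"; and the CVE-2021-26291 entry names 3.8.1 only in its heading, with no explicit upgrade recommendation like the ones given for CVE-2013-0253 and CVE-2012-6153.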