Hi, we are seeing that even with the latest maven-clean-plugin (currently
3.2.0) a plexus-utils-1.1.jar is being downloaded.
We think that it is a real issue but we wanted to check in case we are
overlooking something.

This is reproducible 100% with a simple setup shown below. [1]

In theory using 3.2.0 should resolve it as mentioned here:
https://stackoverflow.com/questions/71711729/java-maven-cve-2017-1000487-on-plexus-utils-2-0-4-jar-plexus-utils-3-0-10-jar

Executing the dependency:tree on 3.2.0 brings 3.3.0 but with provided
scope. [2]
Executing the dependency:tree on 3.1.0 brings 2.0.4 with compile scope. [3]

We couldn't determine where 1.1 comes from; Maven 3.8.6 ships with
lib/plexus-utils-3.3.1.jar.

Even declaring the plugin inside the pom.xml and executing
dependency:resolve-plugins doesn't show the 1.1 version. [4]

Who provides this plexus-utils 1.1?
Should I report it on Jira?

Thanks in advance
Martin

==============================

[1]:

settings.xml

<?xml version="1.0" encoding="UTF-8" standalone="no"?>

<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 https://maven.apache.org/xsd/settings-1.2.0.xsd">

</settings>


pom.xml

<?xml version="1.0" encoding="UTF-8"?>

<project xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>example-group</groupId>
    <artifactId>clean-bug-example</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>pom</packaging>
</project>


Maven 3.8.6:
mvn -X -s settings.xml -Dmaven.repo.local=repository
org.apache.maven.plugins:maven-clean-plugin:3.2.0:clean

==============================

[2]:
mvn -s settings.xml -Dmaven.repo.local=repository -f
./repository/org/apache/maven/plugins/maven-clean-plugin/3.2.0/maven-clean-plugin-3.2.0.pom
dependency:tree -Dincludes="*:plexus-utils:*"

[INFO] org.apache.maven.plugins:maven-clean-plugin:maven-plugin:3.2.0
[INFO] \- org.apache.maven:maven-compat:jar:3.2.5:test
[INFO]    \- org.codehaus.plexus:plexus-utils:jar:3.3.0:provided

==============================

[3]:
mvn -s settings.xml -Dmaven.repo.local=repository -f
./repository/org/apache/maven/plugins/maven-clean-plugin/3.1.0/maven-clean-plugin-3.1.0.pom
dependency:tree -Dincludes="*:plexus-utils:*"

[INFO] org.apache.maven.plugins:maven-clean-plugin:maven-plugin:3.1.0
[INFO] \- org.apache.maven:maven-compat:jar:3.0:test
[INFO]    \- org.codehaus.plexus:plexus-utils:jar:2.0.4:compile

==============================

[4]:
Add to pom.xml

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-clean-plugin</artifactId>
                <version>3.2.0</version>
            </plugin>
        </plugins>
    </build>

mvn --settings settings.xml -Dmaven.repo.local=repository
dependency:resolve-plugins

(full output redacted to show only plexus-utils)

[INFO] Plugin Resolved: maven-install-plugin-2.4.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-3.0.5.jar
[INFO] Plugin Resolved: maven-deploy-plugin-2.7.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-1.5.6.jar
[INFO] Plugin Resolved: maven-clean-plugin-3.2.0.jar
[INFO]     Plugin Dependency Resolved: maven-shared-utils-3.3.4.jar
[INFO] Plugin Resolved: maven-site-plugin-3.3.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-1.5.10.jar

==============================
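A diagnostic for the question the post leaves open (which POM in the local repository asks for plexus-utils 1.1), as an added Python example that is not from the thread or from Maven itself: it walks a local repository such as the `repository` directory used in the commands above and reports every POM declaring a dependency on org.codehaus.plexus:plexus-utils, with the scope and version each one requests. The sample repository it builds is constructed; a reported version of None means the POM leaves the version to a parent or dependencyManagement, so dependency:tree rather than the file is the authority for the effective version.

```python
# Added example (not from the thread or Maven): list every POM in a local repository that declares a dependency on one artifact.
import os
import tempfile
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"


def _text(el, tag):
    child = el.find(NS + tag)
    return child.text.strip() if child is not None and child.text else None


def find_dependents(repo_dir, group_id, artifact_id):
    """Sorted (pom path relative to repo_dir, scope, version) for each <dependency>
    on group_id:artifact_id. version is None when the POM omits it (a parent or
    dependencyManagement decides), so dependency:tree gives the effective one."""
    hits = []
    for root, _dirs, files in os.walk(repo_dir):
        for name in files:
            if not name.endswith(".pom"):
                continue
            path = os.path.join(root, name)
            try:
                doc = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # partial or corrupt download: skip, do not guess
            for dep in doc.iter(NS + "dependency"):
                if (_text(dep, "groupId"), _text(dep, "artifactId")) == (group_id, artifact_id):
                    rel = os.path.relpath(path, repo_dir).replace(os.sep, "/")
                    hits.append((rel, _text(dep, "scope") or "compile", _text(dep, "version")))
    return sorted(hits)


# Constructed sample POM; {extra} carries the dependency's version and/or scope.
POM = ('<project xmlns="http://maven.apache.org/POM/4.0.0"><modelVersion>4.0.0'
       "</modelVersion><groupId>example</groupId><artifactId>{art}</artifactId>"
       "<version>1</version><dependencies><dependency><groupId>org.codehaus.plexus"
       "</groupId><artifactId>plexus-utils</artifactId>{extra}</dependency>"
       "</dependencies></project>")


def build_sample_repo():
    """Constructed local repository: one POM pins plexus-utils 1.1 at compile
    scope, one leaves the version to dependencyManagement at provided scope."""
    repo = tempfile.mkdtemp(prefix="m2-")
    poms = {"example/old-plugin/1/old-plugin-1.pom": ("old-plugin", "<version>1.1</version>"),
            "example/managed/1/managed-1.pom": ("managed", "<scope>provided</scope>")}
    for rel, (art, extra) in poms.items():
        os.makedirs(os.path.dirname(os.path.join(repo, rel)), exist_ok=True)
        with open(os.path.join(repo, rel), "w") as fh:
            fh.write(POM.format(art=art, extra=extra))
    return repo
```

Run it against the real directory with `find_dependents("repository", "org.codehaus.plexus", "plexus-utils")`; the `-X` output of the original command shows the same download in chronological order, which tells you which plugin resolution triggered it.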
