Howdy,

@Tomo it is happening, see this (using 3.8.6):
https://gist.github.com/cstamas/3cecd1f521a92910a1f8555fc4aa9b17#file-gistfile1-txt-L38

Clean plugin 3.2.0 is okay, this is Maven doing it.

In Maven 3.8.x line there is a legacy component doing it:
https://github.com/apache/maven/blob/maven-3.8.x/maven-core/src/main/java/org/apache/maven/plugin/internal/PlexusUtilsInjector.java
As the Javadoc explains, this was another "legacy" bit that auto-injects p-u into
plugins that do not declare it as a dep (as Maven 2 did that too).

This is fixed in upcoming 3.9.x of Maven, see
https://issues.apache.org/jira/browse/MNG-6965

HTH
T

On Thu, Sep 22, 2022 at 12:00 PM Tomo Suzuki <suzt...@google.com.invalid>
wrote:

> Hi Martin,
>
> Would you share the output of your [1] setup, where you saw
> "plexus-utils-1.1.jar is being downloaded"?
>
> mvn -X -s settings.xml -Dmaven.repo.local=repository
> org.apache.maven.plugins:maven-clean-plugin:3.2.0:clean
>
>
> (Doesn’t the debug flag explain why it’s downloading it?)
>
> Regards,
> Tomo
>
> On Thu, Sep 22, 2022 at 04:15 Martin D'Aloia <martindal...@gmail.com>
> wrote:
>
> > Hi, we are seeing that even with the latest maven-clean-plugin (currently
> > 3.2.0) a plexus-utils-1.1.jar is being downloaded.
> > We think that it is a real issue but we wanted to check in case we are
> > overlooking something.
> >
> > This is reproducible 100% with a simple setup shown below. [1]
> >
> > In theory using 3.2.0 should resolve it as mentioned here:
> >
> >
> https://stackoverflow.com/questions/71711729/java-maven-cve-2017-1000487-on-plexus-utils-2-0-4-jar-plexus-utils-3-0-10-jar
> >
> > Executing the dependency:tree on 3.2.0 brings 3.3.0 but with provided
> > scope. [2]
> > Executing the dependency:tree on 3.1.0 brings 2.0.4 with compile scope.
> > [3]
> >
> > We couldn't determine from where 1.1 comes; Maven 3.8.6 comes with
> > lib/plexus-utils-3.3.1.jar
> >
> > Even declaring the plugin inside the pom.xml and executing
> > dependency:resolve-plugins doesn't show the 1.1 version. [4]
> >
> > Who provides this plexus-utils 1.1?
> > Should I report it on Jira?
> >
> > Thanks in advance
> > Martin
> >
> > ==============================
> >
> > [1]:
> >
> > settings.xml
> >
> > <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> >
> > <settings xmlns="http://maven.apache.org/SETTINGS/1.2.0"
> >     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >     xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0
> >     https://maven.apache.org/xsd/settings-1.2.0.xsd">
> >
> > </settings>
> >
> >
> > pom.xml
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> >
> > <project xmlns="http://maven.apache.org/POM/4.0.0"
> >     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >     xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
> >     https://maven.apache.org/xsd/maven-4.0.0.xsd">
> >     <modelVersion>4.0.0</modelVersion>
> >
> >     <groupId>example-group</groupId>
> >     <artifactId>clean-bug-example</artifactId>
> >     <version>0.0.1-SNAPSHOT</version>
> >     <packaging>pom</packaging>
> > </project>
> >
> >
> > Maven 3.8.6:
> > mvn -X -s settings.xml -Dmaven.repo.local=repository
> > org.apache.maven.plugins:maven-clean-plugin:3.2.0:clean
> >
> > ==============================
> >
> > [2]:
> > mvn -s settings.xml -Dmaven.repo.local=repository -f \
> >   ./repository/org/apache/maven/plugins/maven-clean-plugin/3.2.0/maven-clean-plugin-3.2.0.pom \
> >   dependency:tree -Dincludes="*:plexus-utils:*"
> >
> > [INFO] org.apache.maven.plugins:maven-clean-plugin:maven-plugin:3.2.0
> > [INFO] \- org.apache.maven:maven-compat:jar:3.2.5:test
> > [INFO]    \- org.codehaus.plexus:plexus-utils:jar:3.3.0:provided
> >
> > ==============================
> >
> > [3]:
> > mvn -s settings.xml -Dmaven.repo.local=repository -f \
> >   ./repository/org/apache/maven/plugins/maven-clean-plugin/3.1.0/maven-clean-plugin-3.1.0.pom \
> >   dependency:tree -Dincludes="*:plexus-utils:*"
> >
> > [INFO] org.apache.maven.plugins:maven-clean-plugin:maven-plugin:3.1.0
> > [INFO] \- org.apache.maven:maven-compat:jar:3.0:test
> > [INFO]    \- org.codehaus.plexus:plexus-utils:jar:2.0.4:compile
> >
> > ==============================
> >
> > [4]:
> > Add to pom.xml
> >
> >     <build>
> >         <plugins>
> >             <plugin>
> >                 <groupId>org.apache.maven.plugins</groupId>
> >                 <artifactId>maven-clean-plugin</artifactId>
> >                 <version>3.2.0</version>
> >             </plugin>
> >         </plugins>
> >     </build>
> >
> > mvn --settings settings.xml -Dmaven.repo.local=repository
> > dependency:resolve-plugins
> >
> > (full output redacted to show only plexus-utils)
> >
> > [INFO] Plugin Resolved: maven-install-plugin-2.4.jar
> > [INFO]     Plugin Dependency Resolved: plexus-utils-3.0.5.jar
> > [INFO] Plugin Resolved: maven-deploy-plugin-2.7.jar
> > [INFO]     Plugin Dependency Resolved: plexus-utils-1.5.6.jar
> > [INFO] Plugin Resolved: maven-clean-plugin-3.2.0.jar
> > [INFO]     Plugin Dependency Resolved: maven-shared-utils-3.3.4.jar
> > [INFO] Plugin Resolved: maven-site-plugin-3.3.jar
> > [INFO]     Plugin Dependency Resolved: plexus-utils-1.5.10.jar
> >
> > ==============================
> >
> --
> Regards,
> Tomo
>
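A check a practitioner might want after reading this thread, added here as an example and not code from the thread or from the Maven project: parse the per-plugin class-realm section of `mvn -X` output and report which plexus-utils version ended up in each plugin realm, flagging realms whose only plexus-utils is the 1.1 that Maven 3.8.x's PlexusUtilsInjector adds (dependency:tree and dependency:resolve-plugins do not show it, because it is injected at realm-population time rather than declared). The log lines below are constructed to approximate the "Populating class realm" / "Included:" lines Maven 3.8.x prints; that exact format is an assumption, so the regexes may need adjusting against real output.

```python
import re

# Constructed sample of "mvn -X" output, approximating the lines Maven 3.8.x
# prints while building a plugin's class realm (real output is far longer).
# The line format is an assumption, not copied from the thread.
SAMPLE_DEBUG_LOG = """\
[DEBUG] Populating class realm plugin>org.apache.maven.plugins:maven-clean-plugin:3.2.0
[DEBUG]   Included: org.apache.maven.plugins:maven-clean-plugin:jar:3.2.0
[DEBUG]   Included: org.apache.maven.shared:maven-shared-utils:jar:3.3.4
[DEBUG]   Included: org.codehaus.plexus:plexus-utils:jar:1.1
[DEBUG]   Excluded: org.apache.maven:maven-plugin-api:jar:3.2.5
[DEBUG] Populating class realm plugin>org.apache.maven.plugins:maven-deploy-plugin:2.7
[DEBUG]   Included: org.apache.maven.plugins:maven-deploy-plugin:jar:2.7
[DEBUG]   Included: org.codehaus.plexus:plexus-utils:jar:1.5.6
"""

REALM_RE = re.compile(r"^\[DEBUG\] Populating class realm (\S+)")
INCLUDED_RE = re.compile(r"^\[DEBUG\]\s+Included: (\S+)")

# Coordinates that Maven 3.8.x's PlexusUtilsInjector adds to a plugin realm
# when the plugin does not declare plexus-utils itself.
INJECTED_GA = ("org.codehaus.plexus", "plexus-utils")
INJECTED_VERSION = "1.1"


def plexus_utils_by_realm(log_text):
    """Map each plugin class realm to the plexus-utils versions included in it."""
    realms = {}
    current = None
    for line in log_text.splitlines():
        m = REALM_RE.match(line)
        if m:
            current = m.group(1)
            realms.setdefault(current, [])
            continue
        m = INCLUDED_RE.match(line)
        if m and current is not None:
            parts = m.group(1).split(":")
            # Artifact string is group:artifact:ext[:classifier]:version,
            # so the version is always the last field.
            if len(parts) >= 4 and (parts[0], parts[1]) == INJECTED_GA:
                realms[current].append(parts[-1])
    return realms


def injected_realms(log_text):
    """Realms whose only plexus-utils is the injector's 1.1 (not declared by the plugin)."""
    return sorted(
        realm
        for realm, versions in plexus_utils_by_realm(log_text).items()
        if versions == [INJECTED_VERSION]
    )


if __name__ == "__main__":
    # Usage against a real run: mvn -X ... > build.log; then pass the file contents.
    for realm, versions in plexus_utils_by_realm(SAMPLE_DEBUG_LOG).items():
        print(realm, versions or "(no plexus-utils)")
    print("realms with injected plexus-utils 1.1:", injected_realms(SAMPLE_DEBUG_LOG))
```

On a real build, capture `mvn -X` output to a file and feed its contents to `injected_realms`; a non-empty result under Maven 3.8.x is expected for any plugin that does not declare plexus-utils, and the same check run under 3.9.x (where MNG-6965 removed the injector) should come back empty.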
