Posted to dev@maven.apache.org by Mark Derricutt <ma...@talios.com> on 2023/02/14 10:22:56 UTC

CVEs in maven-compat via toolchains

Hey all,

I was alerted the other day about a security issue with my 
clojure-maven-plugin apparently pulling in log4j 1.2, but using the 
dependency:tree plugin showed nothing.

Seems this is due to dependencies being overridden by newer maven 
versions, anyway - I use toolchains in the plugin and have this 
dependency tree:

```
[INFO] +- org.apache.maven:maven-toolchain:jar:3.0-alpha-2:compile
[INFO] |  +- (org.apache.maven:maven-core:jar:3.0-alpha-2:compile - 
omitted for conflict with 3.9.0)
[INFO] |  \- org.apache.maven:maven-compat:jar:3.0-alpha-2:compile
[INFO] |     +- (org.apache.maven:maven-model:jar:3.0-alpha-2:compile - 
omitted for conflict with 3.9.0)
[INFO] |     +- 
(org.codehaus.plexus:plexus-container-default:jar:1.0-beta-3.0.5:compile 
- omitted for duplicate)
[INFO] |     +- 
(org.codehaus.plexus:plexus-component-annotations:jar:1.0-beta-3.0.5:compile 
- omitted for conflict with 1.5.5)
```

This trips up with:

```
[ERROR]   org.apache.maven:maven-compat:jar:3.0-alpha-2:compile; 
https://ossindex.sonatype.org/component/pkg:maven/org.apache.maven/maven-compat@3.0-alpha-2?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR]     * [CVE-2021-26291] CWE-346: Origin Validation Error (9.1); 
https://ossindex.sonatype.org/vulnerability/CVE-2021-26291?component-type=maven&component-name=org.apache.maven%2Fmaven-compat&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
```

There doesn't appear to be a newer version of `maven-toolchain` at all - 
or is there and I'm just looking in the wrong place these days?

Cheers,
Mark

---
"The ease with which a change can be implemented has no relevance at all 
to whether it is the right change for the (Java) Platform for all time." 
— Mark Reinhold.

Mark Derricutt
http://www.chaliceofblood.net
http://www.theoryinpractice.net
http://twitter.com/talios
http://facebook.com/mderricutt

Re: CVEs in maven-compat via toolchains

Posted by Karl Heinz Marbaise <kh...@gmx.de>.
Hi,


On 14.02.23 11:22, Mark Derricutt wrote:
> Hey all,
>
> I was alerted the other day about a security issue with my
> clojure-maven-plugin apparently pulling in log4j 1.2, but using the
> dependency:tree plugin showed nothing.
>
> Seems this is due to dependencies being overridden by newer maven
> versions, anyway - I use toolchains in the plugin and have this
> dependency tree:
>
> ```
> [INFO] +- org.apache.maven:maven-toolchain:jar:3.0-alpha-2:compile
> [INFO] |  +- (org.apache.maven:maven-core:jar:3.0-alpha-2:compile -
> omitted for conflict with 3.9.0)
> [INFO] |  \- org.apache.maven:maven-compat:jar:3.0-alpha-2:compile
> [INFO] |     +- (org.apache.maven:maven-model:jar:3.0-alpha-2:compile -
> omitted for conflict with 3.9.0)
> [INFO] |     +-
> (org.codehaus.plexus:plexus-container-default:jar:1.0-beta-3.0.5:compile
> - omitted for duplicate)
> [INFO] |     +-
> (org.codehaus.plexus:plexus-component-annotations:jar:1.0-beta-3.0.5:compile - omitted for conflict with 1.5.5)
> ```


The version maven-toolchain 3.0-alpha-2 is from 2009!!!

https://search.maven.org/search?q=g:org.apache.maven%20a:maven-toolchain


Also took a look at:
https://github.com/talios/clojure-maven-plugin/blob/develop/pom.xml

which exactly shows this:

    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-toolchain</artifactId>
      <version>3.0-alpha-2</version>
    </dependency>

which I think is the culprit...

The current version of toolchains-plugin:

https://maven.apache.org/plugins/maven-toolchains-plugin/

The current ToolchainManager can be obtained from maven-core (I
would suggest setting the minimum Maven version to 3.2.5)... (Take a deeper
look into maven-compiler-plugin)...


Kind regards
Karl Heinz Marbaise

>
> This trips up with:
>
> ```
> [ERROR]   org.apache.maven:maven-compat:jar:3.0-alpha-2:compile;
> https://ossindex.sonatype.org/component/pkg:maven/org.apache.maven/maven-compat@3.0-alpha-2?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
> [ERROR]     * [CVE-2021-26291] CWE-346: Origin Validation Error (9.1);
> https://ossindex.sonatype.org/vulnerability/CVE-2021-26291?component-type=maven&component-name=org.apache.maven%2Fmaven-compat&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
> ```
>
> There doesn't appear to be a newer version of `maven-toolchain` at all -
> or is there and I'm just looking in the wrong place these days?
>
> Cheers,
> Mark
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org


Re: CVEs in maven-compat via toolchains

Posted by Mark Derricutt <ma...@talios.com>.
On 15 Feb 2023, at 8:30, Tamás Cservenák wrote:

> This artifact ceased to exist (well, to be produced) since.

Sweet - dropped the dependency and all good - and re-released.

Cheers,
Mark


---
"The ease with which a change can be implemented has no relevance at all 
to whether it is the right change for the (Java) Platform for all time." 
— Mark Reinhold.

Mark Derricutt
http://www.chaliceofblood.net
http://www.theoryinpractice.net
http://twitter.com/talios
http://facebook.com/mderricutt

Re: CVEs in maven-compat via toolchains

Posted by Tamás Cservenák <ta...@cservenak.net>.
No, it doesn't.
Somewhere around 3.0-alpha-3 (?) the toolchains were pulled into maven
https://github.com/apache/maven/commit/5377165201decef84c10ad00b0ecef18935e0539

And I guess some reshuffle happened, and finally it ended up in maven-core.

This artifact ceased to exist (well, to be produced) since.

HTH
T

On Tue, Feb 14, 2023 at 8:19 PM Mark Derricutt <ma...@talios.com> wrote:

> On 15 Feb 2023, at 1:19, Elliotte Rusty Harold wrote:
>
> > That's extremely old and seems unmaintained and never released. You
> > probably want the maven-toolchains-plugin
>
> Isn't that for USING toolchains - not adding tool chain support to a
> plugin? Will do some more digging.
>
>
>
> ---
> "The ease with which a change can be implemented has no relevance at all
> to whether it is the right change for the (Java) Platform for all time."
> — Mark Reinhold.
>
> Mark Derricutt
> http://www.chaliceofblood.net
> http://www.theoryinpractice.net
> http://twitter.com/talios
> http://facebook.com/mderricutt
>

Re: CVEs in maven-compat via toolchains

Posted by Mark Derricutt <ma...@talios.com>.
On 15 Feb 2023, at 1:19, Elliotte Rusty Harold wrote:

> That's extremely old and seems unmaintained and never released. You
> probably want the maven-toolchains-plugin

Isn't that for USING toolchains - not adding tool chain support to a 
plugin? Will do some more digging.



---
"The ease with which a change can be implemented has no relevance at all 
to whether it is the right change for the (Java) Platform for all time." 
— Mark Reinhold.

Mark Derricutt
http://www.chaliceofblood.net
http://www.theoryinpractice.net
http://twitter.com/talios
http://facebook.com/mderricutt

Re: CVEs in maven-compat via toolchains

Posted by Elliotte Rusty Harold <el...@ibiblio.org>.
On Tue, Feb 14, 2023 at 5:23 AM Mark Derricutt <ma...@talios.com> wrote:
>
> Hey all,
>
> I was alerted the other day about a security issue with my
> clojure-maven-plugin apparently pulling in log4j 1.2, but using the
> dependency:tree plugin showed nothing.

Interesting discovery. It sounds like the security tool doesn't
properly analyze Maven classpaths, whereas the dependency:tree plugin
does. If that's so, file a bug against the security analyzer. These
sorts of false positives really reduce its functionality and make all
of us less secure.

> [ERROR]   org.apache.maven:maven-compat:jar:3.0-alpha-2:compile;
> https://ossindex.sonatype.org/component/pkg:maven/org.apache.maven/maven-compat@3.0-alpha-2?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
> [ERROR]     * [CVE-2021-26291] CWE-346: Origin Validation Error (9.1);
> https://ossindex.sonatype.org/vulnerability/CVE-2021-26291?component-type=maven&component-name=org.apache.maven%2Fmaven-compat&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
> ```

That's extremely old and seems unmaintained and never released. You
probably want the maven-toolchains-plugin instead.

-- 
Elliotte Rusty Harold
elharo@ibiblio.org
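Whether a scanner finding corresponds to an artifact Maven actually resolves can be checked against the verbose `dependency:tree` output quoted in this thread: Maven prints nodes it did NOT put on the classpath in parentheses with an "omitted for ..." reason, so only the unparenthesised nodes are real classpath members. The Python script below is an added example, not code from this thread or from the Maven project. It re-joins tree lines that a mail client wrapped, separates resolved from omitted nodes, and reports for each finding whether the coordinates are on the classpath, omitted, or absent from the tree. The tree lines are the ones Mark posted; the finding list, including the `log4j:log4j:1.2` placeholder standing in for the "log4j 1.2" alert, is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the verbose tree quoted in the thread, kept with
# the line wrapping the mail client introduced.
SAMPLE_TREE = """\
[INFO] +- org.apache.maven:maven-toolchain:jar:3.0-alpha-2:compile
[INFO] |  +- (org.apache.maven:maven-core:jar:3.0-alpha-2:compile -
omitted for conflict with 3.9.0)
[INFO] |  \\- org.apache.maven:maven-compat:jar:3.0-alpha-2:compile
[INFO] |     +- (org.apache.maven:maven-model:jar:3.0-alpha-2:compile -
omitted for conflict with 3.9.0)
[INFO] |     +-
(org.codehaus.plexus:plexus-container-default:jar:1.0-beta-3.0.5:compile
- omitted for duplicate)
[INFO] |     +-
(org.codehaus.plexus:plexus-component-annotations:jar:1.0-beta-3.0.5:compile
- omitted for conflict with 1.5.5)
"""

# Constructed scanner findings as groupId:artifactId:version. The first is the
# real finding from the thread; the others are placeholders for comparison.
SCANNER_FINDINGS = [
    "org.apache.maven:maven-compat:3.0-alpha-2",
    "org.apache.maven:maven-core:3.0-alpha-2",
    "log4j:log4j:1.2",  # placeholder version for the "log4j 1.2" alert
]

TREE_PREFIX_CHARS = "| +\\-"   # tree-drawing characters before the coordinates


@dataclass
class Node:
    group_id: str
    artifact_id: str
    version: str
    scope: Optional[str]
    omitted_reason: Optional[str]  # None when Maven put the artifact on the classpath

    @property
    def key(self) -> str:
        return f"{self.group_id}:{self.artifact_id}:{self.version}"


def join_wrapped(text: str) -> List[str]:
    """A physical line without the Maven log prefix continues the previous one."""
    logical: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[INFO]") or not logical:
            logical.append(line)
        else:
            logical[-1] = logical[-1] + " " + line
    return logical


def parse_node(line: str) -> Optional[Node]:
    body = re.sub(r"^\[INFO\]\s*", "", line).lstrip(TREE_PREFIX_CHARS)
    if not body:
        return None
    reason = None
    if body.startswith("(") and body.endswith(")"):
        # "(g:a:type:version:scope - omitted for <reason>)": not on the classpath
        coords, _, reason = body[1:-1].partition(" - ")
        reason = reason.strip() or "omitted"
    else:
        coords = body
    parts = coords.split(":")
    if len(parts) < 4:
        return None
    if len(parts) == 4:          # project root: g:a:type:version, no scope
        version, scope = parts[3], None
    else:                        # g:a:type[:classifier]:version:scope
        version, scope = parts[-2], parts[-1]
    return Node(parts[0], parts[1], version, scope, reason)


def parse_tree(text: str) -> List[Node]:
    nodes = [parse_node(line) for line in join_wrapped(text)]
    return [n for n in nodes if n is not None]


def resolved(nodes: List[Node]) -> List[Node]:
    return [n for n in nodes if n.omitted_reason is None]


def check_findings(nodes: List[Node], findings: List[str]) -> Dict[str, str]:
    by_key: Dict[str, Node] = {}
    for n in nodes:
        # a resolved node wins over an omitted copy of the same coordinates
        if n.key not in by_key or n.omitted_reason is None:
            by_key[n.key] = n
    report: Dict[str, str] = {}
    for key in findings:
        node = by_key.get(key)
        if node is None:
            report[key] = "not in tree"
        elif node.omitted_reason is None:
            report[key] = "on classpath"
        else:
            report[key] = f"omitted ({node.omitted_reason})"
    return report


if __name__ == "__main__":
    for key, status in check_findings(parse_tree(SAMPLE_TREE), SCANNER_FINDINGS).items():
        print(f"{status:40} {key}")
```

Run against the posted tree, the script classifies `maven-compat:3.0-alpha-2` as on the classpath (so the CVE-2021-26291 finding concerns a resolved artifact), `maven-core:3.0-alpha-2` as omitted in favour of 3.9.0, and the log4j placeholder as absent from the tree, which is the distinction to draw before deciding whether a finding is a real exposure or a tool artifact.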
