Posted to dev@maven.apache.org by Romain Manni-Bucau <rm...@gmail.com> on 2021/02/15 17:26:37 UTC

Plan to enable developers to consume maven-core without CVE

Hi everybody,

As of today, if you depend on maven-core 3.6.3 you get a CVE warning until you
force another guava version in your project.
Do we have any plan to make it hurtless?
Is it related to making a plugin-oriented (public) API dependency?

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>
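The workaround the message refers to, forcing a different guava version in the consuming project, is usually done with a `dependencyManagement` pin. The POM below is an added example, not from the thread or from the Maven project; the project coordinates are constructed and the guava version is a placeholder, since the thread does not name which release clears the scan.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <!-- constructed example coordinates -->
  <groupId>org.example</groupId>
  <artifactId>maven-core-consumer</artifactId>
  <version>1.0-SNAPSHOT</version>

  <properties>
    <!-- placeholder: the guava release your security scanner reports as clean -->
    <guava.version>PLACEHOLDER_PATCHED_GUAVA_VERSION</guava.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- A managed version overrides the transitive version that
           maven-core brings in through guice, so this pins guava for the
           whole build without listing it as a direct dependency. -->
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>${guava.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-core</artifactId>
      <version>3.6.3</version>
    </dependency>
  </dependencies>
</project>
```

After the pin, `mvn dependency:tree -Dincludes=com.google.guava` shows which guava version is actually resolved; the pin only helps if every path to guava resolves to the managed version, and a rerun of the scanner confirms the warning is gone rather than merely moved.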

Re: Plan to enable developers to consume maven-core without CVE

Posted by Romain Manni-Bucau <rm...@gmail.com>.
On Mon, 15 Feb 2021 at 19:37, Robert Scholte <rf...@apache.org>
wrote:

> We could consider doing Maven APIs/SPIs for Maven 5, not earlier. Maven 4
> is already hard enough to reach release-ready status, so let's not increase
> the scope.
>

Ok


> It will require a complete new set of interfaces in their own packages,
> which would also help with the split package issue of the Java module
> system.
>

Not sure I fully get this one; Maven will not go with JPMS anyway, I
think/hope, since it will not bring anything for most of its runtime (i.e.
plugins).


> The challenge would be to define which classes and components we consider
> internal, and which ones should be exposed via an API or SPI.
>

Guess we can start with a quick GitHub review, but off the top of my head dependency
management (transitive or not), MavenProject meta, etc. are all very common,
so they will likely need to be facaded in your proposed path.

That said, even if we agree not to do it now, we still have the issue that maven
3.6 is no longer usable due to guava (thanks guice), so we need to do a 3.6.4
or 4, but at least something users can consume safely and without build
errors due to security scans IMHO (guess just upgrading guava is a cheap
option).


>
> Robert
>
>
> On 15-2-2021 18:27:09, Romain Manni-Bucau <rm...@gmail.com> wrote:
> Hi everybody,
>
> As of today, if you depend on maven-core 3.6.3 you get a CVE warning until you
> force another guava version in your project.
> Do we have any plan to make it hurtless?
> Is it related to making a plugin-oriented (public) API dependency?
>
> Romain Manni-Bucau
> @rmannibucau | Blog | Old Blog | Github | LinkedIn | Book
>
>

Re: Plan to enable developers to consume maven-core without CVE

Posted by Robert Scholte <rf...@apache.org>.
We could consider doing Maven APIs/SPIs for Maven 5, not earlier. Maven 4 is already hard enough to reach release-ready status, so let's not increase the scope.
It will require a complete new set of interfaces in their own packages, which would also help with the split package issue of the Java module system.
The challenge would be to define which classes and components we consider internal, and which ones should be exposed via an API or SPI.

Robert


On 15-2-2021 18:27:09, Romain Manni-Bucau <rm...@gmail.com> wrote:
Hi everybody,

As of today, if you depend on maven-core 3.6.3 you get a CVE warning until you
force another guava version in your project.
Do we have any plan to make it hurtless?
Is it related to making a plugin-oriented (public) API dependency?

Romain Manni-Bucau
@rmannibucau | Blog | Old Blog | Github | LinkedIn | Book