Posted to dev@maven.apache.org by Robert Scholte <rf...@apache.org> on 2019/03/25 20:41:36 UTC

Re: Vulnerabilities in multiple Maven packages.

On Mon, 25 Mar 2019 11:35:04 +0100, Bradley Atkins  
<Br...@bjss.com> wrote:

> All,
>
> When looking at forking and updating maven-source-plugin to get rid of  
> its dependency on the vulnerable package - org.codehaus.plexus :  
> plexus-utils

What's the vulnerability?

>
> I found that these packages are also using a vulnerable version of it. As  
> fixing this issue would require multiple releases, can I prevail upon  
> you guys to do a fix?
>
> org.apache.maven : maven-core 3.0
> org.apache.maven : maven-model 3.0
> org.apache.maven : maven-compat 3.0
> org.apache.maven.plugin-testing : maven-plugin-testing-harness 2.1
> org.apache.maven : maven-plugin-api 3.0

Not sure what you expect from us here. Do you expect us to patch these and  
re-upload them to Maven Central?

>
> Incidentally, this vulnerability was found using the IntelliJ plugin for  
> Snyk. These guys offer the plugin for free to open source projects.  
> Given that you are providing a core service to half the industry, can I  
> ask you to evaluate using it across all Apache packages as standard?  
> Their vulnerability database is very well maintained.

I have contacts with Snyk; however, we've never talked about this yet. I'll  
inform.

thanks,
Robert

>
> Regards
>
> Bradley Atkins
>
> Snyk site - https://snyk.io
>
>
> The information included in this email and any files transmitted with it  
> may contain information that is confidential and it must not be used by,  
> or its contents or attachments copied or disclosed to, persons other  
> than the intended addressee. If you have received this email in error,  
> please notify BJSS. In the absence of written agreement to the contrary  
> BJSS' relevant standard terms of contract for any work to be undertaken  
> will apply. Please carry out virus or such other checks as you consider  
> appropriate in respect of this email. BJSS does not accept  
> responsibility for any adverse effect upon your system or data in  
> relation to this email or any files transmitted with it. BJSS Limited, a  
> company registered in England and Wales (Company Number 2777575), VAT  
> Registration Number 613295452, Registered Office Address, First Floor,  
> Coronet House, Queen Street, Leeds, LS1 2TW.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org
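The thread above asks the Maven team to cut new releases so that maven-source-plugin and the listed artifacts stop pulling in a vulnerable plexus-utils. A consumer does not have to wait for that, or fork the plugin: Maven lets a build override the version a plugin resolves transitively (via a plugin-level `<dependencies>` block) and the version its own classpath resolves (via `<dependencyManagement>`). The pom.xml below is an added example written for this page; it is not code from the thread, the Maven project, or BJSS. The artifact coordinates come from the thread; every version string is a placeholder, since the thread does not say which plexus-utils release is vulnerable or which one fixes it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: overriding a vulnerable transitive plexus-utils without forking.
     All versions below are PLACEHOLDERS; substitute the fixed release reported by
     your scanner (e.g. the Snyk plugin mentioned in the thread). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.placeholder</groupId>
  <artifactId>plexus-utils-override</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Single place to bump when the scanner reports a new advisory. -->
    <plexus-utils.version>FIXED-PLEXUS-UTILS-VERSION</plexus-utils.version>
  </properties>

  <!-- 1. Project classpath: pin plexus-utils for anything that depends on it
        (e.g. maven-core, maven-model, maven-compat, maven-plugin-api,
        maven-plugin-testing-harness from the thread). Nearest-wins resolution
        would otherwise pick whatever version those artifacts declare. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.codehaus.plexus</groupId>
        <artifactId>plexus-utils</artifactId>
        <version>${plexus-utils.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <pluginManagement>
      <plugins>
        <!-- 2. Plugin classpath: a plugin's transitive dependencies are resolved
              separately from the project's, so dependencyManagement alone does
              not reach maven-source-plugin. A plugin-level <dependencies>
              block replaces the version the plugin itself declares. -->
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-source-plugin</artifactId>
          <version>SOURCE-PLUGIN-VERSION</version>
          <dependencies>
            <dependency>
              <groupId>org.codehaus.plexus</groupId>
              <artifactId>plexus-utils</artifactId>
              <version>${plexus-utils.version}</version>
            </dependency>
          </dependencies>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>
</project>
```

To verify which plexus-utils the project classpath actually resolves after the override, run `mvn dependency:tree -Dincludes=org.codehaus.plexus:plexus-utils`; the `includes` filter is a standard parameter of maven-dependency-plugin's `tree` goal. Plugin classpaths are not shown by that goal, so for the maven-source-plugin override run the build with `-X` and inspect the resolved plugin dependencies in the debug output, or re-run the scanner that flagged the issue.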