Posted to dev@maven.apache.org by Robert Scholte <rf...@apache.org> on 2019/03/25 20:41:36 UTC
Re: Vulnerabilities in multiple Maven packages.
On Mon, 25 Mar 2019 11:35:04 +0100, Bradley Atkins
<Br...@bjss.com> wrote:
> All,
>
> When looking at forking and updating maven-source-plugin to get rid of
> its dependency on the vulnerable package - org.codehaus.plexus :
> plexus-utils
What's the vulnerability?
>
> I found that these packages are also using a vulnerable version of it. As
> fixing this issue would require multiple releases, can I prevail upon
> you guys to do a fix?
>
> org.apache.maven : maven-core 3.0
> org.apache.maven : maven-model 3.0
> org.apache.maven : maven-compat 3.0
> org.apache.maven.plugin-testing : maven-plugin-testing-harness 2.1
> org.apache.maven : maven-plugin-api 3.0
Not sure what you expect from us here. Do you expect us to patch these and
re-upload them to Maven Central?
>
> Incidentally, this vulnerability was found using the IntelliJ plugin for
> Snyk. These guys offer the plugin for free to open source projects.
> Given that you are providing a core service to half the industry, can I
> ask you to evaluate using it across all Apache packages as standard?
> Their vulnerability database is very well maintained.
I have contacts with Snyk, however we've never talked about this yet. I'll
inform.
thanks,
Robert
>
> Regards
>
> Bradley Atkins
>
> Snyk site - https://snyk.io