Posted to dev@drill.apache.org by James Turton <dz...@apache.org> on 2022/01/21 10:10:40 UTC

[DISCUSS] maven-core upgrade to 3.8

Hi Devs

The vulnerability CVE-2021-26291 
<https://nvd.nist.gov/vuln/detail/CVE-2021-26291> affects Maven versions 
prior to 3.8.1 and has a severity score of 9.1.  We currently depend on 
maven-core 3.6.3, which appears to be the last release we can expect in 
the 3.6 series.  In the draft PR #2432 
<https://github.com/apache/drill/pull/2432> I am working to address 
severe vulnerabilities reported by the OWASP dependency checker and I 
have updated maven-core to 3.8.4.

Having adjusted an enforcer rule in the PR, I am still able to build the 
project using Maven 3.6.3, the version on my laptop and also currently 
used by our GitHub CI.  So I do not believe that this upgrade will leave 
any users or developers unable to build. However, if you know of some 
reason why we should not upgrade maven-core to 3.8 please say so here or 
in the PR linked to above.

Thanks
James