Posted to issues@maven.apache.org by "Michael Osipov (Jira)" <ji...@apache.org> on 2022/05/15 09:07:00 UTC

[jira] [Updated] (MNG-7359) Dependency-Management insufficient to cope with today's security threats

     [ https://issues.apache.org/jira/browse/MNG-7359?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Osipov updated MNG-7359:
--------------------------------
    Summary: Dependency-Management insufficient to cope with today's security threats  (was: Dependency-Management insufficient to cope with todays security threads)

> Dependency-Management insufficient to cope with today's security threats
> ------------------------------------------------------------------------
>
>                 Key: MNG-7359
>                 URL: https://issues.apache.org/jira/browse/MNG-7359
>             Project: Maven
>          Issue Type: Improvement
>            Reporter: Jörg Hohwiller
>            Priority: Major
>
> Maven is a great and flexible tool. However, today critical CVEs come up every day (see the log4j disaster). The idea of Maven is that via some parent POM build logic can be reused to manage and maintain bigger projects.
> To fix such a CVE I tried to update the version of log4j in the parent POM and imported the BOM of log4j. However, this does not help, and projects derived from that POM still load vulnerable versions of log4j as they get it from transitive dependencies.
> What is required in Maven is some configuration in dependencyManagement to tell Maven "Hey, whenever you choose X as a dependency you have to use AT LEAST version Y". However, Maven is lacking this feature and hence fixing CVEs is error-prone and leads to unexpected results.
> Maybe the new Maven major version gives the opportunity to address this issue. In case it was already addressed and I missed this somehow, simply close as invalid and sorry for the spam.
> Side note: Also a Maven repo should somehow have the ability to mark releases with critical CVEs so the download is either aborted (maybe unintended) or at least a FAT WARNING is logged whenever that dependency is pulled.
> Maybe in today's world of cyberwar it would even be suitable to have a tool like owasp-dependency-check built into Maven natively by default...
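As an added illustration, not part of the issue above or of Maven itself: the "at least version Y" rule the reporter asks for can be approximated today by pinning the transitive version in the parent POM's dependencyManagement and letting maven-enforcer-plugin's bannedDependencies rule fail any module that still resolves an older release. The property name, the minimum log4j version and the plugin version are assumptions to adjust to current advisories.

```xml
<!-- Parent POM fragment (added example, not from MNG-7359 or Maven).
     Assumed: property log4j.min.version and its value, plugin version 3.0.0. -->
<project>
  <properties>
    <!-- assumed minimum acceptable log4j-core release; verify against current advisories -->
    <log4j.min.version>2.17.1</log4j.min.version>
  </properties>

  <!-- 1. Pin the version every child module resolves, including transitive pulls -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>${log4j.min.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- 2. Fail the build if any module still ends up with an older log4j-core,
              e.g. because a child POM overrides the managed version -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0</version>
        <executions>
          <execution>
            <id>ban-vulnerable-log4j</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- searchTransitive defaults to true, so transitive versions are checked too -->
                  <excludes>
                    <!-- every log4j-core version strictly below the assumed minimum -->
                    <exclude>org.apache.logging.log4j:log4j-core:(,${log4j.min.version})</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn validate` in a child module that drags in an older log4j-core then stops with the enforcer's banned-dependency report instead of silently building with the vulnerable artifact.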



--
This message was sent by Atlassian Jira
(v8.20.7#820007)