Posted to commits@maven.apache.org by mi...@apache.org on 2022/07/18 13:09:46 UTC
[maven] 01/01: [MNG-7513] Address commons-io_commons-io vulnerability found in maven latest version
This is an automated email from the ASF dual-hosted git repository.
michaelo pushed a commit to branch MNG-7513
in repository https://gitbox.apache.org/repos/asf/maven.git
commit aa743a6226fa63d3418b1829fc1d94c5e8f976c4
Author: Michael Osipov <mi...@apache.org>
AuthorDate: Mon Jul 18 15:09:01 2022 +0200
[MNG-7513] Address commons-io_commons-io vulnerability found in maven latest version
We can safely remove Commons IO altogether because no direct or transitive
use case needs it at compile time or at runtime.
This closes #771
---
maven-core/pom.xml | 10 +++++
.../apache/maven/project/ProjectBuilderTest.java | 48 +++++++++-------------
maven-embedder/pom.xml | 5 +++
pom.xml | 20 +++++++++
4 files changed, 55 insertions(+), 28 deletions(-)
diff --git a/maven-core/pom.xml b/maven-core/pom.xml
index f46fdeb1d..61461c8ab 100644
--- a/maven-core/pom.xml
+++ b/maven-core/pom.xml
@@ -160,6 +160,11 @@ under the License.
<artifactId>commons-jxpath</artifactId>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>commons-io</groupId>
+ <artifactId>commons-io</artifactId>
+ <scope>test</scope>
+ </dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
@@ -175,6 +180,11 @@ under the License.
<artifactId>xmlunit-assertj</artifactId>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.junit.jupiter</groupId>
+ <artifactId>junit-jupiter-api</artifactId>
+ <scope>test</scope>
+ </dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-params</artifactId>
diff --git a/maven-core/src/test/java/org/apache/maven/project/ProjectBuilderTest.java b/maven-core/src/test/java/org/apache/maven/project/ProjectBuilderTest.java
index 5590b9f72..8cc47a853 100644
--- a/maven-core/src/test/java/org/apache/maven/project/ProjectBuilderTest.java
+++ b/maven-core/src/test/java/org/apache/maven/project/ProjectBuilderTest.java
@@ -20,7 +20,6 @@ package org.apache.maven.project;
*/
import java.io.File;
-import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Collections;
@@ -28,6 +27,7 @@ import java.util.List;
import java.util.Properties;
import java.util.concurrent.atomic.AtomicInteger;
+import org.apache.commons.io.FileUtils;
import org.apache.maven.AbstractCoreMavenComponentTestCase;
import org.apache.maven.execution.MavenSession;
import org.apache.maven.model.Plugin;
@@ -35,8 +35,8 @@ import org.apache.maven.model.building.FileModelSource;
import org.apache.maven.model.building.ModelBuildingRequest;
import org.apache.maven.model.building.ModelProblem;
import org.apache.maven.model.building.ModelSource;
-import org.apache.maven.shared.utils.io.FileUtils;
import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
import static org.apache.maven.project.ProjectBuildingResultWithLocationMatcher.projectBuildingResultWithLocation;
import static org.apache.maven.project.ProjectBuildingResultWithProblemMessageMatcher.projectBuildingResultWithProblemMessage;
@@ -166,35 +166,27 @@ public class ProjectBuilderTest
}
@Test
- public void testReadModifiedPoms() throws Exception {
+ public void testReadModifiedPoms( @TempDir Path tempDir ) throws Exception {
// TODO a similar test should be created to test the dependency management (basically all usages
// of DefaultModelBuilder.getCache() are affected by MNG-6530
- Path tempDir = Files.createTempDirectory( null );
- FileUtils.copyDirectoryStructure ( new File( "src/test/resources/projects/grandchild-check" ), tempDir.toFile() );
- try
- {
- MavenSession mavenSession = createMavenSession( null );
- ProjectBuildingRequest configuration = new DefaultProjectBuildingRequest();
- configuration.setRepositorySession( mavenSession.getRepositorySession() );
- org.apache.maven.project.ProjectBuilder projectBuilder = getContainer().lookup( org.apache.maven.project.ProjectBuilder.class );
- File child = new File( tempDir.toFile(), "child/pom.xml" );
- // build project once
- projectBuilder.build( child, configuration );
- // modify parent
- File parent = new File( tempDir.toFile(), "pom.xml" );
- String parentContent = FileUtils.fileRead( parent );
- parentContent = parentContent.replaceAll( "<packaging>pom</packaging>",
- "<packaging>pom</packaging><properties><addedProperty>addedValue</addedProperty></properties>" );
- FileUtils.fileWrite( parent, "UTF-8", parentContent );
- // re-build pom with modified parent
- ProjectBuildingResult result = projectBuilder.build( child, configuration );
- assertThat( result.getProject().getProperties(), hasKey( (Object) "addedProperty" ) );
- }
- finally
- {
- FileUtils.deleteDirectory( tempDir.toFile() );
- }
+ FileUtils.copyDirectory( new File( "src/test/resources/projects/grandchild-check" ), tempDir.toFile() );
+ MavenSession mavenSession = createMavenSession( null );
+ ProjectBuildingRequest configuration = new DefaultProjectBuildingRequest();
+ configuration.setRepositorySession( mavenSession.getRepositorySession() );
+ org.apache.maven.project.ProjectBuilder projectBuilder = getContainer().lookup( org.apache.maven.project.ProjectBuilder.class );
+ File child = new File( tempDir.toFile(), "child/pom.xml" );
+ // build project once
+ projectBuilder.build( child, configuration );
+ // modify parent
+ File parent = new File( tempDir.toFile(), "pom.xml" );
+ String parentContent = FileUtils.readFileToString( parent, "UTF-8" );
+ parentContent = parentContent.replaceAll( "<packaging>pom</packaging>",
+ "<packaging>pom</packaging><properties><addedProperty>addedValue</addedProperty></properties>" );
+ FileUtils.write( parent, parentContent, "UTF-8" );
+ // re-build pom with modified parent
+ ProjectBuildingResult result = projectBuilder.build( child, configuration );
+ assertThat( result.getProject().getProperties(), hasKey( (Object) "addedProperty" ) );
}
@Test
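Review bot: The rewritten test still depends on commons-io for the two single-file operations, `FileUtils.readFileToString( parent, "UTF-8" )` and `FileUtils.write( parent, parentContent, "UTF-8" )`, although the commit's stated goal is to get rid of that library; with the build targeting Java 8 both can be done with `java.nio.file.Files`, leaving `copyDirectory` as the only remaining use. For example `String parentContent = new String( Files.readAllBytes( parent.toPath() ), StandardCharsets.UTF_8 );` and `Files.write( parent.toPath(), parentContent.getBytes( StandardCharsets.UTF_8 ) );`, which means keeping the `java.nio.file.Files` import this file otherwise drops and adding `java.nio.charset.StandardCharsets`. Separately, `replaceAll` interprets its first argument as a regular expression while the needle here is a literal string, so `parentContent.replace( "<packaging>pom</packaging>", ... )` states the intent and avoids any future metacharacter surprise. If the commons-io calls are kept, prefer their `StandardCharsets.UTF_8` overloads over the `"UTF-8"` string so a typo cannot turn into a runtime charset lookup failure.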
diff --git a/maven-embedder/pom.xml b/maven-embedder/pom.xml
index 842f86823..d49eb8f62 100644
--- a/maven-embedder/pom.xml
+++ b/maven-embedder/pom.xml
@@ -149,6 +149,11 @@ under the License.
<groupId>commons-cli</groupId>
<artifactId>commons-cli</artifactId>
</dependency>
+ <dependency>
+ <groupId>commons-io</groupId>
+ <artifactId>commons-io</artifactId>
+ <scope>test</scope>
+ </dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
diff --git a/pom.xml b/pom.xml
index 1e08bb637..df1b8f402 100644
--- a/pom.xml
+++ b/pom.xml
@@ -49,6 +49,7 @@ under the License.
<javaVersion>8</javaVersion>
<classWorldsVersion>2.6.0</classWorldsVersion>
<commonsCliVersion>1.5.0</commonsCliVersion>
+ <commonsIoVersion>2.11.0</commonsIoVersion>
<commonsLangVersion>3.12.0</commonsLangVersion>
<junitVersion>5.8.1</junitVersion>
<mockitoVersion>3.2.0</mockitoVersion>
@@ -300,6 +301,13 @@ under the License.
<groupId>org.apache.maven.shared</groupId>
<artifactId>maven-shared-utils</artifactId>
<version>3.3.4</version>
+ <exclusions>
+ <!-- We use org.apache.maven.shared.utils.logging only in Maven Core -->
+ <exclusion>
+ <groupId>commons-io</groupId>
+ <artifactId>commons-io</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
<groupId>org.fusesource.jansi</groupId>
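Review bot: The new exclusion on maven-shared-utils silently relies on the comment's claim that only `org.apache.maven.shared.utils.logging` is used; the same commit had to swap `org.apache.maven.shared.utils.io.FileUtils` out of ProjectBuilderTest, which suggests the io package does need commons-io, and any non-test code path that still reaches it would fail late with a NoClassDefFoundError rather than at compile time. Consider turning the comment into a statement of the invariant being relied on, e.g. `<!-- commons-io excluded: Maven Core must only use o.a.m.shared.utils.logging; the io/* classes presumably need commons-io and must stay out of non-test code -->`. If the build already runs maven-enforcer, a bannedDependencies rule for `commons-io:commons-io` outside test scope would keep a future dependency bump from quietly reintroducing the library this change removes.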
@@ -338,6 +346,13 @@ under the License.
<groupId>org.apache.maven.wagon</groupId>
<artifactId>wagon-http</artifactId>
<version>${wagonVersion}</version>
+ <exclusions>
+ <!-- Not used at all -->
+ <exclusion>
+ <groupId>commons-io</groupId>
+ <artifactId>commons-io</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<!-- Repository -->
<dependency>
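Review bot: The `<!-- Not used at all -->` justification for excluding commons-io from wagon-http does not say how that was established, and nothing in this diff shows which wagon-http code paths Maven actually exercises. An exclusion that is wrong only shows up when the affected path executes, e.g. during a remote HTTP download, which unit tests will not cover. Suggest the comment cite the analysis and the ticket, e.g. `<!-- commons-io excluded: not referenced by any wagon-http code path Maven exercises (MNG-7513) -->`, and that an integration test performing an HTTP artifact download is run against this branch before merge.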
@@ -386,6 +401,11 @@ under the License.
<artifactId>commons-cli</artifactId>
<version>${commonsCliVersion}</version>
</dependency>
+ <dependency>
+ <groupId>commons-io</groupId>
+ <artifactId>commons-io</artifactId>
+ <version>${commonsIoVersion}</version>
+ </dependency>
<dependency>
<groupId>commons-jxpath</groupId>
<artifactId>commons-jxpath</artifactId>
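Review bot: The managed `commons-io` entry is the part of this change that actually pins a fixed version should any other dependency bring commons-io back transitively, yet it carries no comment explaining that it is deliberately not a runtime dependency of Maven. A short note next to the new entry would stop a later maintainer from reading it as a sanctioned dependency, e.g. `<!-- Managed only so any transitive commons-io resolves to a fixed version; Maven itself does not use it at runtime (MNG-7513) -->`. Note that dependencyManagement governs only this build's resolution; plugins and extensions loaded into a running Maven resolve their own commons-io version, so this does not protect those class realms.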