Posted to pr@cassandra.apache.org by GitBox <gi...@apache.org> on 2022/07/14 19:16:46 UTC

[GitHub] [cassandra] aratno commented on pull request #1725: CASSANDRA-17750: Remove Maven Ant Tasks

aratno commented on PR #1725:
URL: https://github.com/apache/cassandra/pull/1725#issuecomment-1184807504

   @michaelsembwever - thanks for taking a look.
   
   > Furthermore, I'm not sure how we define or pin the plexus dependency that is the source of the CVE here
   
   The plexus-utils2 dependency is a transitive dependency included in the last released version of Maven Ant Tasks, which we pull in as a JAR here: https://github.com/apache/cassandra/blob/889ca60edc8afd85b4a594442883c1b5efdf3c6b/build.xml#L472
   
   As an alternative to address CVE-2017-1000487, I considered authoring a forked Maven Ant Tasks and bumping the plexus-utils2 dependency to bypass the vulnerable version. I figured that it was worse to maintain a fork of a long-retired project, even with a very simple fork. It's unfortunate that Maven Artifact Resolver Ant Tasks [doesn't support an alternative](https://lists.apache.org/thread/o0llzvf55zgo2nqn6yq1m4lhv3t9vdk7) to the writepom task - in my opinion, that would be ideal. And because Maven Ant Tasks is required so early in our build, we can't use exclusion rules to re-write the plexus-utils2 dependency since Maven Ant Tasks is what resolves those exclusions in the first place.
   
   It might be possible to simplify to two POMs, by removing `apache-cassandra-build-deps.pom`. I'm not clear on why that's necessary when Maven already supports different classpath scopes for dependencies (compile, provided, test, etc), and we could ideally include all the build dependencies in `apache-cassandra.pom` with the compile scope.
   
   I agree that this adds some pain to dependency management for contributors. I tried to simplify this as much as possible with my changes in f80da9b, by centralizing all dependency versions and scopes in the parent POM, and making the child POMs reference those.
   
   Do you have any other thoughts on this approach before I share this discussion with the dev list?


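The centralized-version pattern described in the comment above, shown as an added illustration that is not part of this PR or of the Cassandra build files: the parent POM pins each dependency's version and scope once under dependencyManagement, and the child POMs reference the artifact by coordinates only, so a single edit moves every module off a vulnerable release. The group and artifact coordinates of the parent and child, the property name, and the plexus-utils version are placeholders chosen for the example, not the values used in the PR.

```xml
<!-- Parent POM (hypothetical coordinates): the only place a version or scope is declared. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-parent</artifactId>
  <version>1.0.0</version>
  <packaging>pom</packaging>

  <properties>
    <!-- Placeholder value: pick a plexus-utils release not affected by CVE-2017-1000487. -->
    <plexus-utils.version>3.0.24</plexus-utils.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Version and scope live here; children inherit them and cannot silently drift. -->
      <dependency>
        <groupId>org.codehaus.plexus</groupId>
        <artifactId>plexus-utils</artifactId>
        <version>${plexus-utils.version}</version>
        <scope>compile</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>

<!-- Child POM (hypothetical coordinates): references the artifact without a version. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.example</groupId>
    <artifactId>example-parent</artifactId>
    <version>1.0.0</version>
  </parent>
  <artifactId>example-module</artifactId>

  <dependencies>
    <!-- No <version> or <scope>: both are resolved from the parent's dependencyManagement. -->
    <dependency>
      <groupId>org.codehaus.plexus</groupId>
      <artifactId>plexus-utils</artifactId>
    </dependency>
  </dependencies>
</project>
```

The effect of the managed version can be checked with `mvn dependency:tree` in the child module, which should show plexus-utils at the parent's pinned version rather than whatever a transitive dependency requested.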
-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: pr-unsubscribe@cassandra.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


For additional commands, e-mail: pr-help@cassandra.apache.org