Posted to dev@tika.apache.org by "Bill Sterns (Jira)" <ji...@apache.org> on 2022/08/17 23:04:00 UTC

[jira] [Created] (TIKA-3838) Failure when building Tika 2.4.1 due to ossindex-maven-plugin warning

Bill Sterns created TIKA-3838:
---------------------------------

             Summary: Failure when building Tika 2.4.1 due to ossindex-maven-plugin warning
                 Key: TIKA-3838
                 URL: https://issues.apache.org/jira/browse/TIKA-3838
             Project: Tika
          Issue Type: Bug
          Components: build
    Affects Versions: 2.4.1
            Reporter: Bill Sterns


I'm getting a failure when building Tika 2.4.1 due to a vulnerability warning. The build fails when building tika-transcribe-aws.

I downloaded tika-2.4.1-src.zip, extracted the contents, then ran "mvn clean install -Dmaven.wagon.http.ssl.insecure=true -DskipTests" to build Tika. The failure is below:

[INFO] ----------------< org.apache.tika:tika-transcribe-aws >-----------------
[INFO] Building Apache Tika transcribe aws 2.4.1                         [1/52]
[INFO] -------------------------------[ bundle ]-------------------------------
[INFO]
[INFO] --- ossindex-maven-plugin:3.2.0:audit (audit-dependencies) @ tika-transcribe-aws ---
[INFO] Checking for vulnerabilities; 26 artifacts
[INFO] Exclude coordinates: [com.ibm.icu:icu4j:62.2, com.google.guava:guava:31.1-jre, org.apache.lucene:lucene-queryparser:4.0.0, com.drewnoakes:metadata-extractor:2.18.0, io.netty:netty-handler:4.1.77.Final, log4j:log4j:1.2.17, xerces:xercesImpl:2.12.2, com.h2database:h2:2.1.212, commons-dbcp:commons-dbcp:1.4]
[INFO] Exclude vulnerability identifiers: []
[INFO] CVSS-score threshold: 0.0
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for Apache Tika 2.4.1:
[INFO] Apache Tika transcribe aws ......................... FAILURE [  0.814 s]
...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  3.645 s
[INFO] Finished at: 2022-08-17T16:52:44-05:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (audit-dependencies) on project tika-transcribe-aws: Detected 1 vulnerable components:
[ERROR]   com.amazonaws:aws-java-sdk-s3:jar:1.12.237:compile; https://ossindex.sonatype.org/component/pkg:maven/com.amazonaws/aws-java-sdk-s3@1.12.237?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR]     * [CVE-2022-31159] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2022-31159?component-type=maven&component-name=com.amazonaws%2Faws-java-sdk-s3&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR]
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException


