Posted to issues@maven.apache.org by "Jörg Hohwiller (Jira)" <ji...@apache.org> on 2021/12/13 15:40:00 UTC

[jira] [Commented] (MNG-7359) Dependency-Management insufficient to cope with today's security threats

    [ https://issues.apache.org/jira/browse/MNG-7359?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458488#comment-17458488 ] 

Jörg Hohwiller commented on MNG-7359:
-------------------------------------

According to my analysis with current maven (3.x) it behaves as follows:
* The first declaration in dependencyManagement overrides later declarations - e.g. when importing multiple BOMs
* When I add a dependency or import a BOM in a child POM, it will automatically override anything from the parent POM.
 
In general this gives me some kind of control so the parent does not "block" me. However, all this behaviour is rather opaque and I do not know if it is even documented.
Obviously it is kind of complex both for the developer writing POMs as well as for developers crafting maven.
However, I would just like to ask if you can think about some feature in maven (potentially 4.x+) to ensure something like my requirement to say "whenever you choose X as dependency you have to use AT LEAST version Y" in a POM that will then apply for all derived POMs.

Maybe the strategy for how to choose between multiple versions for the same artifact in dependencyManagement should be revisited. Instead of deciding by order (first declaration wins), a decision of "latest is greatest" would be more beneficial for CVEs. However, there will always be cases where I want to have some kind of manual override in my actual POM.
However, my thoughts are:
* In my child POM I always have control by adding an explicit dependency with the version included to override any dependencyManagement.
* When I want to express this "whenever you choose X as dependency you have to use AT LEAST version Y" from a security point of view, it may make sense to add a new way to explicitly express this in dependencyManagement of a new extended model for maven 4.x due to backward compatibility. Making things explicit is also always a good idea. While current dependencyManagement is more something like a "recommendation", the new feature from a security PoV is something else: a hard constraint, as I want to express "use at least version Y because older versions are insecure".
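As an added example (not code from this Jira thread or from Maven itself) of the "at least version Y" rule the comment asks for, the script below applies such a policy after resolution: it parses `mvn dependency:list` output and reports every constrained artifact that resolved below its minimum. The policy entries, the sample list lines and the simplified version ordering are assumptions of the example, and the minimum versions are placeholders, not CVE fix levels.

```python
import re
from typing import Dict, List, Tuple

# Constructed policy ("whenever you choose X, use at least Y").
# Versions are placeholders for the example, not CVE fix levels.
MIN_VERSIONS: Dict[str, str] = {
    "org.apache.logging.log4j:log4j-core": "2.17.0",
    "com.fasterxml.jackson.core:jackson-databind": "2.13.1",
}

# Constructed sample of `mvn dependency:list` output; the banner line
# must be ignored, only group:artifact:type:version:scope lines count.
SAMPLE_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.1:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.32-SNAPSHOT:runtime
"""

# group:artifact:type[:classifier]:version:scope
DEP_RE = re.compile(
    r"^\s*(?:\[INFO\]\s+)?([\w.-]+):([\w.-]+):\w+(?::[\w.-]+)?:([\w.-]+):\w+\s*$"
)

def version_key(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Simplified approximation of Maven's ComparableVersion: numeric
    segments (trailing zeros dropped, so 2.17 == 2.17.0), then a plain
    release sorts above any qualifier such as -rc1 or -SNAPSHOT."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.](.+))?$", version)
    if not m:
        return ((), 0, version)  # unparsable: treat as lowest so it is flagged
    nums = [int(x) for x in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    qualifier = (m.group(2) or "").lower()
    return (tuple(nums), 0 if qualifier else 1, qualifier)

def parse_dependency_list(text: str) -> Dict[str, str]:
    """Map group:artifact -> resolved version; non-dependency lines are skipped."""
    resolved: Dict[str, str] = {}
    for line in text.splitlines():
        m = DEP_RE.match(line)
        if m:
            resolved[f"{m.group(1)}:{m.group(2)}"] = m.group(3)
    return resolved

def minimum_version_violations(resolved: Dict[str, str], policy: Dict[str, str]) -> List[str]:
    """One entry per constrained artifact that is present but older than its minimum."""
    return [f"{ga}: {resolved[ga]} < {minimum}" for ga, minimum in policy.items()
            if ga in resolved and version_key(resolved[ga]) < version_key(minimum)]

if __name__ == "__main__":
    for v in minimum_version_violations(parse_dependency_list(SAMPLE_LIST), MIN_VERSIONS):
        print("VIOLATION", v)
```

Run against real output with `mvn dependency:list | python3 check_min_versions.py` after replacing `SAMPLE_LIST` with `sys.stdin.read()`; a non-empty violation list is the build-breaking signal the comment's proposed constraint would give natively.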

> Dependency-Management insufficient to cope with today's security threats
> -----------------------------------------------------------------------
>
>                 Key: MNG-7359
>                 URL: https://issues.apache.org/jira/browse/MNG-7359
>             Project: Maven
>          Issue Type: Improvement
>            Reporter: Jörg Hohwiller
>            Priority: Major
>
> Maven is a great and flexible tool. However, today critical CVEs come up every day (see log4j disaster). The idea of maven is that via some parent POM build logic can be reused to manage and maintain bigger projects.
> To fix such CVE I tried to update the version of log4j in parent pom and imported the BOM of log4j. However, this does not help and projects derived from that pom still load vulnerable versions of log4j as they get it from transitive dependencies.
> What is required in maven is some configuration in dependencyManagement to tell maven "Hey, whenever you choose X as dependency you have to use AT LEAST version Y". However, maven is lacking this feature and hence fixing CVEs is error prone and leads to unexpected results.
> Maybe the new maven major version gives the opportunity to address this issue. In case it was already addressed and I missed this somehow, simply close as invalid and sorry for the spam.
> Side note: Also a maven repo should somehow have the ability to mark releases with critical CVEs so the download is either aborted (maybe unintended) or at least a FAT WARNING is logged whenever that dependency is pulled.
> Maybe in today's world of cyberwar it would even be suitable to have a tool like owasp-dependency-check built into maven natively by default...



--
This message was sent by Atlassian Jira
(v8.20.1#820001)