Posted to issues@maven.apache.org by "Sylwester Lachiewicz (Jira)" <ji...@apache.org> on 2021/11/13 21:41:00 UTC

[jira] [Assigned] (MDEP-765) Some goals result in download of Struts 1.3.8 POMs

     [ https://issues.apache.org/jira/browse/MDEP-765?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sylwester Lachiewicz reassigned MDEP-765:
-----------------------------------------

    Assignee: Sylwester Lachiewicz

> Some goals result in download of Struts 1.3.8 POMs
> --------------------------------------------------
>
>                 Key: MDEP-765
>                 URL: https://issues.apache.org/jira/browse/MDEP-765
>             Project: Maven Dependency Plugin
>          Issue Type: Bug
>          Components: copy-dependencies, unpack-dependencies
>    Affects Versions: 3.2.0
>            Reporter: Andrew Swan
>            Assignee: Sylwester Lachiewicz
>            Priority: Minor
>              Labels: security, struts
>
> h1. Problem
> Executing certain goals of the {{dependency}} plugin (for example {{copy-dependencies}} and {{unpack-dependencies}}) causes various Struts 1.3.8 POMs to be downloaded to the user's local Maven repository. This version of Struts has known security vulnerabilities.
> h1. Reproduction
> Here's a minimal POM that demonstrates the problem:
> {code:xml}
> <?xml version="1.0" encoding="UTF-8"?>
> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
>     <modelVersion>4.0.0</modelVersion>
>     <groupId>org.example</groupId>
>     <artifactId>dependency-plugin-demo</artifactId>
>     <version>1.0-SNAPSHOT</version>
>     <build>
>         <pluginManagement>
>             <plugins>
>                 <plugin>
>                     <groupId>org.apache.maven.plugins</groupId>
>                     <artifactId>maven-dependency-plugin</artifactId>
>                     <version>3.2.0</version>
>                 </plugin>
>             </plugins>
>         </pluginManagement>
>     </build>
> </project>{code}
> Running {{mvn dependency:copy-dependencies}} results in the following output:
> {code:java}
> [INFO] Scanning for projects...
> [INFO] 
> [INFO] -----------------< org.example:dependency-plugin-demo >-----------------
> [INFO] Building dependency-plugin-demo 1.0-SNAPSHOT
> [INFO] --------------------------------[ jar ]---------------------------------
> [INFO] 
> [INFO] --- maven-dependency-plugin:3.2.0:copy-dependencies (default-cli) @ dependency-plugin-demo ---
> Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom
> Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom (4.3 kB at 2.8 kB/s)
> Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-parent/1.3.8/struts-parent-1.3.8.pom
> Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-parent/1.3.8/struts-parent-1.3.8.pom (9.8 kB at 21 kB/s)
> Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-master/4/struts-master-4.pom
> Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-master/4/struts-master-4.pom (11 kB at 25 kB/s)
> Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.pom
> Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.pom (3.1 kB at 6.4 kB/s)
> Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-tiles/1.3.8/struts-tiles-1.3.8.pom
> Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-tiles/1.3.8/struts-tiles-1.3.8.pom (2.9 kB at 5.2 kB/s)
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time:  4.297 s
> [INFO] Finished at: 2021-09-09T14:18:10+10:00
> [INFO] ------------------------------------------------------------------------{code}
> h1. Workaround
> One workaround is to downgrade to version 2.8 of the plugin; however, this may also require the user to modify their plugin configuration, because the semantics of configuration options like {{includeScope}} have changed even between minor versions 3.1.2 and 3.2.0.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
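A defender-side check, added here and not part of the issue or the plugin: it parses Maven's "Downloading/Downloaded from" lines into coordinates, flags fetches that match a watch list, and reports the file type, which separates the POM-only resolution the issue shows from an actual jar download. The log lines are the issue's own plus one constructed jar fetch; the watch-list shape and the function names are assumptions.

```python
import re
from urllib.parse import urlparse

# Maven resolver log lines for remote fetches: "Downloading from <repoId>: <url>".
DOWNLOAD_RE = re.compile(r"^Download(?:ing|ed) from (?P<repo>\S+): (?P<url>https?://\S+)")

# Coordinates to flag (constructed from the issue's log); "*" matches every artifactId in the group.
WATCH_LIST = [("org.apache.struts", "*", "1.3.8")]

# Sample input: the issue's own log lines plus one constructed jar fetch from central.
SAMPLE_LOG = [
    "Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom",
    "Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom (4.3 kB at 2.8 kB/s)",
    "Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-parent/1.3.8/struts-parent-1.3.8.pom (9.8 kB at 21 kB/s)",
    "Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-master/4/struts-master-4.pom (11 kB at 25 kB/s)",
    "Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.pom (3.1 kB at 6.4 kB/s)",
    "Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-tiles/1.3.8/struts-tiles-1.3.8.pom (2.9 kB at 5.2 kB/s)",
    "Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.jar (constructed)",
]

def parse_maven_url(url):
    """Split a Maven-2-layout URL into (group_dirs, artifact_id, version, file_name)."""
    parts = urlparse(url).path.strip("/").split("/")
    # Artifact files are <artifactId>-<version>[-classifier].<ext>; skip metadata and listings.
    if len(parts) < 4 or not parts[-1].startswith(f"{parts[-3]}-{parts[-2]}"):
        return None
    return parts[:-3], parts[-3], parts[-2], parts[-1]

def matches(group_dirs, artifact_id, version, watch):
    group, wanted_artifact, wanted_version = watch
    group_path = group.split(".")
    # The repository base path precedes the group directories, so compare the suffix only.
    return (group_dirs[-len(group_path):] == group_path
            and wanted_artifact in ("*", artifact_id) and wanted_version == version)

def scan_maven_log(lines, watch_list=WATCH_LIST):
    """Return unique (repo_id, groupId:artifactId:version, file_name) findings in log order."""
    findings, seen = [], set()
    for line in lines:
        m = DOWNLOAD_RE.match(line.strip())
        parsed = parse_maven_url(m.group("url")) if m else None
        if parsed is None:
            continue
        group_dirs, artifact_id, version, file_name = parsed
        for watch in watch_list:
            coord = f"{watch[0]}:{artifact_id}:{version}"
            if matches(group_dirs, artifact_id, version, watch) and (coord, file_name) not in seen:
                seen.add((coord, file_name))
                findings.append((m.group("repo"), coord, file_name))
    return findings
```

Run it over a saved `mvn -B ... copy-dependencies` log; a finding ending in `.pom` means only metadata was resolved, while a `.jar` finding means the vulnerable artifact itself was fetched.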