Posted to issues@maven.apache.org by "Nico Werlein (Jira)" <ji...@apache.org> on 2020/02/25 09:17:00 UTC

[jira] [Comment Edited] (MDEP-626) Upgrade struts and xerces due to CVEs

    [ https://issues.apache.org/jira/browse/MDEP-626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17044277#comment-17044277 ] 

Nico Werlein edited comment on MDEP-626 at 2/25/20 9:16 AM:
------------------------------------------------------------

On _master_ {{org.apache.struts:struts-core:jar:1.3.8}} is still part of the dependency tree, i.e. doing the following

{{git clone [https://github.com/apache/maven-dependency-plugin.git]}}
{{cd maven-dependency-plugin}}
{{mvn dependency:tree}}

results in the subsequent output:

{{[...]}}
{{[INFO] +- org.apache.maven.doxia:doxia-site-renderer:jar:1.9:compile}}
{{[INFO] | +- org.apache.maven.doxia:doxia-skin-model:jar:1.9:compile}}
{{[INFO] | +- org.apache.maven.doxia:doxia-module-xhtml:jar:1.9:compile}}
{{[INFO] | +- org.apache.maven.doxia:doxia-module-xhtml5:jar:1.9:compile}}
{{[INFO] | +- org.codehaus.plexus:plexus-i18n:jar:1.0-beta-10:compile}}
{{[INFO] | +- org.codehaus.plexus:plexus-velocity:jar:1.2:compile}}
{{[INFO] | +- org.apache.velocity:velocity:jar:1.7:compile}}
{{[INFO] | - org.apache.velocity:velocity-tools:jar:2.0:compile}}
{{[INFO] | +- commons-beanutils:commons-beanutils:jar:1.7.0:compile}}
{{[INFO] | +- commons-digester:commons-digester:jar:1.8:compile}}
{{[INFO] | +- commons-chain:commons-chain:jar:1.1:compile}}
{{[INFO] | +- commons-validator:commons-validator:jar:1.3.1:compile}}
{{[INFO] | +- dom4j:dom4j:jar:1.1:compile}}
{{[INFO] | +- oro:oro:jar:2.0.8:compile}}
{{[INFO] | +- sslext:sslext:jar:1.2-0:compile}}
{{[INFO] | +- org.apache.struts:struts-core:jar:1.3.8:compile}}
{{[INFO] | | - antlr:antlr:jar:2.7.2:compile}}
{{[INFO] | +- org.apache.struts:struts-taglib:jar:1.3.8:compile}}
{{[INFO] | - org.apache.struts:struts-tiles:jar:1.3.8:compile}}
{{[...]}}

> Upgrade struts and xerces due to CVEs
> -------------------------------------
>
>                 Key: MDEP-626
>                 URL: https://issues.apache.org/jira/browse/MDEP-626
>             Project: Maven Dependency Plugin
>          Issue Type: Dependency upgrade
>          Components: get
>    Affects Versions: 3.1.1
>            Reporter: Richard Cross
>            Assignee: Karl Heinz Marbaise
>            Priority: Major
>             Fix For: 3.1.2
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> If running behind a proxy (e.g. Nexus) with a security vulnerability scanner (e.g. Nexus IQ), the get command (and possibly others) fails due to a dependency on libraries deemed "vulnerable".
>  
> {code:java}
> [ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get (default-cli) on project project1-sample: Execution default-cli of goal org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get failed: Plugin org.apache.maven.plugins:maven-dependency-plugin:LATEST or one of its dependencies could not be resolved: The following artifacts could not be resolved: xerces:xercesImpl:jar:2.9.1, org.apache.struts:struts-core:jar:1.3.8: Could not transfer artifact xerces:xercesImpl:jar:2.9.1 from/to efx.nexus (https://mynexusserver/nexus/repository/maven-public/): Access denied to: https://mynexusserver/nexus/repository/maven-public/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar , ReasonPhrase:Requested item is quarantined. -> [Help 1]
> {code}
> struts2-core 1.3.8 has 4 CVEs against it - "safe" versions are 2.3.35 or 2.5.17
> xercesImpl 2.9.1 has 2 CVEs and a Sonatype security warning - 2.12.0 is better, although still problematic.
>  
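An added example, not part of the Jira thread: a small Python parser for the `mvn dependency:tree` output quoted in the comment above that reports the artifact versions the issue names (struts-core 1.3.8, xercesImpl 2.9.1) together with the direct dependency that pulls each one in, which is what decides whether an exclusion or an upgrade of that direct dependency is the right fix. The tree text is constructed, with the indentation Maven prints restored, and the root coordinate is a placeholder.

```python
import re

# Constructed sample in the shape `mvn dependency:tree` prints; the comment's copy
# lost its indentation, restored here so parent/child links can be recovered.
# The root coordinate is a placeholder, not a real project.
SAMPLE_TREE = """\
[INFO] example.org:sample-app:jar:1.0
[INFO] +- org.apache.maven.doxia:doxia-site-renderer:jar:1.9:compile
[INFO] |  +- org.apache.maven.doxia:doxia-skin-model:jar:1.9:compile
[INFO] |  \\- org.apache.velocity:velocity-tools:jar:2.0:compile
[INFO] |     +- commons-beanutils:commons-beanutils:jar:1.7.0:compile
[INFO] |     +- org.apache.struts:struts-core:jar:1.3.8:compile
[INFO] |     |  \\- antlr:antlr:jar:2.7.2:compile
[INFO] |     \\- org.apache.struts:struts-tiles:jar:1.3.8:compile
[INFO] \\- xerces:xercesImpl:jar:2.9.1:compile
"""

# groupId:artifactId -> versions the issue reports as quarantined by the scanner.
FLAGGED = {"org.apache.struts:struts-core": {"1.3.8"}, "xerces:xercesImpl": {"2.9.1"}}
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# "[INFO] " + depth cells of 3 chars ("|  " or "   ") + optional "+- " / "\- "
# + a coordinate (must contain ':', so "[INFO] [...]" and status lines are skipped).
LINE_RE = re.compile(r"^\[INFO\] ((?:[| ] {2})*)([+\\]- )?(\S+:\S+)$")

def parse_tree(text):
    """Yield (coordinate, ancestors) for every node; ancestors run root -> parent."""
    stack = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        cells, marker, coord = m.groups()
        depth = len(cells) // 3 + (1 if marker else 0)
        del stack[depth:]                  # pop back to this node's parent level
        stack.append(coord)
        yield coord, stack[:-1]

def find_flagged(text, flagged=FLAGGED):
    """Report flagged artifacts with the direct dependency that drags each one in."""
    hits = []
    for coord, ancestors in parse_tree(text):
        parts = coord.split(":")           # g:a:type[:classifier]:version[:scope]
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        ga = ":".join(parts[:2])
        if version in flagged.get(ga, ()):
            hits.append({"artifact": ga, "version": version, "depth": len(ancestors),
                         "direct": ancestors[1] if len(ancestors) > 1 else coord,
                         "path": " -> ".join(ancestors[1:] + [coord])})
    return hits
```

Feed it the real output (`mvn dependency:tree > tree.txt`) instead of `SAMPLE_TREE` to see which direct dependency of the plugin carries each quarantined artifact.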



--
This message was sent by Atlassian Jira
(v8.3.4#803005)