Posted to commits@maven.apache.org by mi...@apache.org on 2022/07/18 15:59:53 UTC

[maven] branch maven-3.9.x updated: [MNG-7513] Address commons-io_commons-io vulnerability found in maven latest version

This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a commit to branch maven-3.9.x
in repository https://gitbox.apache.org/repos/asf/maven.git


The following commit(s) were added to refs/heads/maven-3.9.x by this push:
     new f164ab5f8 [MNG-7513] Address commons-io_commons-io vulnerability found in maven latest version
f164ab5f8 is described below

commit f164ab5f89c85657f6f5d8a6c05978e60c87dcc5
Author: Michael Osipov <mi...@apache.org>
AuthorDate: Mon Jul 18 15:09:01 2022 +0200

    [MNG-7513] Address commons-io_commons-io vulnerability found in maven latest version
    
    We can safely remove Commons IO altogether because it is not used in any direct or
    transitive use case at compile time or runtime.
    
    This closes #771
---
 maven-core/pom.xml                                   |  5 +++++
 .../org/apache/maven/project/ProjectBuilderTest.java |  9 ++++-----
 maven-embedder/pom.xml                               |  5 +++++
 pom.xml                                              | 20 ++++++++++++++++++++
 4 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/maven-core/pom.xml b/maven-core/pom.xml
index 5d7c10a0d..77d17a0e9 100644
--- a/maven-core/pom.xml
+++ b/maven-core/pom.xml
@@ -147,6 +147,11 @@ under the License.
       <artifactId>commons-jxpath</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.mockito</groupId>
       <artifactId>mockito-core</artifactId>
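Review bot: This hunk keeps commons-io as a test-scoped dependency of maven-core (and the maven-embedder hunk at L100-L104 does the same) while the commit message says Commons IO is removed altogether, so anyone auditing the dependency tree will still find commons-io under test scope and wonder whether the removal is complete. A short comment on the dependency would settle that, e.g. `<!-- test-only: ProjectBuilderTest uses commons-io FileUtils; runtime artifacts exclude commons-io via the root pom -->`. The version is deliberately omitted here and presumably resolves from the root pom's dependencyManagement entry added in this same commit, which is fine as long as the two hunks always land together.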
diff --git a/maven-core/src/test/java/org/apache/maven/project/ProjectBuilderTest.java b/maven-core/src/test/java/org/apache/maven/project/ProjectBuilderTest.java
index aae5f24ba..6e86aab73 100644
--- a/maven-core/src/test/java/org/apache/maven/project/ProjectBuilderTest.java
+++ b/maven-core/src/test/java/org/apache/maven/project/ProjectBuilderTest.java
@@ -34,6 +34,7 @@ import java.util.List;
 import java.util.Properties;
 import java.util.concurrent.atomic.AtomicInteger;
 
+import org.apache.commons.io.FileUtils;
 import org.apache.maven.AbstractCoreMavenComponentTestCase;
 import org.apache.maven.artifact.InvalidArtifactRTException;
 import org.apache.maven.execution.MavenSession;
@@ -41,8 +42,6 @@ import org.apache.maven.model.Plugin;
 import org.apache.maven.model.building.FileModelSource;
 import org.apache.maven.model.building.ModelBuildingRequest;
 import org.apache.maven.model.building.ModelSource;
-import org.apache.maven.shared.utils.io.FileUtils;
-
 
 public class ProjectBuilderTest
     extends AbstractCoreMavenComponentTestCase
@@ -159,7 +158,7 @@ public class ProjectBuilderTest
         // of DefaultModelBuilder.getCache() are affected by MNG-6530
 
         Path tempDir = Files.createTempDirectory( null );
-        FileUtils.copyDirectoryStructure ( new File( "src/test/resources/projects/grandchild-check" ), tempDir.toFile() );
+        FileUtils.copyDirectory( new File( "src/test/resources/projects/grandchild-check" ), tempDir.toFile() );
         try
         {
             MavenSession mavenSession = createMavenSession( null );
@@ -171,10 +170,10 @@ public class ProjectBuilderTest
             projectBuilder.build( child, configuration );
             // modify parent
             File parent = new File( tempDir.toFile(), "pom.xml" );
-            String parentContent = FileUtils.fileRead( parent );
+            String parentContent = FileUtils.readFileToString( parent, "UTF-8" );
             parentContent = parentContent.replaceAll( "<packaging>pom</packaging>",
                     "<packaging>pom</packaging><properties><addedProperty>addedValue</addedProperty></properties>" );
-            FileUtils.fileWrite( parent, "UTF-8", parentContent );
+            FileUtils.write( parent, parentContent, "UTF-8" );
             // re-build pom with modified parent
             ProjectBuildingResult result = projectBuilder.build( child, configuration );
             assertThat( result.getProject().getProperties(), hasKey( (Object) "addedProperty" ) );
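Review bot: The two changed lines pass the charset as the string literal "UTF-8", which commons-io resolves by name at runtime; the 2.11.0 API has Charset overloads for both calls, so `String parentContent = FileUtils.readFileToString( parent, StandardCharsets.UTF_8 );` and `FileUtils.write( parent, parentContent, StandardCharsets.UTF_8 );` make the encoding a compile-time constant and drop the name lookup. That needs `import java.nio.charset.StandardCharsets;` in the import block touched by the earlier hunk, unless the file already has it. The enclosing test method begins before this hunk and continues past it, so whether the try block's finally removes tempDir is not visible here.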
diff --git a/maven-embedder/pom.xml b/maven-embedder/pom.xml
index 9142dfaaa..2b7a4f6b2 100644
--- a/maven-embedder/pom.xml
+++ b/maven-embedder/pom.xml
@@ -146,6 +146,11 @@ under the License.
       <groupId>commons-cli</groupId>
       <artifactId>commons-cli</artifactId>
     </dependency>
+    <dependency>
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>
diff --git a/pom.xml b/pom.xml
index 2e426bf1c..93438096e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -50,6 +50,7 @@ under the License.
     <javaVersion>8</javaVersion>
     <classWorldsVersion>2.6.0</classWorldsVersion>
     <commonsCliVersion>1.4</commonsCliVersion>
+    <commonsIoVersion>2.11.0</commonsIoVersion>
     <commonsLangVersion>3.8.1</commonsLangVersion>
     <junitVersion>4.13.2</junitVersion>
     <mockitoVersion>2.21.0</mockitoVersion>
@@ -339,6 +340,13 @@ under the License.
         <groupId>org.apache.maven.shared</groupId>
         <artifactId>maven-shared-utils</artifactId>
         <version>3.3.4</version>
+        <exclusions>
+          <!-- We use org.apache.maven.shared.utils.logging only in Maven Core -->
+          <exclusion>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+          </exclusion>
+        </exclusions>
       </dependency>
       <dependency>
         <groupId>org.fusesource.jansi</groupId>
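Review bot: Excluding commons-io from maven-shared-utils here (and from wagon-http at L138-L144) turns any code path in those libraries that does reach a commons-io class into a NoClassDefFoundError at runtime, and the comment on L125 only says what Maven Core uses, not that the used package has no commons-io references or how that was checked. Since the dependencyManagement entry added at L152-L156 already pins any remaining transitive commons-io to 2.11.0, the exclusions are a hardening step on top of the version fix rather than the fix itself, and the comment should make that reasoning auditable, e.g. `<!-- commons-io excluded: Maven Core uses only org.apache.maven.shared.utils.logging, which does not reference commons-io; any other transitive copy is pinned to ${commonsIoVersion} via dependencyManagement below -->`, if that is indeed what was verified. The `<!-- Not used at all -->` comment on the wagon-http exclusion likewise should say what is not used and by whom. A maven-enforcer bannedDependencies rule for commons-io in non-test scope would keep the exclusions from silently regressing when either library is upgraded.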
@@ -377,6 +385,13 @@ under the License.
         <groupId>org.apache.maven.wagon</groupId>
         <artifactId>wagon-http</artifactId>
         <version>${wagonVersion}</version>
+        <exclusions>
+          <!-- Not used at all -->
+          <exclusion>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+          </exclusion>
+        </exclusions>
       </dependency>
       <!--  Repository -->
       <dependency>
@@ -435,6 +450,11 @@ under the License.
           </exclusion>
         </exclusions>
       </dependency>
+      <dependency>
+        <groupId>commons-io</groupId>
+        <artifactId>commons-io</artifactId>
+        <version>${commonsIoVersion}</version>
+      </dependency>
       <dependency>
         <groupId>commons-jxpath</groupId>
         <artifactId>commons-jxpath</artifactId>