Posted to commits@maven.apache.org by mi...@apache.org on 2022/07/18 15:27:50 UTC

[maven] branch MNG-7513 updated (aa743a622 -> efa9f0c67)

This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a change to branch MNG-7513
in repository https://gitbox.apache.org/repos/asf/maven.git


 discard aa743a622 [MNG-7513] Address commons-io_commons-io vulnerability found in maven latest version
     new efa9f0c67 [MNG-7513] Address commons-io_commons-io vulnerability found in maven latest version

This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version.  This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:

 * -- * -- B -- O -- O -- O   (aa743a622)
            \
             N -- N -- N   refs/heads/MNG-7513 (efa9f0c67)

You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.

Any revisions marked "omit" are not gone; other references still
refer to them.  Any revisions marked "discard" are gone forever.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:


[maven] 01/01: [MNG-7513] Address commons-io_commons-io vulnerability found in maven latest version

Posted by mi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a commit to branch MNG-7513
in repository https://gitbox.apache.org/repos/asf/maven.git

commit efa9f0c67888c0d88e6611560994c8c00ca92491
Author: Michael Osipov <mi...@apache.org>
AuthorDate: Mon Jul 18 15:09:01 2022 +0200

    [MNG-7513] Address commons-io_commons-io vulnerability found in maven latest version
    
    We can safely remove Commons IO from the runtime altogether because no direct or
    transitive use of it exists at compile time or runtime; it remains only as a test-scoped dependency.
    
    This closes #771
---
 maven-core/pom.xml                                 | 10 +++++
 .../apache/maven/project/ProjectBuilderTest.java   | 48 +++++++++-------------
 maven-embedder/pom.xml                             |  5 +++
 pom.xml                                            | 20 +++++++++
 4 files changed, 55 insertions(+), 28 deletions(-)

diff --git a/maven-core/pom.xml b/maven-core/pom.xml
index f46fdeb1d..61461c8ab 100644
--- a/maven-core/pom.xml
+++ b/maven-core/pom.xml
@@ -160,6 +160,11 @@ under the License.
       <artifactId>commons-jxpath</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.mockito</groupId>
       <artifactId>mockito-core</artifactId>
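Review bot: The new test-scoped commons-io entry undercuts the commit message's "remove Commons IO altogether": it is still resolved on every build of maven-core, and dependency scanners that read the POM rather than the distribution will keep reporting it, so the scope deserves a comment saying it is deliberate and ships nowhere. Something like `<!-- test only (directory copy in ProjectBuilderTest); excluded from the runtime classpath via the root dependencyManagement -->` above the dependency records that for the next person who runs a scanner against this module. The version is inherited from the root dependencyManagement, so leaving it out here is fine.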
@@ -175,6 +180,11 @@ under the License.
       <artifactId>xmlunit-assertj</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-api</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.junit.jupiter</groupId>
       <artifactId>junit-jupiter-params</artifactId>
diff --git a/maven-core/src/test/java/org/apache/maven/project/ProjectBuilderTest.java b/maven-core/src/test/java/org/apache/maven/project/ProjectBuilderTest.java
index 5590b9f72..8cc47a853 100644
--- a/maven-core/src/test/java/org/apache/maven/project/ProjectBuilderTest.java
+++ b/maven-core/src/test/java/org/apache/maven/project/ProjectBuilderTest.java
@@ -20,7 +20,6 @@ package org.apache.maven.project;
  */
 
 import java.io.File;
-import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -28,6 +27,7 @@ import java.util.List;
 import java.util.Properties;
 import java.util.concurrent.atomic.AtomicInteger;
 
+import org.apache.commons.io.FileUtils;
 import org.apache.maven.AbstractCoreMavenComponentTestCase;
 import org.apache.maven.execution.MavenSession;
 import org.apache.maven.model.Plugin;
@@ -35,8 +35,8 @@ import org.apache.maven.model.building.FileModelSource;
 import org.apache.maven.model.building.ModelBuildingRequest;
 import org.apache.maven.model.building.ModelProblem;
 import org.apache.maven.model.building.ModelSource;
-import org.apache.maven.shared.utils.io.FileUtils;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
 
 import static org.apache.maven.project.ProjectBuildingResultWithLocationMatcher.projectBuildingResultWithLocation;
 import static org.apache.maven.project.ProjectBuildingResultWithProblemMessageMatcher.projectBuildingResultWithProblemMessage;
@@ -166,35 +166,27 @@ public class ProjectBuilderTest
     }
 
     @Test
-    public void testReadModifiedPoms() throws Exception {
+    public void testReadModifiedPoms( @TempDir Path tempDir ) throws Exception {
         // TODO a similar test should be created to test the dependency management (basically all usages
         // of DefaultModelBuilder.getCache() are affected by MNG-6530
 
-        Path tempDir = Files.createTempDirectory( null );
-        FileUtils.copyDirectoryStructure ( new File( "src/test/resources/projects/grandchild-check" ), tempDir.toFile() );
-        try
-        {
-            MavenSession mavenSession = createMavenSession( null );
-            ProjectBuildingRequest configuration = new DefaultProjectBuildingRequest();
-            configuration.setRepositorySession( mavenSession.getRepositorySession() );
-            org.apache.maven.project.ProjectBuilder projectBuilder = getContainer().lookup( org.apache.maven.project.ProjectBuilder.class );
-            File child = new File( tempDir.toFile(), "child/pom.xml" );
-            // build project once
-            projectBuilder.build( child, configuration );
-            // modify parent
-            File parent = new File( tempDir.toFile(), "pom.xml" );
-            String parentContent = FileUtils.fileRead( parent );
-            parentContent = parentContent.replaceAll( "<packaging>pom</packaging>",
-                     "<packaging>pom</packaging><properties><addedProperty>addedValue</addedProperty></properties>" );
-            FileUtils.fileWrite( parent, "UTF-8", parentContent );
-            // re-build pom with modified parent
-            ProjectBuildingResult result = projectBuilder.build( child, configuration );
-            assertThat( result.getProject().getProperties(), hasKey( (Object) "addedProperty" ) );
-        }
-        finally
-        {
-            FileUtils.deleteDirectory( tempDir.toFile() );
-        }
+        FileUtils.copyDirectory( new File( "src/test/resources/projects/grandchild-check" ), tempDir.toFile() );
+        MavenSession mavenSession = createMavenSession( null );
+        ProjectBuildingRequest configuration = new DefaultProjectBuildingRequest();
+        configuration.setRepositorySession( mavenSession.getRepositorySession() );
+        org.apache.maven.project.ProjectBuilder projectBuilder = getContainer().lookup( org.apache.maven.project.ProjectBuilder.class );
+        File child = new File( tempDir.toFile(), "child/pom.xml" );
+        // build project once
+        projectBuilder.build( child, configuration );
+        // modify parent
+        File parent = new File( tempDir.toFile(), "pom.xml" );
+        String parentContent = FileUtils.readFileToString( parent, "UTF-8" );
+        parentContent = parentContent.replaceAll( "<packaging>pom</packaging>",
+                 "<packaging>pom</packaging><properties><addedProperty>addedValue</addedProperty></properties>" );
+        FileUtils.write( parent, parentContent, "UTF-8" );
+        // re-build pom with modified parent
+        ProjectBuildingResult result = projectBuilder.build( child, configuration );
+        assertThat( result.getProject().getProperties(), hasKey( (Object) "addedProperty" ) );
     }
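Review bot: The rewritten body needs commons-io only for `copyDirectory`; the parent read and write on the two `FileUtils` lines can be done with `java.nio.file`, which this file already uses (`Path`) and which works on the Java 8 target the root POM declares, shrinking the footprint of the very dependency the commit is trying to get rid of: `String parentContent = new String( Files.readAllBytes( parent.toPath() ), StandardCharsets.UTF_8 );` and `Files.write( parent.toPath(), parentContent.getBytes( StandardCharsets.UTF_8 ) );` (this re-adds the `java.nio.file.Files` import the diff removed, plus `java.nio.charset.StandardCharsets`). If commons-io is kept for these calls, the `"UTF-8"` string literals should at least become `StandardCharsets.UTF_8`, which commons-io 2.11 accepts and which turns a misspelt charset from a runtime `UnsupportedCharsetException` into a compile error. `replaceAll` treats its first argument as a regex while the pattern here is a literal, so `String.replace` says what is meant and also replaces every occurrence. Moving to `@TempDir` and dropping the manual `deleteDirectory` is the right call, since JUnit 5 owns the cleanup.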
 
     @Test
diff --git a/maven-embedder/pom.xml b/maven-embedder/pom.xml
index 842f86823..d49eb8f62 100644
--- a/maven-embedder/pom.xml
+++ b/maven-embedder/pom.xml
@@ -149,6 +149,11 @@ under the License.
       <groupId>commons-cli</groupId>
       <artifactId>commons-cli</artifactId>
     </dependency>
+    <dependency>
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>
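Review bot: No maven-embedder test source changes in this commit, so this test-scoped commons-io presumably replaces a copy the embedder's tests previously picked up transitively from maven-shared-utils or wagon-http before the root-POM exclusions; naming that consumer in a comment, e.g. `<!-- test only; needed since commons-io is excluded from maven-shared-utils/wagon-http -->`, would let the entry be dropped once those tests stop using it. If no embedder test actually references commons-io, the entry is dead and should go, because it keeps the artifact on the build classpath for no reason.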
diff --git a/pom.xml b/pom.xml
index 1e08bb637..df1b8f402 100644
--- a/pom.xml
+++ b/pom.xml
@@ -49,6 +49,7 @@ under the License.
     <javaVersion>8</javaVersion>
     <classWorldsVersion>2.6.0</classWorldsVersion>
     <commonsCliVersion>1.5.0</commonsCliVersion>
+    <commonsIoVersion>2.11.0</commonsIoVersion>
     <commonsLangVersion>3.12.0</commonsLangVersion>
     <junitVersion>5.8.1</junitVersion>
     <mockitoVersion>3.2.0</mockitoVersion>
@@ -300,6 +301,13 @@ under the License.
         <groupId>org.apache.maven.shared</groupId>
         <artifactId>maven-shared-utils</artifactId>
         <version>3.3.4</version>
+        <exclusions>
+          <!-- We use org.apache.maven.shared.utils.logging only in Maven Core -->
+          <exclusion>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+          </exclusion>
+        </exclusions>
       </dependency>
       <dependency>
         <groupId>org.fusesource.jansi</groupId>
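Review bot: Excluding commons-io from maven-shared-utils is only safe while no maven-shared-utils class that Maven actually loads references commons-io, and nothing in the build enforces that invariant; the failure mode is a `NoClassDefFoundError` at runtime, not a compile error. The comment says only `org.apache.maven.shared.utils.logging` is used, yet the test touched in this same commit was calling `org.apache.maven.shared.utils.io.FileUtils` until now, so the claim is fragile and a later regression would go unnoticed; an enforcer `bannedDependencies` rule on `commons-io:commons-io` outside test scope, or at least an IT run of the built distribution, would turn that into a build failure. Because this sits in `dependencyManagement`, the exclusion should also reach anyone who depends on `maven-core`/`maven-embedder` and relied on getting commons-io transitively; that is a reasonable supply-chain trim, but it belongs in the release notes.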
@@ -338,6 +346,13 @@ under the License.
         <groupId>org.apache.maven.wagon</groupId>
         <artifactId>wagon-http</artifactId>
         <version>${wagonVersion}</version>
+        <exclusions>
+          <!-- Not used at all -->
+          <exclusion>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+          </exclusion>
+        </exclusions>
       </dependency>
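Review bot: "Not used at all" is a claim about the internals of wagon-http and whichever module in its tree declares commons-io, and this build cannot check it; if any class there touches commons-io, the error surfaces as a `NoClassDefFoundError` only during an HTTP artifact transfer, a path no unit test in this repository exercises. The claim should be verified against the wagon-http sources for the managed `${wagonVersion}` before merging, and the comment should record that, e.g. `<!-- wagon-http N.N.N declares commons-io but no class in it references it; verified against its sources -->`, so the next version bump re-checks it. Running the core integration tests on a distribution built with this exclusion is the practical confirmation.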
       <!--  Repository -->
       <dependency>
@@ -386,6 +401,11 @@ under the License.
         <artifactId>commons-cli</artifactId>
         <version>${commonsCliVersion}</version>
       </dependency>
+      <dependency>
+        <groupId>commons-io</groupId>
+        <artifactId>commons-io</artifactId>
+        <version>${commonsIoVersion}</version>
+      </dependency>
       <dependency>
         <groupId>commons-jxpath</groupId>
         <artifactId>commons-jxpath</artifactId>
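Review bot: The managed commons-io version is doing a different job from the rest of the change — it is the safety net that makes any path still resolving commons-io (the two test-scoped entries, or a transitive route the exclusions missed) land on 2.11.0 rather than the version the commit is removing — and that intent is not stated anywhere near the entry. A comment such as `<!-- test scope only; commons-io is excluded from the runtime dependencies (MNG-7513) -->` would stop it being read later as a runtime dependency and quietly re-added to a module.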