Posted to issues@maven.apache.org by "Michael Osipov (Jira)" <ji...@apache.org> on 2022/10/15 18:19:00 UTC

[jira] [Closed] (MWAR-456) Latest maven-war-plugin causing vulnerable .jars to be downloaded

     [ https://issues.apache.org/jira/browse/MWAR-456?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Osipov closed MWAR-456.
-------------------------------
    Fix Version/s: 3.4.0
                       (was: waiting-for-feedback)
         Assignee: Dennis Lundberg
       Resolution: Fixed

Implicitly fixed by https://github.com/apache/maven-war-plugin/commit/136f2df8874a105f901e2f01fc0184d6d8a0c994.

> Latest maven-war-plugin causing vulnerable .jars to be downloaded
> -----------------------------------------------------------------
>
>                 Key: MWAR-456
>                 URL: https://issues.apache.org/jira/browse/MWAR-456
>             Project: Maven WAR Plugin
>          Issue Type: Bug
>    Affects Versions: 3.3.2
>         Environment: Linux, Windows
>            Reporter: Joseph Angotti
>            Assignee: Dennis Lundberg
>            Priority: Blocker
>             Fix For: 3.4.0
>
>         Attachments: Console-Log-Edit.JPG
>
>   Original Estimate: 60h
>  Remaining Estimate: 60h
>
> We are planning to upgrade our project's parent pom.xml file to use maven-war-plugin 3.3.2, which is the latest version, but somehow it is causing 2 vulnerable .jar files, plexus-utils-2.0.5.jar and maven-shared-utils-3.2.1.jar, to be downloaded from our JFrog Artifactory repository when they shouldn't be. Other versions of the maven-war-plugin seem to result in the same issue.
> Is there someone available who can assist with this issue as soon as possible? Our development efforts are currently blocked because of this issue. We need to be able to upgrade to the latest version of the maven-war-plugin and prevent vulnerable .jar files from being downloaded as soon as possible before our remediation deadline in a few weeks. Thank you (see the maven console logs attached for more details).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)