Posted to issues@maven.apache.org by Bradley Atkins <Br...@bjss.com> on 2019/03/25 10:35:04 UTC

Vulnerabilities in multiple Maven packages.

All,

When looking at forking and updating maven-source-plugin to get rid of its dependency on the vulnerable package - org.codehaus.plexus : plexus-utils

I found that these packages are also using a vulnerable version of it. As fixing this issue would require multiple releases, can I prevail upon you guys to do a fix?

org.apache.maven : maven-core 3.0
org.apache.maven : maven-model 3.0
org.apache.maven : maven-compat 3.0
org.apache.maven.plugin-testing : maven-plugin-testing-harness 2.1
org.apache.maven : maven-plugin-api 3.0

Incidentally, this vulnerability was found using the IntelliJ plugin for Snyk. These guys offer the plugin for free to open source projects. Given that you are providing a core service to half the industry, can I ask you to evaluate using it across all Apache packages as standard? Their vulnerability database is very well maintained.

Regards

Bradley Atkins

Snyk site - https://snyk.io


The information included in this email and any files transmitted with it may contain information that is confidential and it must not be used by, or its contents or attachments copied or disclosed to, persons other than the intended addressee. If you have received this email in error, please notify BJSS. In the absence of written agreement to the contrary BJSS' relevant standard terms of contract for any work to be undertaken will apply. Please carry out virus or such other checks as you consider appropriate in respect of this email. BJSS does not accept responsibility for any adverse effect upon your system or data in relation to this email or any files transmitted with it. BJSS Limited, a company registered in England and Wales (Company Number 2777575), VAT Registration Number 613295452, Registered Office Address, First Floor, Coronet House, Queen Street, Leeds, LS1 2TW.

Re: Vulnerabilities in multiple Maven packages.

Posted by Robert Scholte <rf...@apache.org>.
On Mon, 25 Mar 2019 11:35:04 +0100, Bradley Atkins <Br...@bjss.com> wrote:

> All,
>
> When looking at forking and updating maven-source-plugin to get rid of  
> its dependency on the vulnerable package - org.codehaus.plexus :  
> plexus-utils

What's the vulnerability?

>
> I found that these packages are also using a vulnerable version of it. As  
> fixing this issue would require multiple releases, can I prevail upon  
> you guys to do a fix?
>
> org.apache.maven : maven-core 3.0
> org.apache.maven : maven-model 3.0
> org.apache.maven : maven-compat 3.0
> org.apache.maven.plugin-testing : maven-plugin-testing-harness 2.1
> org.apache.maven : maven-plugin-api 3.0

Not sure what you expect from us here. Do you expect us to patch these and  
re-upload them to Maven Central?

>
> Incidentally, this vulnerability was found using the IntelliJ plugin for  
> Snyk. These guys offer the plugin for free to open source projects.  
> Given that you are providing a core service to half the industry, can I  
> ask you to evaluate using it across all Apache packages as standard?  
> Their vulnerability database is very well maintained.

I have contacts with Snyk, however we've never talked about this yet. I'll  
inform.

thanks,
Robert

>
> Regards
>
> Bradley Atkins
>
> Snyk site - https://snyk.io
>
