Posted to issues@maven.apache.org by "Michael Osipov (Jira)" <ji...@apache.org> on 2022/08/26 16:29:00 UTC

[jira] [Comment Edited] (MNG-7533) jar v2.6 has medium (CVE-2021-29425) Prisma vulnerability associated with maven v3.8.6

    [ https://issues.apache.org/jira/browse/MNG-7533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17585528#comment-17585528 ] 

Michael Osipov edited comment on MNG-7533 at 8/26/22 4:28 PM:
--------------------------------------------------------------

The dependency isn't used:
{noformat}
[INFO] --- maven-dependency-plugin:3.1.1:analyze (default-cli) @ wagon-http-shared ---
[WARNING] Used undeclared dependencies found:
[WARNING]    org.codehaus.plexus:plexus-utils:jar:3.3.0:compile
[WARNING] Unused declared dependencies found:
[WARNING]    commons-io:commons-io:jar:2.6:compile
[WARNING]    org.slf4j:slf4j-simple:jar:1.7.32:test
[WARNING]    org.apache.maven.wagon:wagon-provider-test:jar:3.5.3-SNAPSHOT:test
{noformat}

{{grep}} the source code...

This is a stupid, mechanical false positive.


was (Author: michael-o):
The dependency isn't used:
{noformat}
[INFO] --- maven-dependency-plugin:3.1.1:analyze (default-cli) @ wagon-http-shared ---
[WARNING] Used undeclared dependencies found:
[WARNING]    org.codehaus.plexus:plexus-utils:jar:3.3.0:compile
[WARNING] Unused declared dependencies found:
[WARNING]    commons-io:commons-io:jar:2.6:compile
[WARNING]    org.slf4j:slf4j-simple:jar:1.7.32:test
[WARNING]    org.apache.maven.wagon:wagon-provider-test:jar:3.5.3-SNAPSHOT:test
{noformat}

{{grep}} the source code...
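The comment above settles the report by reading the maven-dependency-plugin output: the module declares commons-io but its bytecode never references it. The script below is an added example (not part of this Jira thread, the Maven project or the Wagon code base) that turns that manual check into a repeatable triage step: it parses the quoted dependency:analyze output, embedded here as a constructed sample, and labels each scanner finding as declared-but-unused, used-undeclared, or not flagged. The commons-io finding is the one from this issue; the plexus-utils finding uses a placeholder id, not a real CVE, purely to exercise the other branch.

```python
"""Triage scanner findings against `mvn dependency:analyze` output."""
import json

# Constructed sample: the maven-dependency-plugin:analyze lines quoted in the
# comment above, embedded here so the script runs offline.
SAMPLE_ANALYZE_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.1.1:analyze (default-cli) @ wagon-http-shared ---
[WARNING] Used undeclared dependencies found:
[WARNING]    org.codehaus.plexus:plexus-utils:jar:3.3.0:compile
[WARNING] Unused declared dependencies found:
[WARNING]    commons-io:commons-io:jar:2.6:compile
[WARNING]    org.slf4j:slf4j-simple:jar:1.7.32:test
[WARNING]    org.apache.maven.wagon:wagon-provider-test:jar:3.5.3-SNAPSHOT:test
"""

# Constructed scanner findings: groupId:artifactId:version -> CVE ids.
# The commons-io entry is the one reported in this issue; the plexus-utils id
# is a placeholder, not a real CVE, used only to exercise the other branch.
SAMPLE_FINDINGS = {
    "commons-io:commons-io:2.6": ["CVE-2021-29425"],
    "org.codehaus.plexus:plexus-utils:3.3.0": ["CVE-PLACEHOLDER-0001"],
}

USED_UNDECLARED = "Used undeclared dependencies found:"
UNUSED_DECLARED = "Unused declared dependencies found:"


def parse_coordinate(coord):
    """Split a Maven coordinate as printed by dependency:analyze.

    Format is group:artifact:type[:classifier]:version:scope (5 or 6 fields).
    Returns (group:artifact:version, scope) so it can be matched against
    scanner findings, which normally omit type and classifier.
    """
    parts = coord.split(":")
    if len(parts) == 5:
        group, artifact, _type, version, scope = parts
    elif len(parts) == 6:
        group, artifact, _type, _classifier, version, scope = parts
    else:
        raise ValueError(f"unexpected coordinate: {coord!r}")
    return f"{group}:{artifact}:{version}", scope


def parse_analyze_output(text):
    """Collect the two warning sections into {coordinate: scope} maps."""
    sections = {"used_undeclared": {}, "unused_declared": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("[WARNING]"):
            current = None  # any other log line ends the current section
            continue
        body = line[len("[WARNING]"):].strip()
        if body == USED_UNDECLARED:
            current = "used_undeclared"
        elif body == UNUSED_DECLARED:
            current = "unused_declared"
        elif current is not None and body:
            key, scope = parse_coordinate(body)
            sections[current][key] = scope
    return sections


def triage(findings, analysis):
    """Label each finding by how this module's bytecode relates to the artifact."""
    results = {}
    for coord, cves in findings.items():
        if coord in analysis["unused_declared"]:
            verdict = "declared-but-unused"  # no class in this module references it
            scope = analysis["unused_declared"][coord]
        elif coord in analysis["used_undeclared"]:
            verdict = "used-undeclared"      # referenced, but arrives transitively
            scope = analysis["used_undeclared"][coord]
        else:
            verdict = "not-flagged"          # declared and used, or not on the classpath
            scope = None
        results[coord] = {"cves": cves, "verdict": verdict, "scope": scope}
    return results


if __name__ == "__main__":
    report = triage(SAMPLE_FINDINGS, parse_analyze_output(SAMPLE_ANALYZE_OUTPUT))
    print(json.dumps(report, indent=2))
```

Run it against real output with `mvn dependency:analyze > analyze.log` and feed the file contents to `parse_analyze_output`. The verdict is a triage hint, not a closure: dependency:analyze inspects this module's compiled classes, so "declared-but-unused" only says that wagon-http-shared itself never references commons-io; it does not see reflective loading, and a downstream consumer or packaged distribution could still carry the jar on its runtime classpath, which is where the finding would have to be re-checked.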

> jar v2.6 has medium (CVE-2021-29425) Prisma vulnerability associated with maven v3.8.6
> --------------------------------------------------------------------------------------
>
>                 Key: MNG-7533
>                 URL: https://issues.apache.org/jira/browse/MNG-7533
>             Project: Maven
>          Issue Type: Bug
>         Environment: Production
>            Reporter: John Roddy
>            Priority: Major
>         Attachments: MicrosoftTeams-image (5).png
>
>
> jar v2.6 has medium (CVE-2021-29425) Prisma vulnerability associated with maven v3.8.6. We're using the latest for maven which is v3.8.6. Please upgrade jar to the latest to remediate the Prisma vulnerability associated with maven v3.8.6. Thank you!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)