CVE triggered by outdated plexus-utils #1
Comments
I think this is caused by modernizer-maven-plugin 2.3.0's use of maven-project 2.0.9. 2.4.0-SNAPSHOT recently upgraded to 2.2.1 (which is still over 10 years old). Could you try overriding this dependency?

What I did was exclude

I do note a lot of outdated dependencies for the Maven plugin. I'll drop an issue on that project to note this.
The `plexus-utils` dependency is upstream in this project, and triggers a CVE for XML injection. I was unable to find ill effect from excluding `plexus-utils` as a transitive dependency. See https://nvd.nist.gov/vuln/detail/CVE-2017-1000487

Fixes andygoossens/gradle-modernizer-plugin#1. References #131.

Co-authored-by: Brian Oxley <boxley@thoughtworks.com>
To clarify for this issue, the CVE is https://nvd.nist.gov/vuln/detail/CVE-2017-1000487
Thanks for your report. I will create a new release of the Gradle plugin soon after the Maven plugin sees a new release. But if I am late to do so (or people want to upgrade even faster 😄), then you can already switch to a later version of the Maven plugin by providing another `toolVersion`:

```
modernizer {
    toolVersion = "..." // e.g. "2.4.0", assuming it keeps the same API
}
```

While excluding:

```
dependencies {
    modernizer 'org.gaul:modernizer-maven-plugin:2.3.0'
    modernizer 'org.codehaus.plexus:plexus-utils:3.4.1'
}
```

These dependencies would override whatever the default dependency is that the Gradle plugin uses. (Usually `"org.gaul:modernizer-maven-plugin:$toolVersion"`.)
Hi, updating this issue ... it's been a while 😀 My sample is a Gradle project using modernizer 1.6.1. I'm switching to your suggestion for dependencies. Is this a change you can put into the plugin?
I was waiting for a new modernizer-maven-plugin release, but there was none since the issue got fixed on their end. I don't want to rush @gaul either, as there seems to be no way to be affected by this security issue, and nothing else looks urgent enough to create another release of his plugin. Moments ago, I committed a change that excludes the "plexus-utils" dependency from gradle-modernizer-plugin. (Similar to the code in your repository.) I verified the change with "org.owasp.dependencycheck" and it no longer displays a CVE warning. Enjoy the new 1.6.2 release. :-)

This works great now -- thank you! 💯
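The thread settles on two workarounds: pin the `modernizer` configuration to an explicit `modernizer-maven-plugin` coordinate and either exclude `plexus-utils` or supply a non-affected version, then let `org.owasp.dependencycheck` confirm the finding is gone. The following `build.gradle` is an added example written for this page, not code from the issue or from either plugin's repository. It assumes the `modernizer` configuration name, the `org.gaul:modernizer-maven-plugin:2.3.0` and `org.codehaus.plexus:plexus-utils:3.4.1` coordinates, and the `org.owasp.dependencycheck` plugin id from the thread; the modernizer plugin id and both plugin versions are placeholders to check against the plugins' READMEs. It also adds a small verification task that resolves the `modernizer` configuration and fails the build if any `plexus-utils` artifact is still on it, which is the check a reviewer would want before trusting the exclusion.

```groovy
// Added example for this issue thread; not part of gradle-modernizer-plugin.
// Goal: keep the Modernizer check but make sure the plexus-utils version
// flagged by CVE-2017-1000487 is not pulled in transitively.

plugins {
    id 'java'
    // Plugin ids/versions below are placeholders: confirm against each plugin's README.
    id 'com.github.andygoossens.gradle-modernizer-plugin' version 'PLUGIN_VERSION_PLACEHOLDER'
    id 'org.owasp.dependencycheck' version 'DEPCHECK_VERSION_PLACEHOLDER'
}

repositories {
    mavenCentral()
}

// Option 1 (what the 1.6.2 release does): drop the transitive plexus-utils
// that modernizer-maven-plugin 2.3.0 brings in through maven-project 2.0.9.
configurations.modernizer {
    exclude group: 'org.codehaus.plexus', module: 'plexus-utils'
}

dependencies {
    // Pin the tool coordinate explicitly so the exclusion applies to a known version.
    modernizer 'org.gaul:modernizer-maven-plugin:2.3.0'

    // Option 2 (from the maintainer's comment): instead of excluding, add a
    // plexus-utils version that is not affected so it wins dependency resolution.
    // Uncomment this and remove the exclusion above if the tool needs the class at runtime.
    // modernizer 'org.codehaus.plexus:plexus-utils:3.4.1'
}

dependencyCheck {
    // Fail the build when any resolved dependency carries a CVSS score >= 7.
    failBuildOnCVSS = 7
}

// Verification: resolve the modernizer configuration and refuse to build if any
// plexus-utils artifact below the pinned minimum is still present.
tasks.register('verifyPlexusUtilsNotVulnerable') {
    description = 'Fails if an unpatched plexus-utils is still on the modernizer configuration.'
    doLast {
        def minimumOk = '3.4.1'   // assumed acceptable floor; matches the version used in the thread
        def offenders = configurations.modernizer.resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'org.codehaus.plexus' && it.name == 'plexus-utils' }
            .findAll { versionLessThan(it.version, minimumOk) }
        if (!offenders.empty) {
            throw new GradleException(
                "Vulnerable plexus-utils still resolved on 'modernizer': " +
                offenders.collect { "${it.group}:${it.name}:${it.version}" }.join(', '))
        }
        logger.lifecycle("modernizer configuration contains no plexus-utils below ${minimumOk}")
    }
}

// Simple numeric dotted-version comparison (enough for plexus-utils, whose
// releases use plain x.y.z versions).
static boolean versionLessThan(String actual, String minimum) {
    def a = actual.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def m = minimum.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def n = Math.max(a.size(), m.size())
    for (int i = 0; i < n; i++) {
        def x = i < a.size() ? a[i] : 0
        def y = i < m.size() ? m[i] : 0
        if (x != y) return x < y
    }
    return false
}

// Run the guard before the dependency scan so a regression fails fast.
tasks.named('dependencyCheckAnalyze') {
    dependsOn 'verifyPlexusUtilsNotVulnerable'
}
```

To see where the transitive dependency actually comes from (the reporter could not track it down), run `gradle dependencies --configuration modernizer`; the tree shows `plexus-utils` under `maven-project` before the exclusion and absent after it, and `gradle dependencyCheckAnalyze` should then report no finding for CVE-2017-1000487.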
Original issue description:

CVE scanning by the DependencyCheck plugin detects an outdated, insecure dependency on `plexus-utils`, so fails my build. Removing the Modernizer plugin from my build fixes this and passes CVE scanning.

I can get around it for now with this in `build.gradle`:

I was not able to track down the transitive dependency on `plexus-utils`, but `gradle clean build` passes after this exclusion when using DependencyCheck and Modernizer together.