
CVE triggered by outdated plexus-utils #1

Closed
binkley opened this issue Aug 28, 2021 · 9 comments

Comments

binkley commented Aug 28, 2021

CVE scanning by the DependencyCheck plugin detects an outdated, insecure dependency on plexus-utils, so it fails my build.

Removing the Modernizer plugin from my build fixes this and passes CVE scanning.

I can get around it for now with this in build.gradle:

configurations.modernizer {
    exclude group: "org.codehaus.plexus", module: "plexus-utils"
}

I was not able to track down the transitive dependency on plexus-utils, but gradle clean build passes after this exclusion when using DependencyCheck and Modernizer together.

gaul commented Aug 28, 2021

I think this is caused by modernizer-maven-plugin 2.3.0's use of maven-project 2.0.9. 2.4.0-SNAPSHOT recently upgraded to 2.2.1 (which is still over 10 years old). Could you try overriding this dependency?
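The two posts above leave a practical gap: the reporter could not trace which artifact pulls plexus-utils into the modernizer configuration, and gaul's diagnosis (modernizer-maven-plugin 2.3.0 via maven-project 2.0.9) is worth confirming against the build's own dependency report before choosing between the exclude and the override. The following is an added example, not code from this thread or from gradle-modernizer-plugin: it parses the tree that `gradle -q dependencies --configuration modernizer` prints, returns the root-to-module path for a given group:name, and reports the version Gradle actually resolved, so the same script can be re-run after a fix to prove the resolved version changed. The two sample trees are constructed for illustration; the plexus-utils 1.5.1, maven-model and asm versions in them are hypothetical filler, and "3.4.1" is used as the "good" threshold only because this thread treats it as a non-vulnerable version.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample of `gradle -q dependencies --configuration modernizer`
# BEFORE any fix. The chain mirrors the diagnosis in the thread
# (modernizer-maven-plugin 2.3.0 -> maven-project 2.0.9 -> plexus-utils);
# the 1.5.1, maven-model and asm versions are hypothetical, not from the thread.
TREE_BEFORE = r"""
modernizer
\--- org.gaul:modernizer-maven-plugin:2.3.0
     +--- org.apache.maven:maven-project:2.0.9
     |    +--- org.codehaus.plexus:plexus-utils:1.5.1
     |    \--- org.apache.maven:maven-model:2.0.9
     \--- org.ow2.asm:asm:9.2
"""

# Constructed sample AFTER declaring `modernizer 'org.codehaus.plexus:plexus-utils:3.4.1'`
# (the override workaround). Gradle keeps the transitive node but marks it
# "1.5.1 -> 3.4.1" to show conflict resolution picked the newer version.
TREE_AFTER = r"""
modernizer
+--- org.gaul:modernizer-maven-plugin:2.3.0
|    +--- org.apache.maven:maven-project:2.0.9
|    |    +--- org.codehaus.plexus:plexus-utils:1.5.1 -> 3.4.1
|    |    \--- org.apache.maven:maven-model:2.0.9
|    \--- org.ow2.asm:asm:9.2
\--- org.codehaus.plexus:plexus-utils:3.4.1
"""


class Node(NamedTuple):
    depth: int               # 1 = direct dependency of the configuration
    group: str
    name: str
    declared: Optional[str]  # version requested by the parent; None for constraint-only entries
    resolved: str            # version Gradle actually selected


# One tree line: indent tokens ("|    " or "     ", 5 chars each), a "+--- " or
# "\--- " connector, the coordinate, an optional " -> <resolved>", then flags
# such as "(*)", "(c)" or "(n)".
NODE_RE = re.compile(
    r"^(?P<prefix>(?:[| ] {4})*)[+\\]--- "
    r"(?P<coord>\S+)"
    r"(?: -> (?P<resolved>\S+))?"
    r"(?P<flags>.*)$"
)


def parse_tree(text: str) -> List[Node]:
    """Turn Gradle's dependency report into a flat list of nodes with depths."""
    nodes: List[Node] = []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue  # configuration name, blank lines and legend text
        parts = m.group("coord").split(":")
        if len(parts) < 2:
            continue
        group, name = parts[0], parts[1]
        declared = parts[2] if len(parts) > 2 else None
        resolved = m.group("resolved") or declared
        if resolved is None:
            continue  # unresolved "(n)" entries carry no usable version
        depth = len(m.group("prefix")) // 5 + 1
        nodes.append(Node(depth, group, name, declared, resolved))
    return nodes


def find_path(text: str, group: str, name: str) -> Optional[List[str]]:
    """Root-to-module chain ("group:name:resolved" per hop) for the first
    occurrence of group:name, or None when the module is not in the graph."""
    stack: List[str] = []
    for n in parse_tree(text):
        del stack[n.depth - 1:]            # pop back to this node's parent level
        stack.append(f"{n.group}:{n.name}:{n.resolved}")
        if (n.group, n.name) == (group, name):
            return list(stack)
    return None


def resolved_version(text: str, group: str, name: str) -> Optional[str]:
    """Version Gradle selected for group:name in this configuration. Gradle
    resolves a module to one version per configuration, so the first hit suffices."""
    for n in parse_tree(text):
        if (n.group, n.name) == (group, name):
            return n.resolved
    return None


def version_key(version: str):
    """Numeric sort key for dotted versions; non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.-]", version))


def still_below(text: str, group: str, name: str, good_version: str) -> bool:
    """True if group:name is present and resolves to something older than good_version."""
    v = resolved_version(text, group, name)
    return v is not None and version_key(v) < version_key(good_version)


if __name__ == "__main__":
    for label, tree in (("before", TREE_BEFORE), ("after override", TREE_AFTER)):
        path = find_path(tree, "org.codehaus.plexus", "plexus-utils")
        print(f"{label}: {' -> '.join(path) if path else 'not present'}")
        print(f"  below 3.4.1: {still_below(tree, 'org.codehaus.plexus', 'plexus-utils', '3.4.1')}")
```

Pipe the real report in with `gradle -q dependencies --configuration modernizer > deps.txt` and call `find_path` on the file contents; the exclude workaround from the first post should make `find_path` return None, while the override should leave the chain in place but change the resolved version.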

binkley commented Aug 28, 2021

What I did was exclude plexus-utils altogether. There may be something needed, but for me no ill effects resulted.

binkley commented Aug 28, 2021

I do note a lot of outdated dependencies for the Maven plugin. I'll drop an issue on that project to note this.

binkley pushed a commit to binkley/modernizer-maven-plugin that referenced this issue Aug 28, 2021
The `plexus-utils` dependency is upstream in this project, and triggers
a CVE for XML injection.  I was unable to find ill effect from excluding
`plexus-utils` as a transitive dependency.

See https://nvd.nist.gov/vuln/detail/CVE-2017-1000487
gaul pushed a commit to gaul/modernizer-maven-plugin that referenced this issue Aug 28, 2021
The plexus-utils dependency is upstream in this project, and triggers
a CVE for XML injection.  I was unable to find ill effect from excluding
plexus-utils as a transitive dependency.

See https://nvd.nist.gov/vuln/detail/CVE-2017-1000487

Fixes andygoossens/gradle-modernizer-plugin#1.  References #131.

Co-authored-by: Brian Oxley <boxley@thoughtworks.com>
binkley commented Aug 28, 2021

To clarify for this Issue, the CVE is https://nvd.nist.gov/vuln/detail/CVE-2017-1000487

andygoossens (Owner)

Thanks for your report.

I will create a new release of the Gradle plugin soon after the Maven plugin sees a new release. But if I am late to do so (or people want to upgrade even faster 😄), then you can already switch to a later version of the Maven plugin by providing another toolVersion like so:

modernizer {
  toolVersion = "..." // e.g. "2.4.0", assuming it keeps the same API
}

While excluding plexus-utils does not seem to do any harm, another workaround would be to upgrade plexus-utils to a non-vulnerable version:

dependencies {
  modernizer 'org.gaul:modernizer-maven-plugin:2.3.0'
  modernizer 'org.codehaus.plexus:plexus-utils:3.4.1'
}

These dependencies would override whatever the default dependency is that the Gradle plugin uses. (Usually "org.gaul:modernizer-maven-plugin:$toolVersion")

binkley commented Jan 14, 2022

Hi, updating this issue ... it's been a while 😀

My sample is a Gradle project using modernizer 1.6.1.
To keep DependencyCheck from failing my build, I still have this in my build.gradle:

// TODO: Work around GitHub issue #92.  <-- Refers to an issue in my repo, not Modernizer
configurations.modernizer {
    exclude group: "org.codehaus.plexus", module: "plexus-utils"
}

I'm switching to your suggestion for dependencies. Is this a change you can put into the plugin?
My sample project is used to showcase to other devs best practices, and this is something I'd like to not explain when they clone my project as a starter.

andygoossens (Owner)

I was waiting for a new modernizer-maven-plugin release but there was none since the issue got fixed on their end. I don't want to rush @gaul either as there seems to be no way to be affected by this security issue, and nothing else looks urgent enough to create another release of his plugin.

Moments ago, I committed a change that excludes the "plexus-utils" dependency from gradle-modernizer-plugin. (Similar to the code in your repository.)

I verified the change with "org.owasp.dependencycheck" and it no longer displays a CVE warning.

Enjoy the new 1.6.2 release. :-)

gaul commented Mar 6, 2022

binkley commented Mar 9, 2022

This works great now -- thank you! 💯
