Having the wrong version in pom.xml results in the deb having the following files incorrectly named:

root@d19edf0ef10b:/app# diff before after
9c9
< -rw-r--r-- root/root    323778 2024-01-05 16:32 ./usr/share/java/dom4j-2.1.1.jar
---
> -rw-r--r-- root/root    323778 2024-01-05 16:32 ./usr/share/java/dom4j-2.1.4.jar
18,19c18,19
< drwxr-xr-x root/root         0 2024-01-05 16:32 ./usr/share/maven-repo/org/dom4j/dom4j/2.1.1/
< -rw-r--r-- root/root      2230 2024-01-05 16:32 ./usr/share/maven-repo/org/dom4j/dom4j/2.1.1/dom4j-2.1.1.pom
---
> drwxr-xr-x root/root         0 2024-01-05 16:32 ./usr/share/maven-repo/org/dom4j/dom4j/2.1.4/
> -rw-r--r-- root/root      2230 2024-01-05 16:32 ./usr/share/maven-repo/org/dom4j/dom4j/2.1.4/dom4j-2.1.4.pom
22,24c22,24
< lrwxrwxrwx root/root         0 2024-01-05 16:32 ./usr/share/java/dom4j.jar -> dom4j-2.1.1.jar
< lrwxrwxrwx root/root         0 2024-01-05 16:32 ./usr/share/maven-repo/org/dom4j/dom4j/2.1.1/dom4j-2.1.1.jar -> ../../../../../java/dom4j-2.1.1.jar
< lrwxrwxrwx root/root         0 2024-01-05 16:32 ./usr/share/maven-repo/org/dom4j/dom4j/debian/dom4j-debian.jar -> ../../../../../java/dom4j-2.1.1.jar
---
> lrwxrwxrwx root/root         0 2024-01-05 16:32 ./usr/share/java/dom4j.jar -> dom4j-2.1.4.jar
> lrwxrwxrwx root/root         0 2024-01-05 16:32 ./usr/share/maven-repo/org/dom4j/dom4j/2.1.4/dom4j-2.1.4.jar -> ../../../../../java/dom4j-2.1.4.jar
> lrwxrwxrwx root/root         0 2024-01-05 16:32 ./usr/share/maven-repo/org/dom4j/dom4j/debian/dom4j-debian.jar -> ../../../../../java/dom4j-2.1.4.jar

That may be responsible for at least one tool flagging a security vulnerability that was fixed in 2.1.3. Docker Scout reports:

CRITICAL    CVE-2020-10683    pkg:maven/org.dom4j/dom4j@2.1.1    9.8    1 image    Yes    2.1.3
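A check for the mismatch described above, as an added example that is not part of the original report: it reads a `dpkg -c` style listing, builds the Maven package URL implied by each installed .pom path, and flags any whose version differs from the package's upstream version. The function names, the sample listing (constructed from the lines in the report) and the Debian version string `2.1.4-1` are assumptions, as is the idea that a scanner takes the version from the .pom path.

```python
import re

# Layout seen in the listing:
# ./usr/share/maven-repo/<group/as/dirs>/<artifact>/<version>/<artifact>-<version>.pom
POM_RE = re.compile(
    r"\./usr/share/maven-repo/(?P<group>.+)/(?P<artifact>[^/]+)/"
    r"(?P<version>[^/]+)/(?P=artifact)-(?P=version)\.pom$"
)

# Constructed sample: entries copied from the "before" side of the report.
BEFORE = """\
-rw-r--r-- root/root    323778 2024-01-05 16:32 ./usr/share/java/dom4j-2.1.1.jar
drwxr-xr-x root/root         0 2024-01-05 16:32 ./usr/share/maven-repo/org/dom4j/dom4j/2.1.1/
-rw-r--r-- root/root      2230 2024-01-05 16:32 ./usr/share/maven-repo/org/dom4j/dom4j/2.1.1/dom4j-2.1.1.pom
lrwxrwxrwx root/root         0 2024-01-05 16:32 ./usr/share/java/dom4j.jar -> dom4j-2.1.1.jar
"""

def upstream_version(debian_version):
    """Strip an epoch and the Debian revision: '1:2.1.4-1' -> '2.1.4'."""
    no_epoch = debian_version.split(":", 1)[-1]
    return no_epoch.rsplit("-", 1)[0] if "-" in no_epoch else no_epoch

def maven_purls(listing):
    """Package URLs implied by the .pom files in a dpkg -c style listing."""
    purls = []
    for line in listing.splitlines():
        # Last field is the path; drop the target of a symlink entry.
        path = line.split(" -> ")[0].split()[-1] if line.strip() else ""
        m = POM_RE.match(path)
        if m and m["version"] != "debian":  # skip the 'debian' version alias
            group = m["group"].replace("/", ".")
            purls.append(f"pkg:maven/{group}/{m['artifact']}@{m['version']}")
    return purls

def mismatches(listing, debian_version):
    """purls whose version differs from the package's upstream version."""
    want = upstream_version(debian_version)
    return [p for p in maven_purls(listing) if p.rsplit("@", 1)[1] != want]

if __name__ == "__main__":
    # "2.1.4-1" is an assumed Debian version for the package being checked.
    for purl in mismatches(BEFORE, "2.1.4-1"):
        print("version mismatch:", purl)
```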
