Hi Devs,
The vulnerability CVE-2021-26291
<https://nvd.nist.gov/vuln/detail/CVE-2021-26291> affects Maven versions
prior to 3.8.1 and has a severity score of 9.1. We currently depend on
maven-core 3.6.3, which appears to be the last release we can expect in
the 3.6 series. In the draft PR #2432
<https://github.com/apache/drill/pull/2432> I am working to address
severe vulnerabilities reported by the OWASP dependency checker and I
have updated maven-core to 3.8.4.
Having adjusted an enforcer rule in the PR, I am still able to build the
project using Maven 3.6.3, the version on my laptop and also currently
used by our GitHub CI. So I do not believe that this upgrade will leave
any users or developers unable to build. However, if you know of some
reason why we should not upgrade maven-core to 3.8 please say so here or
in the PR linked to above.
Thanks,
James