Hi, recently I had an issue where a security problem was claimed because a published POM was using a jar version for which a CVE exists. The reporter requested to upgrade to a current version and publish an updated POM.
As you know, we cannot update the POM. We only publish new POMs, so the case resulted in the publication of a new version. However, this case got me thinking:

1.) Whether we like it or not, the published POM is an artifact that we have to maintain. (And, in the case of the ASF: for which we might be legally responsible.)

2.) Knowing that one can exclude the jar file in question in a downstream POM is not sufficient. You've got to know that there is a problem.

Point one is a simple statement of fact. Nothing much to do here.

Regarding point two, however: here's something that the Maven world could do better. My suggestion would be:

a) Introduce a new artifact (say <ARTIFACTID>-<VERSION>-issues.xml). The idea would be to publish such an artifact if an issue with the jar, war, or whatever file (the original artifact, without classifier) has been detected.

b) On occasion, Maven would check whether there is an issues file for a dependency. If so, it would issue a warning, break the build, or do whatever seems appropriate. Of course, this action would be done in a plugin, which might be skipped.

Leaving out questions like the update of an issues file (there might be other issues later on, or more serious issues), I think this should be doable with moderate effort.

Jochen
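As an added example (not from Jochen's mail or the Maven project), a Python prototype of the proposed check: it derives where the suggested <ARTIFACTID>-<VERSION>-issues.xml would live under the standard Maven repository layout, parses a constructed sample file, and decides between warn and fail. The XML layout (issues/issue with id and severity attributes and a summary child) and the low/medium/high severity vocabulary are assumptions, since the mail defines no schema.

```python
# Added prototype of the proposed issues-artifact check. The file name
# <artifactId>-<version>-issues.xml follows the mail; the XML layout
# (<issues><issue id="" severity=""><summary/></issue></issues>) and the
# low/medium/high severities are assumptions, not a Maven standard.
import os
import tempfile
import xml.etree.ElementTree as ET
RANK = {"low": 0, "medium": 1, "high": 2}  # assumed severity vocabulary

def issues_path(repo_root, group_id, artifact_id, version):
    """Standard Maven repository layout: groupId dots become directories."""
    return os.path.join(repo_root, *group_id.split("."), artifact_id, version,
                        f"{artifact_id}-{version}-issues.xml")

def load_issues(path):
    """Return [] when no issues artifact was published, else (id, severity, summary)."""
    if not os.path.exists(path):
        return []
    return [(e.get("id", ""), e.get("severity", "low"),
             (e.findtext("summary") or "").strip())
            for e in ET.parse(path).getroot().findall("issue")]

def check_dependency(repo_root, group_id, artifact_id, version, fail_on="high"):
    """Plugin decision for one dependency: ('ok'|'warn'|'fail', issues)."""
    issues = load_issues(issues_path(repo_root, group_id, artifact_id, version))
    if not issues:
        return "ok", issues
    worst = max(RANK.get(sev, 0) for _, sev, _ in issues)
    return ("fail" if worst >= RANK[fail_on] else "warn"), issues

SAMPLE_ISSUES_XML = """<?xml version="1.0"?>
<issues>
  <issue id="EXAMPLE-1" severity="high">
    <summary>Constructed sample: placeholder problem in this version</summary>
  </issue>
</issues>
"""

def demo():
    """Publish the constructed file into a temporary repo and run the check."""
    with tempfile.TemporaryDirectory() as repo:
        path = issues_path(repo, "org.example", "foo", "1.0")
        os.makedirs(os.path.dirname(path))
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_ISSUES_XML)
        flagged = check_dependency(repo, "org.example", "foo", "1.0")[0]
        clean = check_dependency(repo, "org.example", "foo", "1.1")[0]  # no file
        return flagged, clean

if __name__ == "__main__":
    print(demo())  # ('fail', 'ok')
```

Lowering fail_on to "medium" or "low" tightens the policy; a version without a published issues file is treated as clean, which is exactly the gap the mail points out for today's repositories.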