Hey all,

I was alerted the other day about a security issue with my clojure-maven-plugin apparently pulling in log4j 1.2, but using the dependency:tree plugin showed nothing.

Seems this is due to dependencies being overridden by newer maven versions. Anyway, I use toolchains in the plugin and have this dependency tree:

```
[INFO] +- org.apache.maven:maven-toolchain:jar:3.0-alpha-2:compile
[INFO] |  +- (org.apache.maven:maven-core:jar:3.0-alpha-2:compile - omitted for conflict with 3.9.0)
[INFO] |  \- org.apache.maven:maven-compat:jar:3.0-alpha-2:compile
[INFO] |     +- (org.apache.maven:maven-model:jar:3.0-alpha-2:compile - omitted for conflict with 3.9.0)
[INFO] |     +- (org.codehaus.plexus:plexus-container-default:jar:1.0-beta-3.0.5:compile - omitted for duplicate)
[INFO] |     +- (org.codehaus.plexus:plexus-component-annotations:jar:1.0-beta-3.0.5:compile - omitted for conflict with 1.5.5)
```

This trips up with:

```
[ERROR] org.apache.maven:maven-compat:jar:3.0-alpha-2:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.maven/maven-compat@3.0-alpha-2?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR]    * [CVE-2021-26291] CWE-346: Origin Validation Error (9.1); https://ossindex.sonatype.org/vulnerability/CVE-2021-26291?component-type=maven&component-name=org.apache.maven%2Fmaven-compat&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
```

There doesn't appear to be a newer version of `maven-toolchain` at all - or is there and I'm just looking in the wrong place these days?

Cheers,
Mark

---
"The ease with which a change can be implemented has no relevance at all to whether it is the right change for the (Java) Platform for all time." — Mark Reinhold.

Mark Derricutt
http://www.chaliceofblood.net
http://www.theoryinpractice.net
http://twitter.com/talios
http://facebook.com/mderricutt
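As an added illustration (not part of Mark's post or of the clojure-maven-plugin project), here is one way to handle a transitive artifact flagged like `maven-compat:3.0-alpha-2` above: exclude it from the `maven-toolchain` dependency that drags it in, and add an enforcer rule so the build fails if that exact coordinate ever reappears through another path. This assumes the plugin's own pom declares `maven-toolchain` directly and does not need `maven-compat` at runtime; verify that afterwards with `mvn dependency:tree -Dverbose`, which also shows the `omitted for conflict` nodes that a plain `dependency:tree` hides.

```xml
<!-- Fragment for the plugin's pom.xml (hypothetical; adapt to the real file). -->
<project>
  <dependencies>
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-toolchain</artifactId>
      <version>3.0-alpha-2</version>
      <exclusions>
        <!-- The flagged artifact is only reachable through maven-toolchain here,
             so cutting this edge removes it from the resolved tree. -->
        <exclusion>
          <groupId>org.apache.maven</groupId>
          <artifactId>maven-compat</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Regression guard: fail the build if the banned coordinate comes back
           via any other transitive path (version of the enforcer plugin omitted;
           pin it in pluginManagement in the real pom). -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <executions>
          <execution>
            <id>ban-flagged-maven-compat</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- Pattern is groupId:artifactId:version; only the exact
                       version reported by OSS Index in the post is banned. -->
                  <excludes>
                    <exclude>org.apache.maven:maven-compat:3.0-alpha-2</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

The enforcer rule is the part that matters for detection: an exclusion silently fixes today's tree, while the ban turns any future reintroduction into a hard build failure instead of something that only a scanner notices.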
