Hi,

On 14.02.23 11:22, Mark Derricutt wrote:
Hey all,

I was alerted the other day about a security issue with my
clojure-maven-plugin apparently pulling in log4j 1.2, but using the
dependency:tree plugin showed nothing.

Seems this is due to dependencies being overridden by newer Maven
versions. Anyway - I use toolchains in the plugin and have this
dependency tree:

```
[INFO] +- org.apache.maven:maven-toolchain:jar:3.0-alpha-2:compile
[INFO] |  +- (org.apache.maven:maven-core:jar:3.0-alpha-2:compile - omitted for conflict with 3.9.0)
[INFO] |  \- org.apache.maven:maven-compat:jar:3.0-alpha-2:compile
[INFO] |     +- (org.apache.maven:maven-model:jar:3.0-alpha-2:compile - omitted for conflict with 3.9.0)
[INFO] |     +- (org.codehaus.plexus:plexus-container-default:jar:1.0-beta-3.0.5:compile - omitted for duplicate)
[INFO] |     +- (org.codehaus.plexus:plexus-component-annotations:jar:1.0-beta-3.0.5:compile - omitted for conflict with 1.5.5)
```


The maven-toolchain version 3.0-alpha-2 is from 2009!!!

https://search.maven.org/search?q=g:org.apache.maven%20a:maven-toolchain


I also took a look at:
https://github.com/talios/clojure-maven-plugin/blob/develop/pom.xml

which shows exactly this:

```xml
<dependency>
  <groupId>org.apache.maven</groupId>
  <artifactId>maven-toolchain</artifactId>
  <version>3.0-alpha-2</version>
</dependency>
```

which I think is the culprit...

The current version of toolchains-plugin:

https://maven.apache.org/plugins/maven-toolchains-plugin/

The current ToolchainManager can be obtained from maven-core (I
would suggest setting the minimum Maven version to 3.2.5)... (Take a deeper
look into maven-compiler-plugin)...


Kind regards
Karl Heinz Marbaise


This trips up with:

```
[ERROR]   org.apache.maven:maven-compat:jar:3.0-alpha-2:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.maven/maven-compat@3.0-alpha-2?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR]     * [CVE-2021-26291] CWE-346: Origin Validation Error (9.1); https://ossindex.sonatype.org/vulnerability/CVE-2021-26291?component-type=maven&component-name=org.apache.maven%2Fmaven-compat&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
```

There doesn't appear to be a newer version of `maven-toolchain` at all -
or is there and I'm just looking in the wrong place these days?

Cheers,
Mark
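Karl's suggestion above, as an added example that is not code from clojure-maven-plugin or from Maven itself: a minimal mojo that has maven-core inject `ToolchainManager` (the same way maven-compiler-plugin does) and resolves the selected JDK toolchain's `java` tool, so the old `maven-toolchain` artifact and its `maven-compat` 3.0-alpha-2 transitive dependency are no longer needed. The package, class and mojo names are assumptions; the pom changes are summarised in the leading comment.

```java
// Added example, not part of clojure-maven-plugin. Package/class/mojo names are placeholders.
// pom.xml of the plugin: replace org.apache.maven:maven-toolchain:3.0-alpha-2 (which drags in
// maven-compat 3.0-alpha-2) with org.apache.maven:maven-core:3.2.5 in scope "provided", and
// declare the floor with <prerequisites><maven>3.2.5</maven></prerequisites>, so the plugin
// no longer bundles the 2009-era toolchain/compat artifacts that the OSS Index scan flagged.
package com.example.toolchain;

import org.apache.maven.execution.MavenSession;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugins.annotations.Component;
import org.apache.maven.plugins.annotations.LifecyclePhase;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.toolchain.Toolchain;
import org.apache.maven.toolchain.ToolchainManager;

@Mojo(name = "toolchain-java", defaultPhase = LifecyclePhase.COMPILE)
public class ToolchainJavaMojo extends AbstractMojo {

    // Injected by the running Maven (maven-core) at execution time; nothing from the
    // obsolete maven-toolchain / maven-compat artifacts is required for this.
    @Component
    private ToolchainManager toolchainManager;

    @Parameter(defaultValue = "${session}", readonly = true, required = true)
    private MavenSession session;

    @Override
    public void execute() throws MojoExecutionException {
        String java = resolveJavaExecutable();
        getLog().info("Using java executable: " + java);
    }

    /** Returns the 'java' tool of the JDK toolchain selected via maven-toolchains-plugin,
     *  or plain "java" (whatever is on PATH) when no toolchain is selected for this build. */
    String resolveJavaExecutable() {
        Toolchain tc = toolchainManager.getToolchainFromBuildContext("jdk", session);
        if (tc == null) {
            getLog().warn("No 'jdk' toolchain selected for this build; falling back to java on PATH");
            return "java";
        }
        String tool = tc.findTool("java");
        return tool != null ? tool : "java";
    }
}
```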



