[ https://issues.apache.org/jira/browse/MDEP-626?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Richard Cross updated MDEP-626:
-------------------------------
    Description:
If running behind a proxy (e.g. Nexus, with a security vulnerability scanner (e.g. Nexus IQ), the get command (and possibly others) fails due to a dependency on libraries deemed "vulnerable".

{code:java}
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get (default-cli) on project project1-sample: Execution default-cli of goal org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get failed: Plugin org.apache.maven.plugins:maven-dependency-plugin:LATEST or one of its dependencies could not be resolved: The following artifacts could not be resolved: xerces:xercesImpl:jar:2.9.1, org.apache.struts:struts-core:jar:1.3.8: Could not transfer artifact xerces:xercesImpl:jar:2.9.1 from/to efx.nexus (https://mynexusserver/nexus/repository/maven-public/): Access denied to: https://mynexusserver/nexus/repository/maven-public/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar , ReasonPhrase:Requested item is quarantined. -> [Help 1]
{code}

struts2-core 1.3.8 has 4 CVEs against it - "safe" versions are 2.3.35 or 2.5.17

xercesImpl 2.9.1 has 2 CVEs and a Sonatype security warning - 2.12.0 is better, although still problematic.

  was:
If running behind a proxy such as Nexus, the get command (and possibly others) fails due to a dependency on libraries deemed "vulnerable".

{code:java}
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get (default-cli) on project project1-sample: Execution default-cli of goal org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get failed: Plugin org.apache.maven.plugins:maven-dependency-plugin:LATEST or one of its dependencies could not be resolved: The following artifacts could not be resolved: xerces:xercesImpl:jar:2.9.1, org.apache.struts:struts-core:jar:1.3.8: Could not transfer artifact xerces:xercesImpl:jar:2.9.1 from/to efx.nexus (https://mynexusserver/nexus/repository/maven-public/): Access denied to: https://mynexusserver/nexus/repository/maven-public/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar , ReasonPhrase:Requested item is quarantined. -> [Help 1]
{code}

struts2-core 1.3.8 has 4 CVEs against it - "safe" versions are 2.3.35 or 2.5.17

xercesImpl 2.9.1 has 2 CVEs and a Sonatype security warning - 2.12.0 is better, although still problematic.

> Cannot use in environment with Nexus IQ (or similar)
> ----------------------------------------------------
>
>                 Key: MDEP-626
>                 URL: https://issues.apache.org/jira/browse/MDEP-626
>             Project: Maven Dependency Plugin
>          Issue Type: Dependency upgrade
>          Components: get
>    Affects Versions: 3.1.1
>            Reporter: Richard Cross
>            Priority: Major
>
> If running behind a proxy (e.g. Nexus, with a security vulnerability scanner
> (e.g. Nexus IQ), the get command (and possibly others) fails due to a
> dependency on libraries deemed "vulnerable".
>
> {code:java}
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get (default-cli) on
> project project1-sample: Execution default-cli of goal
> org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get failed: Plugin
> org.apache.maven.plugins:maven-dependency-plugin:LATEST or one of its
> dependencies could not be resolved: The following artifacts could not be
> resolved: xerces:xercesImpl:jar:2.9.1,
> org.apache.struts:struts-core:jar:1.3.8: Could not transfer artifact
> xerces:xercesImpl:jar:2.9.1 from/to efx.nexus
> (https://mynexusserver/nexus/repository/maven-public/): Access denied to:
> https://mynexusserver/nexus/repository/maven-public/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar
> , ReasonPhrase:Requested item is quarantined. -> [Help 1]
> {code}
> struts2-core 1.3.8 has 4 CVEs against it - "safe" versions are 2.3.35 or
> 2.5.17
> xercesImpl 2.9.1 has 2 CVEs and a Sonatype security warning - 2.12.0 is
> better, although still problematic.
>

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
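
An added example, not part of the original report or of the Maven project's code: a Python triage helper that reads an error like the one quoted above and separates the artifact the repository manager explicitly reported as quarantined from the ones that are only listed as unresolved. The function names and result keys are assumptions made for this example, and the sample input is the report's error text, shortened.

```python
import re

# Constructed input: the report's error text, shortened to the fields parsed below.
SAMPLE_LOG = (
    "[ERROR] Failed to execute goal org.apache.maven.plugins:"
    "maven-dependency-plugin:3.1.1:get (default-cli) on project project1-sample: "
    "Plugin org.apache.maven.plugins:maven-dependency-plugin:LATEST or one of its "
    "dependencies could not be resolved: The following artifacts could not be "
    "resolved: xerces:xercesImpl:jar:2.9.1, org.apache.struts:struts-core:jar:1.3.8: "
    "Could not transfer artifact xerces:xercesImpl:jar:2.9.1 from/to efx.nexus "
    "(https://mynexusserver/nexus/repository/maven-public/): Access denied to: "
    "https://mynexusserver/nexus/repository/maven-public/xerces/xercesImpl/2.9.1/"
    "xercesImpl-2.9.1.jar , ReasonPhrase:Requested item is quarantined. -> [Help 1]"
)

COORD = r"[\w.\-]+(?::[\w.\-]+){3,4}"  # group:artifact:type[:classifier]:version
GOAL = re.compile(r"Failed to execute goal ([\w.\-]+:[\w.\-]+:[\w.\-]+):([\w\-]+)")
UNRESOLVED = re.compile(r"artifacts could not be resolved: ((?:%s(?:, )?)+)" % COORD)
REPO = re.compile(r"from/to \S+ \((\S+?)\)")
DENIED = re.compile(r"Access denied to: (\S+) ?, ReasonPhrase: ?Requested item is quarantined")


def gav(coord):
    """Reduce group:artifact:type[:classifier]:version to group:artifact:version."""
    p = coord.split(":")
    return ":".join((p[0], p[1], p[-1]))


def triage(log):
    """Return the failing plugin goal and which of its dependencies were quarantined."""
    flat = " ".join(log.split())  # undo wrapping added by mail clients or CI viewers
    goal, repo = GOAL.search(flat), REPO.search(flat)
    listed = UNRESOLVED.search(flat)
    unresolved = [gav(c) for c in re.findall(COORD, listed.group(1))] if listed else []
    quarantined = []
    for url in DENIED.findall(flat):
        if not (repo and url.startswith(repo.group(1))):
            quarantined.append(url)  # repository base unknown: keep the raw URL
            continue
        # Maven repository layout: group/as/path/artifact/version/file
        parts = url[len(repo.group(1)):].strip("/").split("/")
        quarantined.append(":".join((".".join(parts[:-3]), parts[-3], parts[-2])))
    return {
        "plugin": goal.group(1) if goal else None,
        "goal": goal.group(2) if goal else None,
        "quarantined": quarantined,
        # listed as unresolved, but the log gives no quarantine reason for these
        "unconfirmed": [c for c in unresolved if c not in quarantined],
    }
```

On the sample, `triage(SAMPLE_LOG)` reports `xerces:xercesImpl:2.9.1` as quarantined and `org.apache.struts:struts-core:1.3.8` as unconfirmed, since the log states a quarantine reason only for the first artifact.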