[ https://issues.apache.org/jira/browse/MDEP-765?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Swan updated MDEP-765:
-----------------------------
    Summary: Some goals result in download of Struts 1.3.8 POMs  (was: Some goals result in download of insecure version of Struts)

> Some goals result in download of Struts 1.3.8 POMs
> --------------------------------------------------
>
>                 Key: MDEP-765
>                 URL: https://issues.apache.org/jira/browse/MDEP-765
>             Project: Maven Dependency Plugin
>          Issue Type: Bug
>          Components: copy-dependencies, unpack-dependencies
>    Affects Versions: 3.2.0
>            Reporter: Andrew Swan
>            Priority: Major
>              Labels: security, struts
>
> h1. Problem
> Executing certain goals of the {{dependency}} plugin (for example {{copy-dependencies}} and {{unpack-dependencies}}) causes various Struts 1.3.8 artifacts to be downloaded to the user's local Maven repository. This version of Struts has known security vulnerabilities.
> h1. Reproduction
> Here's a minimal POM that demonstrates the problem:
> {code:xml}<?xml version="1.0" encoding="UTF-8"?>
> <project xmlns="http://maven.apache.org/POM/4.0.0"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
>     <modelVersion>4.0.0</modelVersion>
>     <groupId>org.example</groupId>
>     <artifactId>dependency-plugin-demo</artifactId>
>     <version>1.0-SNAPSHOT</version>
>     <build>
>         <pluginManagement>
>             <plugins>
>                 <plugin>
>                     <groupId>org.apache.maven.plugins</groupId>
>                     <artifactId>maven-dependency-plugin</artifactId>
>                     <version>3.2.0</version>
>                 </plugin>
>             </plugins>
>         </pluginManagement>
>     </build>
> </project>{code}
> Running {{mvn dependency:copy-dependencies}} results in the following output:
> {code}[INFO] Scanning for projects...
> [INFO]
> [INFO] -----------------< org.example:dependency-plugin-demo >-----------------
> [INFO] Building dependency-plugin-demo 1.0-SNAPSHOT
> [INFO] --------------------------------[ jar ]---------------------------------
> [INFO]
> [INFO] --- maven-dependency-plugin:3.2.0:copy-dependencies (default-cli) @ dependency-plugin-demo ---
> Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom
> Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom (4.3 kB at 2.8 kB/s)
> Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-parent/1.3.8/struts-parent-1.3.8.pom
> Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-parent/1.3.8/struts-parent-1.3.8.pom (9.8 kB at 21 kB/s)
> Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-master/4/struts-master-4.pom
> Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-master/4/struts-master-4.pom (11 kB at 25 kB/s)
> Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.pom
> Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.pom (3.1 kB at 6.4 kB/s)
> Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-tiles/1.3.8/struts-tiles-1.3.8.pom
> Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-tiles/1.3.8/struts-tiles-1.3.8.pom (2.9 kB at 5.2 kB/s)
> [INFO]
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 4.297 s
> [INFO] Finished at: 2021-09-09T14:18:10+10:00
> [INFO] ------------------------------------------------------------------------{code}
> h1. Workaround
> One workaround is to downgrade to version 2.8 of the plugin; however, this may also require the user to modify their plugin configuration, because the semantics of configuration options like {{includeScope}} have changed even between minor versions 3.1.2 and 3.2.0.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
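The practical question a build owner has after reading a report like this is whether the offending coordinates actually reached a build (or a developer's `~/.m2`). The script below is an added example, not code from MDEP-765 or from the Maven Dependency Plugin: it parses the `Downloaded from <repo>: <url>` lines that Maven 3 prints, splits each URL according to the standard repository layout (`<group/path>/<artifactId>/<version>/<artifactId>-<version>[-classifier].<ext>`), and flags anything matching a denylist. The denylist entry `org.apache.struts:*:1.3.8` mirrors the coordinates visible in the issue's log; the repository id `central`, the sample log lines and the temporary repository tree are constructed for the example. A second function applies the same matcher to a local repository directory, which is the check to run after the plugin has already executed.

```python
"""Flag known-bad Maven artifacts in build output or in a local repository.

Added example for MDEP-765 (not part of the Maven Dependency Plugin).
DENYLIST, SAMPLE_LOG and the tree built by demo_local_scan() are constructed.
"""
import re
import tempfile
from pathlib import Path
from typing import Iterable, List, NamedTuple, Optional, Tuple

# (groupId, artifactId or "*", version or "*"); the only entry mirrors the issue's log.
DENYLIST = [("org.apache.struts", "*", "1.3.8")]

# Maven 3 prints this for every artifact that actually landed in the local repository
# ("Downloading from ..." only announces an attempt, so it is deliberately not matched).
_DOWNLOADED_RE = re.compile(r"Downloaded from (?P<repo>\S+): (?P<url>\S+)")


class Coord(NamedTuple):
    group_path: Tuple[str, ...]  # path segments before <artifactId>/<version>/<file>; may include a URL prefix
    artifact_id: str
    version: str
    filename: str


def parse_repo_path(path: str) -> Optional[Coord]:
    """Split a repository-layout path (URL or relative file path) into its coordinates.

    Layout: <prefix>/<group/as/dirs>/<artifactId>/<version>/<artifactId>-<version>[-classifier].<ext>
    The prefix may be a repository base URL, so callers match the groupId by suffix
    instead of reconstructing it. Returns None for anything else (e.g. maven-metadata.xml).
    """
    parts = path.rstrip("/").split("/")
    if len(parts) < 4:
        return None
    filename, version, artifact = parts[-1], parts[-2], parts[-3]
    if not filename.startswith(f"{artifact}-{version}"):
        return None
    return Coord(tuple(parts[:-3]), artifact, version, filename)


def is_denied(coord: Coord, denylist=DENYLIST) -> bool:
    """True if the coordinate matches any denylist entry (groupId matched as a path suffix)."""
    for group, artifact, version in denylist:
        segs = tuple(group.split("."))
        if coord.group_path[-len(segs):] != segs:
            continue  # note: a groupId that merely ends in these segments would also match
        if artifact not in ("*", coord.artifact_id):
            continue
        if version not in ("*", coord.version):
            continue
        return True
    return False


def scan_build_log(lines: Iterable[str], denylist=DENYLIST) -> List[Tuple[str, str, str, str]]:
    """Return (repo id, artifactId, version, file) for each denied artifact Maven reports as downloaded."""
    hits, seen = [], set()
    for line in lines:
        m = _DOWNLOADED_RE.search(line)
        if not m:
            continue
        coord = parse_repo_path(m.group("url"))
        if coord is None or not is_denied(coord, denylist):
            continue
        key = (coord.artifact_id, coord.version, coord.filename)
        if key not in seen:
            seen.add(key)
            hits.append((m.group("repo"), *key))
    return hits


def scan_local_repository(root, denylist=DENYLIST) -> List[str]:
    """Walk a local repository (e.g. ~/.m2/repository) and return denied artifact files, sorted."""
    root = Path(root)
    hits = []
    for f in root.rglob("*"):
        if not f.is_file():
            continue
        rel = f.relative_to(root).as_posix()
        coord = parse_repo_path(rel)
        if coord is not None and is_denied(coord, denylist):
            hits.append(rel)
    return sorted(hits)


# Constructed sample output; the struts-master/4 and maven-core lines must NOT be flagged.
SAMPLE_LOG = """\
[INFO] --- maven-dependency-plugin:3.2.0:copy-dependencies (default-cli) @ dependency-plugin-demo ---
Downloading from central: https://repo.maven.apache.org/maven2/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom (4.3 kB at 2.8 kB/s)
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/struts/struts-parent/1.3.8/struts-parent-1.3.8.pom (9.8 kB at 21 kB/s)
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/struts/struts-master/4/struts-master-4.pom (11 kB at 25 kB/s)
Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/maven-core/3.8.1/maven-core-3.8.1.pom (8.5 kB at 20 kB/s)
[INFO] BUILD SUCCESS
"""


def demo_local_scan() -> List[str]:
    """Build a throwaway repository tree (constructed) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in (
            "org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom",
            "org/apache/struts/struts-core/maven-metadata-central.xml",
            "org/apache/struts/struts-tiles/1.3.8/struts-tiles-1.3.8.pom",
            "org/apache/struts/struts-master/4/struts-master-4.pom",
            "org/apache/maven/maven-core/3.8.1/maven-core-3.8.1.pom",
        ):
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("<!-- placeholder -->")
        return scan_local_repository(root)


if __name__ == "__main__":
    for hit in scan_build_log(SAMPLE_LOG.splitlines()):
        print("downloaded:", hit)
    for hit in demo_local_scan():
        print("in local repo:", hit)
```

To use it on a real build, pipe `mvn -B dependency:copy-dependencies` output into `scan_build_log`, or point `scan_local_repository` at `~/.m2/repository`; the version filter is exact, so `struts-master:4` (a parent POM the issue's log also fetches) is reported only if the denylist is widened to `("org.apache.struts", "*", "*")`.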