Best practice for aggregator plugin

2023-08-30 Thread tison
Hi,

I'm developing a Maven plugin to check files' license headers with
aggregator=true, because the backing functions are expected to work against
the root path of the whole project.

As stated in [1], I met an issue: it works well if you configure the plugin
in the parent module and run the goal from the root path. But what if you
want to bind it to the VERIFY phase?

The plugin will be inherited into all of the children modules and they will
resolve relative path incorrectly.

I'd like to ask the Maven devs for best practices in this situation.

Best,
tison.

[1] https://github.com/korandoru/hawkeye/pull/96
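One way to make an aggregator goal safe to bind to VERIFY in a parent POM, as an added example that is not hawkeye's code nor a reply from the thread: the mojo runs only in the execution-root project (session.getTopLevelProject()) and resolves every path from session.getExecutionRootDirectory(), so the inherited executions in child modules return immediately instead of scanning their own basedir. The goal name "check" and the "license.header" parameter are assumptions. The other common fix is to mark the plugin element in the parent POM with inherited=false so children never receive the execution at all; the guard below works even when someone forgets that.

```java
package example.license;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;

import org.apache.maven.execution.MavenSession;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.LifecyclePhase;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.project.MavenProject;

/**
 * Hypothetical aggregator goal "check" (assumed name, not the hawkeye goal).
 * Bound to VERIFY in a parent POM it is inherited by every child module, so
 * Maven schedules one execution per module; this mojo does its work only in
 * the execution-root project and resolves paths from the execution root.
 */
@Mojo(name = "check", aggregator = true, defaultPhase = LifecyclePhase.VERIFY, threadSafe = true)
public class CheckHeaderMojo extends AbstractMojo {

    @Parameter(defaultValue = "${session}", readonly = true, required = true)
    private MavenSession session;

    @Parameter(defaultValue = "${project}", readonly = true, required = true)
    private MavenProject project;

    /** Exact text every source file must begin with (assumed parameter). */
    @Parameter(property = "license.header", required = true)
    private String header;

    @Override
    public void execute() throws MojoExecutionException, MojoFailureException {
        // Guard: only the project Maven treats as the top of this build runs
        // the check. Child modules reached through inheritance return at once,
        // so the check runs exactly once per invocation, also under -pl.
        if (!project.equals(session.getTopLevelProject())) {
            getLog().info("License header check runs from the execution root; skipping "
                    + project.getArtifactId());
            return;
        }

        // Resolve from the directory `mvn` was started in, never from the
        // current module's basedir; that is what keeps relative paths correct.
        Path root = Paths.get(session.getExecutionRootDirectory()).toAbsolutePath().normalize();
        List<Path> offenders = new ArrayList<>();
        try (Stream<Path> walk = Files.walk(root)) {
            List<Path> sources = walk
                    .filter(Files::isRegularFile)
                    .filter(p -> p.getFileName().toString().endsWith(".java"))
                    // skip the build output of every module
                    .filter(p -> !p.toString().contains(File.separator + "target" + File.separator))
                    .collect(Collectors.toList());
            for (Path source : sources) {
                if (!startsWithHeader(source)) {
                    offenders.add(root.relativize(source));
                }
            }
        } catch (IOException e) {
            throw new MojoExecutionException("Failed to scan " + root, e);
        }

        if (!offenders.isEmpty()) {
            offenders.forEach(p -> getLog().error("Missing license header: " + p));
            throw new MojoFailureException(offenders.size() + " file(s) under " + root
                    + " lack the required license header");
        }
        getLog().info("License headers OK in " + root);
    }

    /** Reads only as many bytes as the header is long; files are not loaded whole. */
    private boolean startsWithHeader(Path file) throws IOException {
        byte[] expected = header.getBytes(StandardCharsets.UTF_8);
        byte[] actual = new byte[expected.length];
        try (InputStream in = Files.newInputStream(file)) {
            int read = 0;
            while (read < actual.length) {
                int n = in.read(actual, read, actual.length - read);
                if (n < 0) {
                    return false; // file shorter than the header
                }
                read += n;
            }
        }
        return Arrays.equals(expected, actual);
    }
}
```

Running `mvn verify` from the root or from a child directory gives the same result: the guard means the module Maven picked as top-level does the scan once, and the scan is rooted at where `mvn` was invoked, which is what an aggregator goal promises.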


Re: CVE-2021-26291 for plugin writers

2023-08-30 Thread Jeremy Landis
Make sure your Maven artifacts are provided scope; then your users can continue
using old versions just fine, down to the 3.3.9 support level you have now.


From: Anton Vodonosov 
Sent: Monday, August 28, 2023 11:14:30 AM
To: dev@maven.apache.org 
Subject: CVE-2021-26291 for plugin writers

Maven 3.8.1 release notes describe CVE-2021-26291 fixed in that version:
https://maven.apache.org/docs/3.8.1/release-notes.html

That's the best explanation of this CVE of all I've seen online.

But it lacks a guide for plugin authors.

GitHub's security scanner created this alert for my plugin
https://github.com/avodonosov/hashver-maven-plugin/security/dependabot/3
and a corresponding pull request, which suggests changing the
dependency maven-core from 3.3.8 to 3.8.1:
https://github.com/avodonosov/hashver-maven-plugin/pull/11

I am reluctant to commit this change because
I am afraid the plugin may stop working for users of older maven versions.
I suppose this CVE is not relevant to plugin authors, my reasoning
is in the pull request comments.

Am I right that the CVE does not affect the plugin?

It would be good if the 3.8.1 release notes were extended with an explanation
of whether it is safe for plugins to depend on older versions of Maven libs.

Best regards,
- Anton
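Jeremy's advice as a pom.xml fragment, added here as an illustration and not taken from hashver-maven-plugin: the Maven API artifacts are declared provided, so they are compiled against but never packaged or pulled onto the plugin's runtime classpath. At run time the host Maven supplies its own maven-core, so a plugin built against 3.3.9 still runs inside 3.8.x and later, which have the CVE-2021-26291 fix, and users on older Maven keep working. The 3.3.9 floor is the one named in the reply; the maven-plugin-annotations version is an assumption.

```xml
<project>
  <!-- ... groupId, artifactId, version, packaging=maven-plugin ... -->
  <properties>
    <!-- Oldest Maven the plugin promises to support; the API level it is compiled against. -->
    <maven.version>3.3.9</maven.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-core</artifactId>
      <version>${maven.version}</version>
      <!-- provided: the running Maven supplies this class, the plugin never ships it -->
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-plugin-api</artifactId>
      <version>${maven.version}</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.maven.plugin-tools</groupId>
      <artifactId>maven-plugin-annotations</artifactId>
      <version>3.6.4</version> <!-- assumed version; only needed at build time -->
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>
```

A quick check is `mvn dependency:tree -Dscope=runtime` in the plugin project: maven-core should not appear, confirming nothing the plugin ships carries that dependency. A scanner that reads the POM will still raise the alert on the provided coordinate, so the alert going quiet is not the test; the runtime tree is.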
