[jira] [Commented] (MENFORCER-349) Include Java vendor in display-info output
[ https://issues.apache.org/jira/browse/MENFORCER-349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17390629#comment-17390629 ]

Mark Symons commented on MENFORCER-349:
---

With the release of 3.0.0, I have tested. From Jenkins:
{noformat}
[INFO] --- maven-enforcer-plugin:3.0.0:display-info (default-cli) @ ---
[INFO] Maven Version: 3.8.1
[INFO] JDK Version: 1.8.0_282 normalized as: 1.8.0-282
[INFO] Java Vendor: Azul Systems, Inc.
[INFO] OS Info: Arch: amd64 Family: unix Name: linux Version: 3.10.0-1160.15.2.el7.x86_64
{noformat}
This is exactly what I was looking for. Thanks!

> Include Java vendor in display-info output
> --
>
> Key: MENFORCER-349
> URL: https://issues.apache.org/jira/browse/MENFORCER-349
> Project: Maven Enforcer Plugin
> Issue Type: Improvement
> Components: Plugin
> Affects Versions: 3.0.0-M3
> Reporter: Mark Symons
> Assignee: Michael Osipov
> Priority: Major
> Fix For: 3.0.0
>
> Include JavaVendor in the output of the {{display-info}} goal.
> This addition would make it much easier to determine whether Oracle or
> OpenJDK is being used (or which flavour of OpenJDK). Currently:
> {noformat}
> [INFO] --- maven-enforcer-plugin:3.0.0-M3:display-info (default-cli) @ x ---
> [INFO] Maven Version: 3.6.3
> [INFO] JDK Version: 1.8.0_232 normalized as: 1.8.0-232
> [INFO] OS Info: Arch: amd64 Family: unix Name: linux Version: 3.10.0-693.21.1.el7.x86_64
> {noformat}
> The JDK here is Zulu OpenJDK... but one would have to do some research to
> know for sure that it could not be Oracle (a no-no in my organisation) where
> the latest version at time of writing happens to be 1.8.0-221.
> MENFORCER-338 requests that Javavendor be enforceable. I have voted for that
> enhancement but log this as something that might (hopefully) be easier to
> implement in the short term.
> It would also provide the benefit of making it clearer whether one has a
> problem that requires going to the effort of configuring enforcement.
-- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (MDEP-708) dependency:analyze should recommend narrower scope where possible
[ https://issues.apache.org/jira/browse/MDEP-708?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17324941#comment-17324941 ]

Mark Symons commented on MDEP-708:
--

[~michael-o], this issue has now been re-assigned fix version 3.1.3. This is a version released in Jira and Github last October... but not available in Maven Central, and not listed on the [Available Plugins|https://maven.apache.org/plugins/index.html] page. Is it actually a "real" version?

I sure am looking forward to this MDEP-708 functionality... it's going to be really useful.

> dependency:analyze should recommend narrower scope where possible
> -
>
> Key: MDEP-708
> URL: https://issues.apache.org/jira/browse/MDEP-708
> Project: Maven Dependency Plugin
> Issue Type: New Feature
> Reporter: Elliotte Rusty Harold
> Assignee: Elliotte Rusty Harold
> Priority: Major
> Labels: intern
> Fix For: 3.1.3
>
> E.g. if a dependency is indeed used but has compile scope and is only needed
> in tests, mvn dependency:analyze should suggest reducing its scope.
[jira] [Commented] (MRELEASE-1038) releaseProfiles get overriden by exec.pomFileName
[ https://issues.apache.org/jira/browse/MRELEASE-1038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17324930#comment-17324930 ]

Mark Symons commented on MRELEASE-1038:
---

[~olamy], with 3.0.0-M2 never having been released and 3.0.0-M4 now released and available in Maven Central, should this issue (and others with fix version 3.0.0-M2), have the fix version tweaked to 3.0.0-M4?

> releaseProfiles get overriden by exec.pomFileName
> -
>
> Key: MRELEASE-1038
> URL: https://issues.apache.org/jira/browse/MRELEASE-1038
> Project: Maven Release Plugin
> Issue Type: Bug
> Components: perform
> Affects Versions: 3.0.0-M1
> Reporter: Benoit MESSAGER
> Assignee: Olivier Lamy
> Priority: Minor
> Fix For: 3.0.0-M2
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Profiles specified in . are overridden by the
> pom file name.
> This comes from: org.apache.maven.shared.release.config.ReleaseUtils line 130:
> {code:java}
> if ( properties.containsKey( "exec.activateProfiles" ) )
> {
>     builder.setActivateProfiles( Arrays.asList( properties.getProperty( "exec.pomFileName" ).split( "," ) ) );
> }
> {code}
> this looks like a failed copy/paste
[jira] [Commented] (MENFORCER-349) Include Java vendor in display-info output
[ https://issues.apache.org/jira/browse/MENFORCER-349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17167175#comment-17167175 ]

Mark Symons commented on MENFORCER-349:
---

(y) Thanks for clarification

> Include Java vendor in display-info output
> --
>
> Key: MENFORCER-349
> URL: https://issues.apache.org/jira/browse/MENFORCER-349
> Project: Maven Enforcer Plugin
> Issue Type: Improvement
> Components: Plugin
> Affects Versions: 3.0.0-M3
> Reporter: Mark Symons
> Assignee: Michael Osipov
> Priority: Major
> Fix For: 3.0.0-M4
>
> Include JavaVendor in the output of the {{display-info}} goal.
> This addition would make it much easier to determine whether Oracle or
> OpenJDK is being used (or which flavour of OpenJDK). Currently:
> {noformat}
> [INFO] --- maven-enforcer-plugin:3.0.0-M3:display-info (default-cli) @ x ---
> [INFO] Maven Version: 3.6.3
> [INFO] JDK Version: 1.8.0_232 normalized as: 1.8.0-232
> [INFO] OS Info: Arch: amd64 Family: unix Name: linux Version: 3.10.0-693.21.1.el7.x86_64
> {noformat}
> The JDK here is Zulu OpenJDK... but one would have to do some research to
> know for sure that it could not be Oracle (a no-no in my organisation) where
> the latest version at time of writing happens to be 1.8.0-221.
> MENFORCER-338 requests that Javavendor be enforceable. I have voted for that
> enhancement but log this as something that might (hopefully) be easier to
> implement in the short term.
> It would also provide the benefit of making it clearer whether one has a
> problem that requires going to the effort of configuring enforcement.
[jira] [Commented] (MENFORCER-349) Include Java vendor in display-info output
[ https://issues.apache.org/jira/browse/MENFORCER-349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17167161#comment-17167161 ]

Mark Symons commented on MENFORCER-349:
---

I have read [PR #73|https://github.com/apache/maven-enforcer/pull/73]

But per my previous comment, won't {{java.vendor}} output "Oracle Corporation" even when using OpenJDK?

> Include Java vendor in display-info output
> --
>
> Key: MENFORCER-349
> URL: https://issues.apache.org/jira/browse/MENFORCER-349
> Project: Maven Enforcer Plugin
> Issue Type: Improvement
> Components: Plugin
> Affects Versions: 3.0.0-M3
> Reporter: Mark Symons
> Assignee: Michael Osipov
> Priority: Major
> Fix For: 3.0.0-M4
>
> Include JavaVendor in the output of the {{display-info}} goal.
> This addition would make it much easier to determine whether Oracle or
> OpenJDK is being used (or which flavour of OpenJDK). Currently:
> {noformat}
> [INFO] --- maven-enforcer-plugin:3.0.0-M3:display-info (default-cli) @ x ---
> [INFO] Maven Version: 3.6.3
> [INFO] JDK Version: 1.8.0_232 normalized as: 1.8.0-232
> [INFO] OS Info: Arch: amd64 Family: unix Name: linux Version: 3.10.0-693.21.1.el7.x86_64
> {noformat}
> The JDK here is Zulu OpenJDK... but one would have to do some research to
> know for sure that it could not be Oracle (a no-no in my organisation) where
> the latest version at time of writing happens to be 1.8.0-221.
> MENFORCER-338 requests that Javavendor be enforceable. I have voted for that
> enhancement but log this as something that might (hopefully) be easier to
> implement in the short term.
> It would also provide the benefit of making it clearer whether one has a
> problem that requires going to the effort of configuring enforcement.
[jira] [Commented] (MENFORCER-349) Include Java vendor in display-info output
[ https://issues.apache.org/jira/browse/MENFORCER-349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17167151#comment-17167151 ]

Mark Symons commented on MENFORCER-349:
---

In a single sentence: when I use the {{display-info}} goal I need the output to quite clearly state whether the JDK in use is from Oracle or OpenJDK.

> Include Java vendor in display-info output
> --
>
> Key: MENFORCER-349
> URL: https://issues.apache.org/jira/browse/MENFORCER-349
> Project: Maven Enforcer Plugin
> Issue Type: Improvement
> Components: Plugin
> Affects Versions: 3.0.0-M3
> Reporter: Mark Symons
> Assignee: Michael Osipov
> Priority: Major
> Fix For: 3.0.0-M4
>
> Include JavaVendor in the output of the {{display-info}} goal.
> This addition would make it much easier to determine whether Oracle or
> OpenJDK is being used (or which flavour of OpenJDK). Currently:
> {noformat}
> [INFO] --- maven-enforcer-plugin:3.0.0-M3:display-info (default-cli) @ x ---
> [INFO] Maven Version: 3.6.3
> [INFO] JDK Version: 1.8.0_232 normalized as: 1.8.0-232
> [INFO] OS Info: Arch: amd64 Family: unix Name: linux Version: 3.10.0-693.21.1.el7.x86_64
> {noformat}
> The JDK here is Zulu OpenJDK... but one would have to do some research to
> know for sure that it could not be Oracle (a no-no in my organisation) where
> the latest version at time of writing happens to be 1.8.0-221.
> MENFORCER-338 requests that Javavendor be enforceable. I have voted for that
> enhancement but log this as something that might (hopefully) be easier to
> implement in the short term.
> It would also provide the benefit of making it clearer whether one has a
> problem that requires going to the effort of configuring enforcement.
[jira] [Commented] (MENFORCER-349) Include Java vendor in display-info output
[ https://issues.apache.org/jira/browse/MENFORCER-349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17167144#comment-17167144 ]

Mark Symons commented on MENFORCER-349:
---

[~michael-o], I am not a dev and whilst I referenced "vendor", I see that this might not quite give us what is wanted.

System Information screens on various different servers I run all report:
* {{java.vendor}} = Oracle Corporation (not helpful)
* {{java.vm.name}} = OpenJDK 64-Bit Server VM (Much better!)

> Include Java vendor in display-info output
> --
>
> Key: MENFORCER-349
> URL: https://issues.apache.org/jira/browse/MENFORCER-349
> Project: Maven Enforcer Plugin
> Issue Type: Improvement
> Components: Plugin
> Affects Versions: 3.0.0-M3
> Reporter: Mark Symons
> Assignee: Michael Osipov
> Priority: Major
> Fix For: 3.0.0-M4
>
> Include JavaVendor in the output of the {{display-info}} goal.
> This addition would make it much easier to determine whether Oracle or
> OpenJDK is being used (or which flavour of OpenJDK). Currently:
> {noformat}
> [INFO] --- maven-enforcer-plugin:3.0.0-M3:display-info (default-cli) @ x ---
> [INFO] Maven Version: 3.6.3
> [INFO] JDK Version: 1.8.0_232 normalized as: 1.8.0-232
> [INFO] OS Info: Arch: amd64 Family: unix Name: linux Version: 3.10.0-693.21.1.el7.x86_64
> {noformat}
> The JDK here is Zulu OpenJDK... but one would have to do some research to
> know for sure that it could not be Oracle (a no-no in my organisation) where
> the latest version at time of writing happens to be 1.8.0-221.
> MENFORCER-338 requests that Javavendor be enforceable. I have voted for that
> enhancement but log this as something that might (hopefully) be easier to
> implement in the short term.
> It would also provide the benefit of making it clearer whether one has a
> problem that requires going to the effort of configuring enforcement.
[jira] [Created] (MENFORCER-349) include JavaVendor in display-info output
Mark Symons created MENFORCER-349:
-

Summary: include JavaVendor in display-info output
Key: MENFORCER-349
URL: https://issues.apache.org/jira/browse/MENFORCER-349
Project: Maven Enforcer Plugin
Issue Type: Improvement
Components: Plugin
Affects Versions: 3.0.0-M3
Reporter: Mark Symons

Include JavaVendor in the output of the {{display-info}} goal.

This addition would make it much easier to determine whether Oracle or OpenJDK is being used (or which flavour of OpenJDK). Currently:
{noformat}
[INFO] --- maven-enforcer-plugin:3.0.0-M3:display-info (default-cli) @ x ---
[INFO] Maven Version: 3.6.3
[INFO] JDK Version: 1.8.0_232 normalized as: 1.8.0-232
[INFO] OS Info: Arch: amd64 Family: unix Name: linux Version: 3.10.0-693.21.1.el7.x86_64
{noformat}
The JDK here is Zulu OpenJDK... but one would have to do some research to know for sure that it could not be Oracle (a no-no in my organisation) where the latest version at time of writing happens to be 1.8.0-221.

MENFORCER-338 requests that Javavendor be enforceable. I have voted for that enhancement but log this as something that might (hopefully) be easier to implement in the short term.

It would also provide the benefit of making it clearer whether one has a problem that requires going to the effort of configuring enforcement.
[jira] [Commented] (MASSEMBLY-907) Dependencies are not included when run with mvn install
[ https://issues.apache.org/jira/browse/MASSEMBLY-907?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16911189#comment-16911189 ]

Mark Symons commented on MASSEMBLY-907:
---

Is there any progress on this? Our teams ran into exactly the same problem after upgrading from 3.1.0 to 3.1.1.

Like [~lbakman], we also have bouncy castle dependencies that necessitate usage of 3.1.1 due to MASSEMBLY-873.

> Dependencies are not included when run with mvn install
> ---
>
> Key: MASSEMBLY-907
> URL: https://issues.apache.org/jira/browse/MASSEMBLY-907
> Project: Maven Assembly Plugin
> Issue Type: Bug
> Affects Versions: 3.1.1
> Reporter: Lau Bakman
> Assignee: Karl Heinz Marbaise
> Priority: Major
> Attachments: 310_install.log, 310_install_verbose.log,
> 311_install.log, 311_install_verbose.log, 311_package_verbose.log,
> assembly_deps.zip
>
> We have just updated to version 3.1.1 due to MASSEMBLY-873 and have stumbled
> upon a problem.
> Our project is structured similar to the attached project. When we build our
> project using "mvn clean package" the project is assembled correctly
> including dependencies. If we on the other hand build our project using "mvn
> clean install", only the top level jar files are assembled and all
> dependencies are missing.
> This worked in version 3.1.0.
> Is this by design? And if it is, is there a way to revert to the old behavior?
[jira] [Comment Edited] (MJAR-252) Upgrade plexus-archiver to 3.6.0
[ https://issues.apache.org/jira/browse/MJAR-252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16678167#comment-16678167 ]

Mark Symons edited comment on MJAR-252 at 11/7/18 12:47 PM:

I think that this issue should be reclassified as major/critical, as the update to {{plexus-archiver 3.6.0}} addresses [CVE-2018-1002200|https://nvd.nist.gov/vuln/detail/CVE-2018-1002200]

{panel}
plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
{panel}

Will maven-jar-plugin v3.1.1 be released soon?

was (Author: marks):
I think that this issue should be reclassified as major/critical. as the update to {{plexus-archiver 3.6.0}} addresses [CVE-2018-1002200|https://nvd.nist.gov/vuln/detail/CVE-2018-1002200]

{panel}
plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
{panel}

Will v3.1.1 be released soon?

> Upgrade plexus-archiver to 3.6.0
>
> Key: MJAR-252
> URL: https://issues.apache.org/jira/browse/MJAR-252
> Project: Maven JAR Plugin
> Issue Type: Dependency upgrade
> Affects Versions: 3.1.1
> Reporter: Karl Heinz Marbaise
> Assignee: Karl Heinz Marbaise
> Priority: Minor
> Fix For: 3.1.1
[jira] [Commented] (MJAR-252) Upgrade plexus-archiver to 3.6.0
[ https://issues.apache.org/jira/browse/MJAR-252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16678167#comment-16678167 ]

Mark Symons commented on MJAR-252:
--

I think that this issue should be reclassified as major/critical, as the update to {{plexus-archiver 3.6.0}} addresses [CVE-2018-1002200|https://nvd.nist.gov/vuln/detail/CVE-2018-1002200]

{panel}
plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
{panel}

Will v3.1.1 be released soon?

> Upgrade plexus-archiver to 3.6.0
>
> Key: MJAR-252
> URL: https://issues.apache.org/jira/browse/MJAR-252
> Project: Maven JAR Plugin
> Issue Type: Dependency upgrade
> Affects Versions: 3.1.1
> Reporter: Karl Heinz Marbaise
> Assignee: Karl Heinz Marbaise
> Priority: Minor
> Fix For: 3.1.1
[jira] [Comment Edited] (MSHARED-726) Upgrade plexus-archiver to 3.6.0
[ https://issues.apache.org/jira/browse/MSHARED-726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16678147#comment-16678147 ]

Mark Symons edited comment on MSHARED-726 at 11/7/18 12:33 PM:
---

Is there any idea when this fix might be released?

Also, should not affects-version and fix-version be different?

was (Author: marks):
is there any idea when this fix might be released?

> Upgrade plexus-archiver to 3.6.0
>
> Key: MSHARED-726
> URL: https://issues.apache.org/jira/browse/MSHARED-726
> Project: Maven Shared Components
> Issue Type: Dependency upgrade
> Components: maven-archiver
> Affects Versions: maven-archiver-3.2.1
> Reporter: Karl Heinz Marbaise
> Assignee: Karl Heinz Marbaise
> Priority: Critical
> Fix For: maven-archiver-3.2.1
[jira] [Commented] (MSHARED-726) Upgrade plexus-archiver to 3.6.0
[ https://issues.apache.org/jira/browse/MSHARED-726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16678147#comment-16678147 ]

Mark Symons commented on MSHARED-726:
-

Is there any idea when this fix might be released?

> Upgrade plexus-archiver to 3.6.0
>
> Key: MSHARED-726
> URL: https://issues.apache.org/jira/browse/MSHARED-726
> Project: Maven Shared Components
> Issue Type: Dependency upgrade
> Components: maven-archiver
> Affects Versions: maven-archiver-3.2.1
> Reporter: Karl Heinz Marbaise
> Assignee: Karl Heinz Marbaise
> Priority: Critical
> Fix For: maven-archiver-3.2.1
[jira] [Commented] (MSHARED-726) Upgrade plexus-archiver to 3.6.0
[ https://issues.apache.org/jira/browse/MSHARED-726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16559696#comment-16559696 ]

Mark Symons commented on MSHARED-726:
-

h2. CVE-2018-1002200

plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

> Upgrade plexus-archiver to 3.6.0
>
> Key: MSHARED-726
> URL: https://issues.apache.org/jira/browse/MSHARED-726
> Project: Maven Shared Components
> Issue Type: Dependency upgrade
> Components: maven-archiver
> Affects Versions: maven-archiver-3.2.1
> Reporter: Karl Heinz Marbaise
> Assignee: Karl Heinz Marbaise
> Priority: Critical
> Fix For: maven-archiver-3.2.1
[jira] [Created] (MWAR-369) Upgrade to XStream 1.4.9
Mark Symons created MWAR-369:

Summary: Upgrade to XStream 1.4.9
Key: MWAR-369
URL: https://issues.apache.org/jira/browse/MWAR-369
Project: Maven WAR Plugin
Issue Type: Bug
Components: manifest
Affects Versions: 2.6
Reporter: Mark Symons

maven-war-plugin v2.6 has a dependency on {{com.thoughtworks.xstream:xstream}} 1.4.4

There are two security threats:
* CVE-2013-7285, an arbitrary execution of commands when unmarshalling. Addressed in 1.4.7
* XXE vulnerability, addressed in 1.4.9

CVE-2013-7285 is identified as an "unscored" threat by Nexus Repository Manager.