Re: How secure is invoking a single mojo?

2022-12-29 Thread Romain Manni-Bucau
Hi Aldrin, Maybe DefaultModelReader from the maven-model-builder module, but it depends on whether you want the pom resolved or just the raw pom too. Romain Manni-Bucau @rmannibucau | Blog | Old Blog |
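The "raw pom" half of that distinction, as an added example that is not part of the thread or of Maven's own code: it reads a pom.xml with MavenXpp3Reader (the class Aldrin mentions) and lists what the pom declares without resolving anything. It assumes org.apache.maven:maven-model from the Maven 3.x line on the classpath; the pom text is constructed for the example and the exec-maven-plugin entry is only there to show that declared plugins are named, never loaded.

```java
import java.io.IOException;
import java.io.StringReader;

import org.apache.maven.model.Build;
import org.apache.maven.model.Dependency;
import org.apache.maven.model.Model;
import org.apache.maven.model.Plugin;
import org.apache.maven.model.io.xpp3.MavenXpp3Reader;
import org.codehaus.plexus.util.xml.pull.XmlPullParserException;

/**
 * Reads a pom.xml as plain XML with maven-model's MavenXpp3Reader. Only parsing
 * happens here: no repository access, no plugin download, no mojo execution.
 */
public class RawPomInspector {

    // Constructed sample pom for this example; not a real project.
    static final String SAMPLE_POM = String.join("\n",
        "<project>",
        "  <modelVersion>4.0.0</modelVersion>",
        "  <groupId>com.example</groupId>",
        "  <artifactId>demo</artifactId>",
        "  <version>1.0</version>",
        "  <dependencies>",
        "    <dependency>",
        "      <groupId>org.apache.commons</groupId>",
        "      <artifactId>commons-lang3</artifactId>",
        "      <version>3.12.0</version>",
        "    </dependency>",
        "    <dependency>",
        "      <groupId>junit</groupId>",
        "      <artifactId>junit</artifactId>",
        "      <version>4.13.2</version>",
        "      <scope>test</scope>",
        "    </dependency>",
        "  </dependencies>",
        "  <build>",
        "    <plugins>",
        "      <plugin>",
        "        <groupId>org.codehaus.mojo</groupId>",
        "        <artifactId>exec-maven-plugin</artifactId>",
        "        <version>3.1.0</version>",
        "      </plugin>",
        "    </plugins>",
        "  </build>",
        "</project>");

    /** Parses the XML into a raw Model. Nothing is resolved, inherited or interpolated. */
    public static Model readRawPom(String pomXml) throws IOException, XmlPullParserException {
        return new MavenXpp3Reader().read(new StringReader(pomXml));
    }

    /** Declared (not transitive) dependencies; scope is printed as compile when the pom omits it. */
    public static void printDeclaredDependencies(Model model) {
        for (Dependency d : model.getDependencies()) {
            String scope = d.getScope() == null ? "compile" : d.getScope();
            System.out.printf("dependency %s:%s:%s (%s)%n",
                d.getGroupId(), d.getArtifactId(), d.getVersion(), scope);
        }
    }

    /**
     * Plugins the pom would load if a build (or a single mojo) ran. Listing them is the
     * point of reading raw: they are named here but never downloaded or executed.
     */
    public static void printDeclaredPlugins(Model model) {
        Build build = model.getBuild();
        if (build == null) {
            return;
        }
        for (Plugin p : build.getPlugins()) {
            System.out.printf("plugin %s:%s:%s%n", p.getGroupId(), p.getArtifactId(), p.getVersion());
        }
    }

    public static void main(String[] args) throws Exception {
        Model model = readRawPom(SAMPLE_POM);
        printDeclaredDependencies(model);
        printDeclaredPlugins(model);
    }
}
```

The caveat is the other half of Romain's "resolved or raw" distinction: a raw read sees neither parent inheritance, dependencyManagement, nor property interpolation, and it sees no transitive dependencies at all, so versions can be missing or still read `${...}`. The transitive list Aldrin asked for needs the resolver route Tamás points to, and resolution does fetch POMs from the configured remote repositories, so that step is where repository pinning and a throwaway local repository matter.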

Re: How secure is invoking a single mojo?

2022-12-28 Thread Aldrin Leal
Tamas, Thanks for your idea. If I wanted to resolve from reading a pom file from scratch, where would you point me (thinking MavenXpp3Reader and friends perhaps?). -- -- Aldrin Leal, / https://aldrinleal.link On Fri, Dec 16, 2022 at 4:17 PM Tamás Cservenák wrote: > You can write a simple

Re: How secure is invoking a single mojo?

2022-12-16 Thread Tamás Cservenák
Howdy, just an interesting fact: if we remain in the "java realm" and are kinda afraid of "arbitrary Java code execution", I'd convert the plugin to the Takari Incremental plugin https://github.com/takari/io.takari.incrementalbuild Its runtime "cages" the Mojos and allows them to read from and write to

Re: How secure is invoking a single mojo?

2022-12-16 Thread Elliotte Rusty Harold
On Fri, Dec 16, 2022 at 5:02 PM Aldrin Leal wrote: > > Hello, > > Just a question I'd like to confirm with you guys: How "safe" is it to run > `dependency:tree` on a given arbitrary pom? > All that should do is load various XML files from possibly remote servers and parse them, so it's about as

Re: How secure is invoking a single mojo?

2022-12-16 Thread Tamás Cservenák
You can write a simple app, using resolver. There are demos that perform fully functional things, for example https://github.com/apache/maven-resolver/blob/master/maven-resolver-demos/maven-resolver-demo-snippets/src/main/java/org/apache/maven/resolver/examples/GetDependencyTree.java Hth T On

Re: How secure is invoking a single mojo?

2022-12-16 Thread Aldrin Leal
Thanks Michael, indeed this can be better worded. What about: How to programmatically list a pom's dependencies (incl. transitive) without the risk of running untrusted/unauthorized code? -- -- Aldrin Leal, / https://aldrinleal.link On Fri, Dec 16, 2022 at 3:55 PM Michael Osipov wrote: > Am

Re: How secure is invoking a single mojo?

2022-12-16 Thread Michael Osipov
On 2022-12-16 at 18:02 Aldrin Leal wrote: Hello, Just a question I'd like to confirm with you guys: How "safe" is it to run `dependency:tree` on a given arbitrary pom? I mean, what's the likelihood of that pom.xml triggering some "unsafe" code? And how would you do this in (listing all the

How secure is invoking a single mojo?

2022-12-16 Thread Aldrin Leal
Hello, Just a question I'd like to confirm with you guys: How "safe" is it to run `dependency:tree` on a given arbitrary pom? I mean, what's the likelihood of that pom.xml triggering some "unsafe" code? And how would you do this in (listing all the required runtime jar files for a given project)