[jira] [Created] (MDEP-765) Some goals result in download of insecure version of Struts

[Andrew Swan (Jira)]

Andrew Swan created MDEP-765:
--------------------------------

             Summary: Some goals result in download of insecure version of 
Struts
                 Key: MDEP-765
                 URL: https://issues.apache.org/jira/browse/MDEP-765
             Project: Maven Dependency Plugin
          Issue Type: Bug
          Components: copy-dependencies, unpack-dependencies
    Affects Versions: 3.2.0
            Reporter: Andrew Swan


h1. Problem

Executing certain goals of the {{dependency}} plugin (for example 
{{copy-dependencies}} and {{unpack-dependencies}}) causes various Struts 1.3.8 
artifacts to be downloaded to the user's local Maven repository. This version 
of Struts has known security vulnerabilities.

h1. Reproduction

Here's a minimal POM that demonstrates the problem:
{code:xml}<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
http://maven.apache.org/xsd/maven-4.0.0.xsd";>
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.example</groupId>
    <artifactId>dependency-plugin-demo</artifactId>
    <version>1.0-SNAPSHOT</version>
    <build>
        <pluginManagement>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-dependency-plugin</artifactId>
                    <version>3.2.0</version>
                </plugin>
            </plugins>
        </pluginManagement>
    </build>
</project>{code}

Running {{mvn dependency:copy-dependencies}} results in the following output:

{code}[INFO] Scanning for projects...
[INFO] 
[INFO] -----------------< org.example:dependency-plugin-demo >-----------------
[INFO] Building dependency-plugin-demo 1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.2.0:copy-dependencies (default-cli) @ 
dependency-plugin-demo ---
Downloading from maven-atlassian-com: 
https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom
Downloaded from maven-atlassian-com: 
https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom
 (4.3 kB at 2.8 kB/s)
Downloading from maven-atlassian-com: 
https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-parent/1.3.8/struts-parent-1.3.8.pom
Downloaded from maven-atlassian-com: 
https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-parent/1.3.8/struts-parent-1.3.8.pom
 (9.8 kB at 21 kB/s)
Downloading from maven-atlassian-com: 
https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-master/4/struts-master-4.pom
Downloaded from maven-atlassian-com: 
https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-master/4/struts-master-4.pom
 (11 kB at 25 kB/s)
Downloading from maven-atlassian-com: 
https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.pom
Downloaded from maven-atlassian-com: 
https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.pom
 (3.1 kB at 6.4 kB/s)
Downloading from maven-atlassian-com: 
https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-tiles/1.3.8/struts-tiles-1.3.8.pom
Downloaded from maven-atlassian-com: 
https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-tiles/1.3.8/struts-tiles-1.3.8.pom
 (2.9 kB at 5.2 kB/s)
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  4.297 s
[INFO] Finished at: 2021-09-09T14:18:10+10:00
[INFO] 
------------------------------------------------------------------------{code}

h1. Workaround
One workaround is to downgrade to version 2.8 of the plugin, however this may 
also require the user to modify their plugin configuration, because the 
semantics of configuration options like {{includeScope}} have changed even 
between minor versions 3.1.2 and 3.2.0.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)