[
https://issues.apache.org/jira/browse/MDEP-626?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Scholte updated MDEP-626:
--------------------------------
Summary: Upgrade struts and xerces due to CVEs (was: Cannot use in
environment with Nexus IQ (or similar))
> Upgrade struts and xerces due to CVEs
> -------------------------------------
>
> Key: MDEP-626
> URL: https://issues.apache.org/jira/browse/MDEP-626
> Project: Maven Dependency Plugin
> Issue Type: Dependency upgrade
> Components: get
> Affects Versions: 3.1.1
> Reporter: Richard Cross
> Priority: Major
>
> If running behind a proxy (e.g. Nexus, with a security vulnerability scanner
> (e.g. Nexus IQ), the get command (and possibly others) fails due to a
> dependency on libraries deemed "vulnerable".
>
> {code:java}
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get (default-cli) on
> project project1-sample: Execution default-cli of goal
> org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get failed: Plugin
> org.apache.maven.plugins:maven-dependency-plugin:LATEST or one of its
> dependencies could not be resolved: The following artifacts could not be
> resolved: xerces:xercesImpl:jar:2.9.1,
> org.apache.struts:struts-core:jar:1.3.8: Could not transfer artifact
> xerces:xercesImpl:jar:2.9.1 from/to efx.nexus
> (https://mynexusserver/nexus/repository/maven-public/): Access denied to:
> https://mynexusserver/nexus/repository/maven-public/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar
> , ReasonPhrase:Requested item is quarantined. -> [Help 1]
> {code}
> struts2-core 1.3.8 has 4 CVEs against it - "safe" versions are 2.3.35 or
> 2.5.17
> xercesImpl 2.9.1 has 2 CVEs and a Sonatype security warning - 2.12.0 is
> better, although still problematic.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
