Hi Martin,

Would you share the output of your [1] setup, where you saw “plexus-utils-1.1.jar is being downloaded”?

mvn -X -s settings.xml -Dmaven.repo.local=repository org.apache.maven.plugins:maven-clean-plugin:3.2.0:clean


(Doesn’t the debug flag explain why it’s downloading it?)

Regards,
Tomo

On Thu, Sep 22, 2022 at 04:15 Martin D'Aloia <martindal...@gmail.com> wrote:

> Hi, we are seeing that even with the latest maven-clean-plugin (currently
> 3.2.0) a plexus-utils-1.1.jar is being downloaded.
> We think that it is a real issue but we wanted to check in case we are
> overlooking something.
>
> This is reproducible 100% with a simple setup shown below. [1]
>
> In theory using 3.2.0 should resolve it as mentioned here:
>
> https://stackoverflow.com/questions/71711729/java-maven-cve-2017-1000487-on-plexus-utils-2-0-4-jar-plexus-utils-3-0-10-jar
>
> Executing the dependency:tree on 3.2.0 brings 3.3.0 but with provided
> scope. [2]
> Executing the dependency:tree on 3.1.0 brings 2.0.4 with compile scope. [3]
>
> We couldn't determine from where 1.1 comes; Maven 3.8.6 comes with
> lib/plexus-utils-3.3.1.jar
>
> Even declaring the plugin inside the pom.xml and executing
> dependency:resolve-plugins doesn't show the 1.1 version. [4]
>
> Who provides this plexus-utils 1.1?
> Should I report it on Jira?
>
> Thanks in advance
> Martin
>
> ==============================
>
> [1]:
>
> settings.xml
>
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <settings xmlns="http://maven.apache.org/SETTINGS/1.2.0"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 https://maven.apache.org/xsd/settings-1.2.0.xsd">
> </settings>
>
>
> pom.xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <project xmlns="http://maven.apache.org/POM/4.0.0"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
>     <modelVersion>4.0.0</modelVersion>
>
>     <groupId>example-group</groupId>
>     <artifactId>clean-bug-example</artifactId>
>     <version>0.0.1-SNAPSHOT</version>
>     <packaging>pom</packaging>
> </project>
>
>
> Maven 3.8.6:
> mvn -X -s settings.xml -Dmaven.repo.local=repository org.apache.maven.plugins:maven-clean-plugin:3.2.0:clean
>
> ==============================
>
> [2]:
> mvn -s settings.xml -Dmaven.repo.local=repository -f ./repository/org/apache/maven/plugins/maven-clean-plugin/3.2.0/maven-clean-plugin-3.2.0.pom dependency:tree -Dincludes="*:plexus-utils:*"
>
> [INFO] org.apache.maven.plugins:maven-clean-plugin:maven-plugin:3.2.0
> [INFO] \- org.apache.maven:maven-compat:jar:3.2.5:test
> [INFO]    \- org.codehaus.plexus:plexus-utils:jar:3.3.0:provided
>
> ==============================
>
> [3]:
> mvn -s settings.xml -Dmaven.repo.local=repository -f ./repository/org/apache/maven/plugins/maven-clean-plugin/3.1.0/maven-clean-plugin-3.1.0.pom dependency:tree -Dincludes="*:plexus-utils:*"
>
> [INFO] org.apache.maven.plugins:maven-clean-plugin:maven-plugin:3.1.0
> [INFO] \- org.apache.maven:maven-compat:jar:3.0:test
> [INFO]    \- org.codehaus.plexus:plexus-utils:jar:2.0.4:compile
>
> ==============================
>
> [4]:
> Add to pom.xml
>
>     <build>
>         <plugins>
>             <plugin>
>                 <groupId>org.apache.maven.plugins</groupId>
>                 <artifactId>maven-clean-plugin</artifactId>
>                 <version>3.2.0</version>
>             </plugin>
>         </plugins>
>     </build>
>
> mvn --settings settings.xml -Dmaven.repo.local=repository dependency:resolve-plugins
>
> (full output redacted to show only plexus-utils)
>
> [INFO] Plugin Resolved: maven-install-plugin-2.4.jar
> [INFO]     Plugin Dependency Resolved: plexus-utils-3.0.5.jar
> [INFO] Plugin Resolved: maven-deploy-plugin-2.7.jar
> [INFO]     Plugin Dependency Resolved: plexus-utils-1.5.6.jar
> [INFO] Plugin Resolved: maven-clean-plugin-3.2.0.jar
> [INFO]     Plugin Dependency Resolved: maven-shared-utils-3.3.4.jar
> [INFO] Plugin Resolved: maven-site-plugin-3.3.jar
> [INFO]     Plugin Dependency Resolved: plexus-utils-1.5.10.jar
>
> ==============================
>
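Because the reproducer isolates everything under -Dmaven.repo.local=repository, that directory is a complete record of which plexus-utils jars Maven actually fetched. The script below is an added example, not code from this thread or from the Maven project: it walks such a repository, lists every plexus-utils jar by version, and marks those older than a baseline. The baseline 3.0.16 is an assumption on my part (to my knowledge the first plexus-utils release that addressed CVE-2017-1000487, the CVE behind the Stack Overflow link above); the sample tree it builds when run with no arguments is constructed from the versions seen in the thread, not real downloads.

```shell
#!/bin/sh
# Added example (not from the thread): scan a Maven local repository for every
# plexus-utils jar and flag versions below a baseline.
# Assumption: baseline 3.0.16 as the first release addressing CVE-2017-1000487.

# Turn "MAJOR.MINOR.PATCH" into one integer so versions compare with -lt.
# Missing components count as 0; non-digit suffixes such as "-SNAPSHOT" are dropped.
version_number() {
    old_ifs=$IFS; IFS=.
    set -- $1            # unquoted on purpose: split the version on dots
    IFS=$old_ifs
    major=${1%%[!0-9]*}; minor=${2%%[!0-9]*}; patch=${3%%[!0-9]*}
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# Print "version<TAB>status<TAB>path" for each plexus-utils jar under $1,
# where status is BELOW_MIN when the jar's version is older than $2.
scan_plexus_utils() {
    repo=$1; min_n=$(version_number "$2")
    find "$repo" -type f -path '*/org/codehaus/plexus/plexus-utils/*' \
        -name 'plexus-utils-*.jar' |
    while read -r jar; do
        ver=${jar##*/plexus-utils-}; ver=${ver%.jar}
        if [ "$(version_number "$ver")" -lt "$min_n" ]; then
            status=BELOW_MIN
        else
            status=ok
        fi
        printf '%s\t%s\t%s\n' "$ver" "$status" "$jar"
    done | sort
}

# Constructed sample repository (empty placeholder jars, not real downloads)
# holding the plexus-utils versions that appear in the thread's output.
make_sample_repo() {
    for v in 1.1 1.5.6 1.5.10 2.0.4 3.0.5 3.3.0; do
        mkdir -p "$1/org/codehaus/plexus/plexus-utils/$v"
        : > "$1/org/codehaus/plexus/plexus-utils/$v/plexus-utils-$v.jar"
    done
}

# Usage: sh scan.sh <maven.repo.local dir> [min-version]
# With no arguments, run against the constructed sample tree instead.
if [ $# -ge 1 ]; then
    scan_plexus_utils "$1" "${2:-3.0.16}"
else
    sample=$(mktemp -d)
    make_sample_repo "$sample"
    scan_plexus_utils "$sample" 3.0.16
    rm -rf "$sample"
fi
```

Running it against the reproducer's repository directory after the `-X` clean invocation shows the exact path of the 1.1 jar, which is the quickest way to confirm which plugin or parent POM pulled it in.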