Maven Dependency Plugin / MDEP-626

Upgrade struts and xerces due to CVEs


    Details

• Type: Dependency upgrade
• Status: Closed
• Priority: Major
• Resolution: Fixed
• Affects Version/s: 3.1.1
• Fix Version/s: 3.1.2
• Component/s: get
• Labels: None

      Description

If running behind a proxy (e.g. Nexus) with a security vulnerability scanner (e.g. Nexus IQ), the get command (and possibly others) fails due to a dependency on libraries deemed "vulnerable".


      [ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get (default-cli) on project project1-sample: Execution default-cli of goal org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get failed: Plugin org.apache.maven.plugins:maven-dependency-plugin:LATEST or one of its dependencies could not be resolved: The following artifacts could not be resolved: xerces:xercesImpl:jar:2.9.1, org.apache.struts:struts-core:jar:1.3.8: Could not transfer artifact xerces:xercesImpl:jar:2.9.1 from/to efx.nexus (https://mynexusserver/nexus/repository/maven-public/): Access denied to: https://mynexusserver/nexus/repository/maven-public/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar , ReasonPhrase:Requested item is quarantined. -> [Help 1]

      struts2-core 1.3.8 has 4 CVEs against it - "safe" versions are 2.3.35 or 2.5.17

      xercesImpl 2.9.1 has 2 CVEs and a Sonatype security warning - 2.12.0 is better, although still problematic.
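The failure above is easy to misread as a network problem, because the plugin reports it as "could not be resolved". The following added example (not part of this issue or of the plugin) parses a Maven `[ERROR]` line of the shape quoted in the description and pulls out the unresolved coordinates, the repository that refused the transfer and the proxy's reason phrase, so a build pipeline can flag "quarantined by the repository manager" separately from genuine resolution errors. The sample output is constructed from the error text in this issue; the regular expressions, the `ResolutionFailure` type and the `parse_maven_output` / `summarize` helpers are assumptions of this example, and the coordinate pattern only handles four-part `group:artifact:type:version` coordinates without a classifier.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: an [INFO] line plus the [ERROR] line quoted in MDEP-626.
SAMPLE_OUTPUT = """\
[INFO] Scanning for projects...
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get (default-cli) on project project1-sample: Execution default-cli of goal org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get failed: Plugin org.apache.maven.plugins:maven-dependency-plugin:LATEST or one of its dependencies could not be resolved: The following artifacts could not be resolved: xerces:xercesImpl:jar:2.9.1, org.apache.struts:struts-core:jar:1.3.8: Could not transfer artifact xerces:xercesImpl:jar:2.9.1 from/to efx.nexus (https://mynexusserver/nexus/repository/maven-public/): Access denied to: https://mynexusserver/nexus/repository/maven-public/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar , ReasonPhrase:Requested item is quarantined. -> [Help 1]
"""

# The comma-separated list between "could not be resolved: " and the transfer detail.
UNRESOLVED_RE = re.compile(r"The following artifacts could not be resolved: (.*?)(?:: Could not|$)")
# group:artifact:type:version (no classifier support; see lead-in).
COORD_RE = re.compile(r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):([A-Za-z]+):([A-Za-z0-9_.\-]+)")
# Repository id and URL as Maven prints them: "from/to <id> (<url>)".
REPO_RE = re.compile(r"from/to (\S+) \((\S+?)\)")
# Access-denied detail with the proxy's reason phrase.
DENIED_RE = re.compile(r"Access denied to: (\S+) , ReasonPhrase:(.+?)\.\s*(?:->|$)")


@dataclass
class ResolutionFailure:
    unresolved: List[Tuple[str, str, str, str]] = field(default_factory=list)
    repository: Optional[str] = None
    repository_url: Optional[str] = None
    denied_url: Optional[str] = None
    reason: Optional[str] = None

    @property
    def quarantined(self) -> bool:
        # True when the repository manager, not the network, blocked the download.
        return self.reason is not None and "quarantin" in self.reason.lower()


def parse_maven_output(text: str) -> List[ResolutionFailure]:
    """Return one ResolutionFailure per [ERROR] line that reports unresolved artifacts."""
    failures: List[ResolutionFailure] = []
    for line in text.splitlines():
        if not line.startswith("[ERROR]") or "could not be resolved" not in line:
            continue
        failure = ResolutionFailure()
        m = UNRESOLVED_RE.search(line)
        if m:
            failure.unresolved = COORD_RE.findall(m.group(1))
        m = REPO_RE.search(line)
        if m:
            failure.repository, failure.repository_url = m.group(1), m.group(2)
        m = DENIED_RE.search(line)
        if m:
            failure.denied_url, failure.reason = m.group(1), m.group(2).strip()
        failures.append(failure)
    return failures


def summarize(failures: List[ResolutionFailure]) -> List[str]:
    """One human-readable line per unresolved artifact, naming the blocking repository."""
    lines: List[str] = []
    for f in failures:
        verdict = "QUARANTINED" if f.quarantined else "unresolved"
        for group, artifact, _type, version in f.unresolved:
            where = f" via {f.repository}" if f.repository else ""
            why = f": {f.reason}" if f.reason else ""
            lines.append(f"{verdict} {group}:{artifact}:{version}{where}{why}")
    return lines


if __name__ == "__main__":
    for entry in summarize(parse_maven_output(SAMPLE_OUTPUT)):
        print(entry)
```

Run against a CI log, the summary distinguishes a repository-manager policy decision (which needs a dependency upgrade, as this issue's fix did) from a transient transfer error (which a retry would cure); a line is only marked quarantined when the reason phrase says so, so other "Access denied" causes stay labelled as plain resolution failures.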


People

• Assignee: khmarbaise (Karl Heinz Marbaise)
• Reporter: RobotLime (Richard Cross)
• Votes: 0
• Watchers: 7

Dates

• Created:
• Updated:
• Resolved:

Time Tracking

• Estimated: Not Specified
• Remaining: 0h
• Logged: 20m