Maven Dependency Plugin: MDEP-765

Some goals result in download of Struts 1.3.8 POMs

    Description

      Problem

      Executing certain goals of the dependency plugin (for example copy-dependencies and unpack-dependencies) causes various Struts 1.3.8 POMs to be downloaded to the user's local Maven repository. This version of Struts has known security vulnerabilities.

      Reproduction

      Here's a minimal POM that demonstrates the problem:

      <?xml version="1.0" encoding="UTF-8"?>
      <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
          <modelVersion>4.0.0</modelVersion>
          <groupId>org.example</groupId>
          <artifactId>dependency-plugin-demo</artifactId>
          <version>1.0-SNAPSHOT</version>
          <build>
              <pluginManagement>
                  <plugins>
                      <plugin>
                          <groupId>org.apache.maven.plugins</groupId>
                          <artifactId>maven-dependency-plugin</artifactId>
                          <version>3.2.0</version>
                      </plugin>
                  </plugins>
              </pluginManagement>
          </build>
      </project>

      Running mvn dependency:copy-dependencies results in the following output:

      [INFO] Scanning for projects...
      [INFO] 
      [INFO] -----------------< org.example:dependency-plugin-demo >-----------------
      [INFO] Building dependency-plugin-demo 1.0-SNAPSHOT
      [INFO] --------------------------------[ jar ]---------------------------------
      [INFO] 
      [INFO] --- maven-dependency-plugin:3.2.0:copy-dependencies (default-cli) @ dependency-plugin-demo ---
      Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom
      Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom (4.3 kB at 2.8 kB/s)
      Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-parent/1.3.8/struts-parent-1.3.8.pom
      Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-parent/1.3.8/struts-parent-1.3.8.pom (9.8 kB at 21 kB/s)
      Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-master/4/struts-master-4.pom
      Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-master/4/struts-master-4.pom (11 kB at 25 kB/s)
      Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.pom
      Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-taglib/1.3.8/struts-taglib-1.3.8.pom (3.1 kB at 6.4 kB/s)
      Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-tiles/1.3.8/struts-tiles-1.3.8.pom
      Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-tiles/1.3.8/struts-tiles-1.3.8.pom (2.9 kB at 5.2 kB/s)
      [INFO] ------------------------------------------------------------------------
      [INFO] BUILD SUCCESS
      [INFO] ------------------------------------------------------------------------
      [INFO] Total time:  4.297 s
      [INFO] Finished at: 2021-09-09T14:18:10+10:00
      [INFO] ------------------------------------------------------------------------

      Workaround

      One workaround is to downgrade to version 2.8 of the plugin; however, this may also require the user to modify their plugin configuration, because the semantics of configuration options like includeScope have changed even between minor versions 3.1.2 and 3.2.0.
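Added example (not part of the report or of the plugin's code): a small audit script that reads Maven console output like the log above, maps each completed "Downloaded from" line back to Maven coordinates, and flags anything on a denylist such as org.apache.struts 1.x. This is the check a build owner would run in CI to notice that a plugin goal is pulling unexpected artifacts into the local repository. The repository-id-to-base-URL mapping (REPO_BASES), the denylist, and the commons-io/"central" line in the sample log are assumptions constructed for the example; the Struts lines are taken from the report. The script records the file extension because the report's log shows only .pom files, and a POM-only download puts metadata, not code, into ~/.m2, which matters when deciding how urgent a hit is.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of Maven console output. The Struts lines are copied from
# the report; the commons-io line and the "central" repository id are made up so
# the sample also contains an ordinary, unflagged jar download.
SAMPLE_LOG = """\
[INFO] --- maven-dependency-plugin:3.2.0:copy-dependencies (default-cli) @ dependency-plugin-demo ---
Downloading from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom
Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.pom (4.3 kB at 2.8 kB/s)
Downloaded from maven-atlassian-com: https://packages.atlassian.com/maven/repository/internal/org/apache/struts/struts-master/4/struts-master-4.pom (11 kB at 25 kB/s)
Downloaded from central: https://repo.maven.apache.org/maven2/commons-io/commons-io/2.11.0/commons-io-2.11.0.jar (327 kB at 1.2 MB/s)
[INFO] BUILD SUCCESS
"""

# Assumed mapping from repository id to base URL. Maven prints only the id, so
# the caller supplies the base (in practice, from settings.xml or the POM).
REPO_BASES: Dict[str, str] = {
    "maven-atlassian-com": "https://packages.atlassian.com/maven/repository/internal/",
    "central": "https://repo.maven.apache.org/maven2/",
}

# Assumed policy: (groupId, version prefix) pairs that must never be downloaded.
# ("org.apache.struts", "1.") covers every Struts 1.x artifact.
DENYLIST: List[Tuple[str, str]] = [("org.apache.struts", "1.")]

# Only completed downloads are matched; "Downloading from" lines merely announce an attempt.
_DOWNLOADED = re.compile(r"^Downloaded from (?P<repo>\S+): (?P<url>\S+)")


@dataclass(frozen=True)
class Artifact:
    group_id: str
    artifact_id: str
    version: str
    extension: str            # "pom", "jar", ...
    classifier: Optional[str]
    repo: str

    @property
    def coordinates(self) -> str:
        return f"{self.group_id}:{self.artifact_id}:{self.version}:{self.extension}"


def _artifact_from_path(rel_path: str, repo: str) -> Optional[Artifact]:
    """Map a repository-relative path to coordinates using the Maven 2 layout:
    <group/as/dirs>/<artifactId>/<version>/<artifactId>-<version>[-<classifier>].<ext>"""
    parts = rel_path.split("/")
    if len(parts) < 4:  # need at least group, artifactId, version, file name
        return None
    *group_parts, artifact_id, version, filename = parts
    stem, _, ext = filename.rpartition(".")
    prefix = f"{artifact_id}-{version}"
    if not ext or not stem.startswith(prefix):
        return None  # e.g. maven-metadata.xml, which is not an artifact file
    classifier = stem[len(prefix) + 1:] or None
    return Artifact(".".join(group_parts), artifact_id, version, ext, classifier, repo)


def parse_downloads(log_text: str, repo_bases: Dict[str, str]) -> List[Artifact]:
    """Return every completed download that can be resolved to coordinates."""
    found: List[Artifact] = []
    for line in log_text.splitlines():
        m = _DOWNLOADED.match(line.strip())
        if not m:
            continue
        repo, url = m.group("repo"), m.group("url")
        base = repo_bases.get(repo)
        if base is None or not url.startswith(base):
            continue  # unknown repository: the URL cannot be mapped to coordinates
        art = _artifact_from_path(url[len(base):], repo)
        if art is not None:
            found.append(art)
    return found


def audit(artifacts: List[Artifact], denylist: List[Tuple[str, str]]) -> List[Artifact]:
    """Return the artifacts whose groupId and version prefix hit the denylist."""
    return [a for a in artifacts
            if any(a.group_id == g and a.version.startswith(v) for g, v in denylist)]


if __name__ == "__main__":
    for a in audit(parse_downloads(SAMPLE_LOG, REPO_BASES), DENYLIST):
        kind = "POM only, no code" if a.extension == "pom" else a.extension
        print(f"DENYLISTED: {a.coordinates} from {a.repo} ({kind})")
```

Run it against a captured build log (mvn ... | tee build.log) instead of SAMPLE_LOG to gate a CI job; a non-empty audit result is the signal that a goal is resolving artifacts the project never declared. Note that struts-master:4 is not flagged by the 1.x prefix, so the version predicate should be chosen per group rather than globally.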

Reporter: Andrew Swan