[MWAR-456] Latest maven-war-plugin causing vulnerable .jars to be downloaded - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 3.3.2
Fix Version/s: 3.4.0
Component/s: None
Labels:
None
Environment:
Linux, Windows

Flags:

Patch, Important
Language:
- Java

Description

We are planning to upgrade our project's parent pom.xml file to use maven-war-plugin 3.3.2, which is the latest version, but somehow it is causing 2 vulnerable .jar files, plexus-utils-2.0.5.jar, and maven-shared-utils-3.2.1.jar, to download from our JFrog Artifactory repository when it shouldn't be. Other versions of the maven-war-plugin seem to result in the same issue.

Is there someone available who can assist with this issue as soon as possible? Our development efforts are currently blocked because of this issue. We need to be able to upgrade to the latest version of the maven-war-plugin and prevent vulnerable .jar files from being downloaded as soon as possible before our remediation deadline in a few weeks. Thank you (see the maven console logs attached for more details).

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

Console-Log-Edit.JPG
12/Sep/22 17:37
91 kB
Joseph Angotti

Activity

People

Assignee:: Dennis Lundberg

Reporter:: Joseph Angotti

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 12/Sep/22 14:35

Updated:: 15/Oct/22 18:18

Resolved:: 15/Oct/22 18:18

Time Tracking

Estimated:

60h

Remaining:

60h

Logged:

Not Specified