MarcGiffing / wicket-spring-boot

Spring Boot starter for Apache Wicket

Maven central release rejected due to dependency vulnerabilities #184

Closed MarcGiffing closed 2 years ago

MarcGiffing commented 2 years ago

The dependency

<groupId>com.github.jennybrown8.wicket-source</groupId>
<artifactId>wicket-source</artifactId>

has a transitive dependency to

maven/org.apache.wicket/wicket@8.0.0-M1

which has a vulnerability

[CVE-2016-6806] Cross-Site Request Forgery (CSRF)
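As an added example, not from the thread or from either project, this is one way a consumer can keep the vulnerable transitive Wicket version out of the resolved dependency tree: exclude the Apache Wicket artifacts that wicket-source pulls in and declare the project's own Wicket version directly. The version values are placeholders, and whether wicket-source runs correctly against the newer Wicket is an assumption that has to be verified separately.

```xml
<!-- Added example (not from the thread): exclude the transitive Apache Wicket
     artifacts pulled in by wicket-source and pin the Wicket version yourself.
     The version values are placeholders, not values taken from the issue. -->
<properties>
  <wicket.version>PLACEHOLDER-PATCHED-WICKET-VERSION</wicket.version>
</properties>

<dependencies>
  <dependency>
    <groupId>com.github.jennybrown8.wicket-source</groupId>
    <artifactId>wicket-source</artifactId>
    <version>PLACEHOLDER-WICKET-SOURCE-VERSION</version>
    <exclusions>
      <!-- Wildcard exclusions require Maven 3.2.1 or newer -->
      <exclusion>
        <groupId>org.apache.wicket</groupId>
        <artifactId>*</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- A direct declaration is what Maven's nearest-wins rule selects,
       and it makes the chosen version explicit in dependency:tree -->
  <dependency>
    <groupId>org.apache.wicket</groupId>
    <artifactId>wicket-core</artifactId>
    <version>${wicket.version}</version>
  </dependency>
</dependencies>
```

Run `mvn dependency:tree -Dincludes=org.apache.wicket` before and after the change to confirm that the 8.0.0-M1 artifact no longer appears anywhere in the resolved tree; the exclusion is what stops it from being resolved at all, independently of which version nearest-wins would otherwise have chosen.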

martin-g commented 2 years ago

https://github.com/jennybrown8/wicket-source/issues/4 :-/

jennybrown8 commented 2 years ago

Seen, thanks for the note. I'll see what I can do to get a fixed build; not sure on timeline.

martin-g commented 2 years ago

Thank you, @jennybrown8 !

Another option is to donate wicket-source project to https://github.com/wicketstuff/core/

MarcGiffing commented 2 years ago

I don't understand why I can't deploy to nexus. I always get the following message:

[INFO] [INFO] Upload of locally staged artifacts finished.
[INFO] [INFO] Closing staging repository with ID "comgiffing-1119".
[INFO] [INFO] Waiting for operation to complete...
[INFO] ......................................................................................
[INFO] [WARNING] TIMEOUT after 302,4 s
[INFO]
[INFO] [ERROR] Rule failure while trying to close staging repository with ID "comgiffing-1119".
[INFO] [ERROR]
[INFO] [ERROR] Nexus Staging Rules Failure Report
[INFO] [ERROR] ==================================
[INFO] [ERROR]
[INFO] [ERROR]
[INFO] [ERROR] Cleaning up local stage directory after a Rule failure during close of staging repositories: []
[INFO] [ERROR] Deleting context 4aa2f4b9b81fda.properties
[INFO] [ERROR] Cleaning up remote stage repositories after a Rule failure during close of staging repositories: []
[INFO] [ERROR] Dropping failed staging repository with ID "comgiffing-1119" (Rule failure during close of staging repositories: []).
[INFO] [INFO] Waiting for operation to complete...

There is no information about what is going wrong. For some failures I got a mail with dependency vulnerabilities. But I'm not sure if that's the real problem. Most of the time it's only the log output above.

I've analyzed the master branch with the help of lift.sonatype.com. There are critical errors for a tomcat version which is not used.

Development environment: (screenshot)

lift.sonatype.com: (screenshot)

MarcGiffing commented 2 years ago

It seems that the problem is Apache Shiro. I'm not sure if provided dependencies should result in a critical error because they are NOT provided.... any ideas?

(screenshot)

MarcGiffing commented 2 years ago

It's not a dependency vulnerability issue. I've got the following message:

(screenshot of the error message)

martin-g commented 2 years ago

I have no idea. Better file a ticket at https://issues.sonatype.org/

MarcGiffing commented 2 years ago

https://issues.sonatype.org/browse/OSSRH-76391

jennybrown8 commented 2 years ago

I've made a release of wicket-source:9.0.0 to maven central, which should become available in the indexes shortly. Not sure if that actually helps your issue here or not, but it's available.