OpenAPITools / openapi-diff

Utility for comparing two OpenAPI specifications.
Apache License 2.0

Update maven-core to 3.8.2 #489

Closed AlexandrosMor closed 1 year ago

AlexandrosMor commented 1 year ago

There is a vulnerability to maven-shared-utils and it is fixed by updating maven-core to 3.8.2

AlexandrosMor commented 1 year ago

Hello @joschi, could you please merge this one? It is a security issue. Furthermore, I was wondering how many maintainers there are? Thank you in advance.

joschi commented 1 year ago

@AlexandrosMor Could you please share details about the vulnerability?

I don't find anything about it in the release notes for Maven 3.8.2 and on the Maven Security page.

Furthermore, this dependency is the minimum version of Maven the openapi-diff Maven plugin works with. If we bump that version, people will (potentially) have to use Maven 3.8.2 or later to use the plugin.

And last but not least, the dependency is in provided scope which means that we don't even include it in our artifact and the version of Maven importing the plugin will control which version is actually on the class path.

As an example, the Maven Surefire plugin defines an even lower version of these dependencies:

AlexandrosMor commented 1 year ago

Hello @joschi, thank you for the quick response. I see that there is a vulnerability here. Apart from that, I ran the repo through https://snyk.io/ and found even more, but all of them are nested dependencies. Kind regards, Alexandros

joschi commented 1 year ago

@AlexandrosMor Thanks for providing the links!

As explained before, the version of Maven that uses the openapi-diff Maven plugin ultimately decides which version of the Maven libraries declared as provided is actually used.

So there is no security issue in this Maven plugin and I'm closing this PR.
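The point made in this thread, that a provided-scope dependency is resolved by the host Maven installation rather than shipped in the plugin artifact, is illustrated by the following pom.xml fragment. This is an added example, not the project's own pom.xml; the version numbers are placeholders and the property name is assumed.

```xml
<project>
  <properties>
    <!-- Placeholder: the minimum Maven version the plugin is compiled against.
         A provided-scope artifact is NOT bundled into the plugin jar. -->
    <maven.min.version>3.x.y</maven.min.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-core</artifactId>
      <version>${maven.min.version}</version>
      <!-- "provided": needed to compile the plugin, but at runtime the classes
           come from the Maven installation that invokes the plugin. Bumping
           this version only raises the minimum Maven the plugin requires;
           it does not change which maven-core the end user actually runs. -->
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>
```

To confirm what a consuming build really puts on the class path, run `mvn dependency:tree` in the consuming project and compare the reported `maven-core` version with the output of `mvn --version`; a fix for a vulnerability in Maven's own libraries therefore belongs in the Maven installation on the build host, not in the plugin's declared minimum.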