OpenAPITools / openapi-generator

OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec (v2, v3)
https://openapi-generator.tech
Apache License 2.0

[BUG] [SECURITY] Plexus utils vulnerability #11968

Open soleanos opened 2 years ago

soleanos commented 2 years ago

Hello, this issue is related to the previous one, 11881, about security dependencies.

First, thank you very much for your previous action on the dependency upgrade for maven-core, and sorry for my response time; I have had very little time lately to come back to it.

After passing my professional application through the Xray scan, it appears that your application has one last dependency which opens up a major flaw: the version of org.sonatype.plexus:plexus-build-api:jar (0.0.7) is very old (from 2011) and contains org.codehaus.plexus:plexus-utils:jar:1.5.8:compile, as flagged by Xray.

Would you please have some time to look at how to bump the version in order to close this security gap? Thank you in advance.

I also have a small question: when is the next release of your maven plugin planned? Have a great day.

wing328 commented 2 years ago

Do you have the details of the major flaw, such as the CVE? I couldn't find anything with a Google search for "plexus-build-api security vulnerabilities".

soleanos commented 2 years ago

Hello, yes, that is what Xray says to us:


The vulnerability is in plexus-utils

soleanos commented 2 years ago

There are exactly two vulnerabilities in this version of plexus-utils; the second is:


soleanos commented 2 years ago

And our maven dependency tree:

```
[INFO] - org.openapitools:openapi-generator-maven-plugin:jar:5.4.0:compile
[INFO] +- org.sonatype.plexus:plexus-build-api:jar:0.0.7:compile
[INFO] | - org.codehaus.plexus:plexus-utils:jar:1.5.8:compile
[INFO] - org.apache.maven:maven-core:jar:3.3.1:compile
[INFO] +- org.codehaus.plexus:plexus-interpolation:jar:1.21:compile
[INFO] +- org.codehaus.plexus:plexus-classworlds:jar:2.5.2:compile
[INFO] - org.codehaus.plexus:plexus-component-annotations:jar:1.5.5:compile
```
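As an added example (not code from this issue or from the openapi-generator project), a small script that reads `mvn dependency:tree` output like the tree posted above, flags artifacts whose version is below a policy minimum, and reports the chain of parents that pulls each one in; the sample tree is reconstructed from the comment with Maven's connectors restored, and the minimum version is a placeholder to be replaced with the fixed version your scanner reports.

```python
import re

# Constructed sample: the openapi-generator-maven-plugin tree posted in this
# issue, with Maven's usual tree connectors restored.
SAMPLE_TREE = """\
[INFO] org.openapitools:openapi-generator-maven-plugin:jar:5.4.0:compile
[INFO] +- org.sonatype.plexus:plexus-build-api:jar:0.0.7:compile
[INFO] |  \\- org.codehaus.plexus:plexus-utils:jar:1.5.8:compile
[INFO] \\- org.apache.maven:maven-core:jar:3.3.1:compile
[INFO]    +- org.codehaus.plexus:plexus-interpolation:jar:1.21:compile
[INFO]    +- org.codehaus.plexus:plexus-classworlds:jar:2.5.2:compile
[INFO]    \\- org.codehaus.plexus:plexus-component-annotations:jar:1.5.5:compile
"""

# Placeholder policy (not from the issue): minimum acceptable version per
# group:artifact. Put the fixed version your scanner reports here.
MINIMUM_VERSIONS = {"org.codehaus.plexus:plexus-utils": "3.0.0"}

# "[INFO] ", then tree connectors (| + \ - and spaces), then the coordinate.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[|+\\\- ]*?)(?P<coord>\S+:\S+)$")

def version_key(version):
    """Sortable key: numeric segments compare as ints, the rest as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", version))

def parse_tree(text):
    """Return (group:artifact, version, path-from-root) for every tree node."""
    nodes, stack = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # build noise such as "[INFO] BUILD SUCCESS"
        parts = m.group("coord").split(":")
        ga = f"{parts[0]}:{parts[1]}"
        # groupId:artifactId:type[:classifier]:version[:scope]
        version = parts[-2] if parts[-1].isalpha() else parts[-1]
        depth = len(m.group("prefix")) // 3  # each tree level is 3 chars wide
        del stack[depth:]                     # pop back to this node's parent
        stack.append(ga)
        nodes.append((ga, version, list(stack)))
    return nodes

def find_outdated(text, minimums=MINIMUM_VERSIONS):
    """Nodes below the policy minimum, with the chain that pulls them in."""
    return [(ga, v, " -> ".join(path)) for ga, v, path in parse_tree(text)
            if ga in minimums and version_key(v) < version_key(minimums[ga])]
```

Running `find_outdated(SAMPLE_TREE)` reports plexus-utils 1.5.8 reached through plexus-build-api, which is the path that a plugin-level dependency override would need to address.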

SergeS commented 1 year ago

Any update on this topic?