aleksandr-m / gitflow-maven-plugin

The Git-Flow Maven Plugin supports various Git workflows, including GitFlow and GitHub Flow. This plugin runs Git and Maven commands from the command line.
https://aleksandr-m.github.io/gitflow-maven-plugin/
Apache License 2.0

gitflow:1.19.0:release has vulnerability log4j 1.2.12 #381

Closed AbstractAlao closed 1 year ago

AbstractAlao commented 1 year ago

When running mvn gitflow:release -DallowSnapshots=true -DskipTestProject=true

It is downloading log4j 1.2.12

[INFO] --- gitflow:1.19.0:release (default-cli) @ quartz-scheduler ---
Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 349 B/s)
Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar
Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar (358 kB at 2.1 MB/s)

Adding the following to the plugin configuration does not work

<plugin>
    <groupId>com.amashchenko.maven.plugin</groupId>
    <artifactId>gitflow-maven-plugin</artifactId>
    <version>1.19.0</version>
    <configuration>
        <versionDigitToIncrement>1</versionDigitToIncrement>
        <gitFlowConfig>
            <!-- Optional - uncomment if using main instead of master
            <productionBranch>main</productionBranch>
            -->
        </gitFlowConfig>
    </configuration>
    <dependencies>
        <dependency>
            <groupId>org.apache.maven.shared</groupId>
            <artifactId>maven-artifact-transfer</artifactId>
            <version>0.11.0</version>
            <exclusions>
                <exclusion>
                    <groupId>log4j</groupId>
                    <artifactId>log4j</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>
</plugin>

Any chance to fix this?

AbstractAlao commented 1 year ago

I'm not sure if this is going to get fixed but I found a workaround if anyone else is running into this issue.

<plugin>
    <groupId>com.amashchenko.maven.plugin</groupId>
    <artifactId>gitflow-maven-plugin</artifactId>
    <version>1.19.0</version>
    <configuration>
        <versionDigitToIncrement>1</versionDigitToIncrement>
        <gitFlowConfig>
            <!-- Optional - uncomment if using main instead of master
            <productionBranch>main</productionBranch>
            -->
        </gitFlowConfig>
    </configuration>
    <dependencies>
        <dependency>
            <groupId>org.apache.xbean</groupId>
            <artifactId>xbean-reflect</artifactId>
            <exclusions>
                <exclusion>
                    <groupId>log4j</groupId>
                    <artifactId>log4j</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>
</plugin>

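The two plugin configurations in this thread differ only in which plugin dependency carries the log4j exclusion, and a pom.xml alone does not tell you which transitive path actually pulls log4j 1.2.12 in. Plugin dependencies do not appear in dependency:tree either, so the practical check after applying either configuration is to run `mvn dependency:resolve-plugins` and scan its listing. The script below is an added example, not code from the gitflow-maven-plugin project or from anyone in this thread: it parses that listing and reports any plugin whose resolved dependencies include a log4j 1.x jar. The sample output is constructed, and the "Plugin Resolved:" / "Plugin Dependency Resolved:" line format it assumes is what maven-dependency-plugin prints for that goal; adjust the regexes if your Maven version formats the listing differently.

```python
"""Flag log4j 1.x jars pulled in by Maven plugins, using `mvn dependency:resolve-plugins` output.

Usage: mvn -B dependency:resolve-plugins | python check_plugin_log4j.py
(or run stand-alone to see the constructed sample scanned).
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample of resolve-plugins output, mirroring the situation in the
# issue: the gitflow plugin resolves log4j-1.2.12.jar as one of its dependencies.
# The line format is an assumption about what maven-dependency-plugin prints.
SAMPLE_OUTPUT = """\
[INFO] --- dependency:resolve-plugins (default-cli) @ quartz-scheduler ---
[INFO]
[INFO] Plugin Resolved: gitflow-maven-plugin-1.19.0.jar
[INFO]     Plugin Dependency Resolved: xbean-reflect-3.7.jar
[INFO]     Plugin Dependency Resolved: log4j-1.2.12.jar
[INFO]     Plugin Dependency Resolved: maven-artifact-transfer-0.11.0.jar
[INFO] Plugin Resolved: maven-surefire-plugin-3.2.5.jar
[INFO]     Plugin Dependency Resolved: surefire-api-3.2.5.jar
[INFO] BUILD SUCCESS
"""

# Constructed "after the workaround" sample: same listing with log4j gone.
FIXED_OUTPUT = "\n".join(
    line for line in SAMPLE_OUTPUT.splitlines() if "log4j" not in line
)

PLUGIN_RE = re.compile(r"Plugin Resolved:\s+(\S+\.jar)")
DEP_RE = re.compile(r"Plugin Dependency Resolved:\s+(\S+\.jar)")
# log4j 1.x artifacts are named log4j-1.<minor>[.<patch>].jar; 2.x uses
# log4j-core / log4j-api, so they are deliberately not matched here.
LOG4J1_RE = re.compile(r"^log4j-1\.\d+(?:\.\d+)?\.jar$")


def plugin_dependencies(output: str) -> Dict[str, List[str]]:
    """Map each resolved plugin jar to the list of dependency jars under it."""
    deps: Dict[str, List[str]] = {}
    current = None
    for line in output.splitlines():
        plugin = PLUGIN_RE.search(line)
        if plugin:
            current = plugin.group(1)
            deps.setdefault(current, [])
            continue
        dep = DEP_RE.search(line)
        if dep and current is not None:
            deps[current].append(dep.group(1))
    return deps


def find_log4j1(output: str) -> List[Tuple[str, str]]:
    """Return (plugin jar, log4j jar) pairs for every log4j 1.x plugin dependency."""
    findings = []
    for plugin, jars in plugin_dependencies(output).items():
        for jar in jars:
            if LOG4J1_RE.match(jar):
                findings.append((plugin, jar))
    return findings


def main() -> int:
    output = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    findings = find_log4j1(output)
    for plugin, jar in findings:
        print(f"log4j 1.x still resolved: {jar} via {plugin}")
    if not findings:
        print("no log4j 1.x plugin dependencies found")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Piping the real build output through it in CI gives a non-zero exit as long as the exclusion sits on the wrong dependency, and a clean exit once the exclusion (or the plugin upgrade) actually removes the jar from the resolved set.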
aleksandr-m commented 1 year ago

Already addressed in https://github.com/aleksandr-m/gitflow-maven-plugin/pull/365.

aliakhtar commented 1 year ago

@aleksandr-m https://mvnrepository.com/artifact/com.amashchenko.maven.plugin/gitflow-maven-plugin/1.20.0 still shows a vulnerability: CVE-2017-1000487 - any ideas?

aleksandr-m commented 10 months ago

It's another CVE. Should be ok now.

aliakhtar commented 10 months ago

@aleksandr-m I don't think it's ok because a vulnerability is still showing on https://mvnrepository.com/artifact/com.amashchenko.maven.plugin/gitflow-maven-plugin/1.20.0, can you push a new version which addresses this please?

aleksandr-m commented 10 months ago

:) not so fast, but it will be when next version is released.

aliakhtar commented 10 months ago

@aleksandr-m can I send you a PR for this to do a minor release? Just need to know which dependencies to update