aleksandr-m / gitflow-maven-plugin

The Git-Flow Maven Plugin supports various Git workflows, including GitFlow and GitHub Flow. This plugin runs Git and Maven commands from the command line.
https://aleksandr-m.github.io/gitflow-maven-plugin/
Apache License 2.0

Update dependencies to avoid CVE-2015-3253 and CVE-2016-6814 #395

Closed koenigroland closed 10 months ago

koenigroland commented 11 months ago

Please update

    <dependency>
        <groupId>org.apache.maven.release</groupId>
        <artifactId>maven-release-manager</artifactId>
        <version>2.5.3</version>
        <scope>compile</scope>
    </dependency>

to version 3.0.1 to avoid critical vulnerabilities in a transitive dependency on groovy.

CVE-2016-6814 CVE-2015-3253

Current version uses groovy:

    [INFO] +- org.apache.maven.release:maven-release-manager:jar:2.5.3:compile
    [INFO] | +- org.apache.maven.release:maven-release-api:jar:2.5.3:compile
    [INFO] | | - org.eclipse.aether:aether-util:jar:1.0.0.v20140518:compile
    [INFO] | | - org.eclipse.aether:aether-api:jar:1.0.0.v20140518:compile
    [INFO] | +- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3:compile
    [INFO] | | - org.sonatype.plexus:plexus-cipher:jar:1.4:compile
    [INFO] | +- org.apache.maven:maven-artifact-manager:jar:2.2.1:compile
    [INFO] | | +- org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-6:compile
    [INFO] | | - backport-util-concurrent:backport-util-concurrent:jar:3.1:compile
    [INFO] | +- org.apache.maven:maven-project:jar:2.2.1:compile
    [INFO] | | +- org.apache.maven:maven-profile:jar:2.2.1:compile
    [INFO] | | - org.apache.maven:maven-plugin-registry:jar:2.2.1:compile
    [INFO] | +- org.apache.maven.shared:maven-invoker:jar:2.2:compile
    [INFO] | +- commons-lang:commons-lang:jar:2.4:compile
    [INFO] | +- commons-cli:commons-cli:jar:1.2:compile
    [INFO] | +- commons-io:commons-io:jar:2.2:compile
    [INFO] | +- org.apache.maven.scm:maven-scm-providers-standard:pom:1.9.4:runtime
    [INFO] | | +- org.apache.maven.scm:maven-scm-provider-accurev:jar:1.9.4:runtime
    [INFO] | | +- org.apache.maven.scm:maven-scm-provider-bazaar:jar:1.9.4:runtime
    [INFO] | | +- org.apache.maven.scm:maven-scm-provider-clearcase:jar:1.9.4:runtime
    [INFO] | | +- org.apache.maven.scm:maven-scm-provider-cvsexe:jar:1.9.4:runtime
    [INFO] | | | - org.apache.maven.scm:maven-scm-provider-cvs-commons:jar:1.9.4:runtime
    [INFO] | | +- org.apache.maven.scm:maven-scm-provider-cvsjava:jar:1.9.4:runtime
    [INFO] | | | +- org.netbeans.lib:cvsclient:jar:20060125:runtime
    [INFO] | | | - ch.ethz.ganymed:ganymed-ssh2:jar:build210:runtime
    [INFO] | | +- org.apache.maven.scm:maven-scm-provider-gitexe:jar:1.9.4:runtime
    [INFO] | | | - org.apache.maven.scm:maven-scm-provider-git-commons:jar:1.9.4:runtime
    [INFO] | | +- org.apache.maven.scm:maven-scm-provider-hg:jar:1.9.4:runtime
    [INFO] | | +- org.apache.maven.scm:maven-scm-provider-perforce:jar:1.9.4:runtime
    [INFO] | | +- org.apache.maven.scm:maven-scm-provider-starteam:jar:1.9.4:runtime
    [INFO] | | +- org.apache.maven.scm:maven-scm-provider-svnexe:jar:1.9.4:runtime
    [INFO] | | +- org.apache.maven.scm:maven-scm-provider-synergy:jar:1.9.4:runtime
    [INFO] | | +- org.apache.maven.scm:maven-scm-provider-vss:jar:1.9.4:runtime
    [INFO] | | +- org.apache.maven.scm:maven-scm-provider-tfs:jar:1.9.4:runtime
    [INFO] | | +- org.apache.maven.scm:maven-scm-provider-integrity:jar:1.9.4:runtime
    [INFO] | | | +- com.mks.api:mksapi-jar:jar:4.10.9049:runtime
    [INFO] | | | - org.codehaus.groovy:groovy-all:jar:1.7.6:runtime

New version avoids it:

    [INFO] +- org.apache.maven.release:maven-release-manager:jar:3.0.1:compile
    [INFO] | +- org.apache.maven.release:maven-release-api:jar:3.0.1:compile
    [INFO] | | - org.eclipse.aether:aether-util:jar:1.0.0.v20140518:compile
    [INFO] | +- org.codehaus.plexus:plexus-sec-dispatcher:jar:2.0:compile
    [INFO] | +- org.codehaus.plexus:plexus-cipher:jar:2.0:compile
    [INFO] | +- org.apache.maven.shared:maven-invoker:jar:3.2.0:compile
    [INFO] | +- org.eclipse.aether:aether-api:jar:1.0.0.v20140518:compile
    [INFO] | +- org.apache.maven.scm:maven-scm-providers-standard:pom:2.0.0:runtime
    [INFO] | | +- org.apache.maven.scm:maven-scm-provider-gitexe:jar:2.0.0:runtime
    [INFO] | | | - org.apache.maven.scm:maven-scm-provider-git-commons:jar:2.0.0:runtime
    [INFO] | | +- org.apache.maven.scm:maven-scm-provider-jgit:jar:2.0.0:runtime
    [INFO] | | | +- org.eclipse.jgit:org.eclipse.jgit:jar:5.13.1.202206130422-r:runtime
    [INFO] | | | | - com.googlecode.javaewah:JavaEWAH:jar:1.1.13:runtime
    [INFO] | | | +- org.eclipse.jgit:org.eclipse.jgit.ssh.apache:jar:5.13.1.202206130422-r:runtime
    [INFO] | | | | +- org.apache.sshd:sshd-osgi:jar:2.7.0:runtime
    [INFO] | | | | +- org.apache.sshd:sshd-sftp:jar:2.7.0:runtime
    [INFO] | | | | | - org.apache.sshd:sshd-core:jar:2.7.0:runtime
    [INFO] | | | | | - org.apache.sshd:sshd-common:jar:2.7.0:runtime
    [INFO] | | | | - net.i2p.crypto:eddsa:jar:0.3.0:runtime
    [INFO] | | | - org.slf4j:jcl-over-slf4j:jar:1.7.36:runtime
    [INFO] | | +- org.apache.maven.scm:maven-scm-provider-hg:jar:2.0.0:runtime
    [INFO] | | - org.apache.maven.scm:maven-scm-provider-svnexe:jar:2.0.0:runtime
    [INFO] | +- org.apache.maven.scm:maven-scm-manager-plexus:jar:2.0.0:runtime
    [INFO] | +- org.apache.maven.scm:maven-scm-api:jar:2.0.0:compile
    [INFO] | +- org.apache.maven.scm:maven-scm-provider-svn-commons:jar:2.0.0:compile
    [INFO] | - org.jdom:jdom2:jar:2.0.6.1:compile
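As an added example (not part of this issue or the plugin's own code), a small Python parser for `mvn dependency:tree` output that reports the chain through which a given artifact, here groovy-all 1.7.6, reaches the build, so the path to a vulnerable transitive dependency can be checked before and after a version bump. It assumes the dependency plugin's standard three-character indentation (the trees pasted above lost their spacing when rendered) and runs on a constructed, cut-down sample tree.

```python
"""Find the chain through which an artifact enters a Maven build, from the
text that `mvn dependency:tree` (maven-dependency-plugin) prints."""
import re
from typing import List, Optional, Tuple

# A row such as "[INFO] |  \- org.codehaus.groovy:groovy-all:jar:1.7.6:runtime".
# The plugin indents each level by exactly three characters ("|  " or "   "),
# so the indent length gives the depth; the "[INFO] " log prefix is optional.
ROW = re.compile(r"^(?:\[INFO\] )?(?P<indent>(?:[| ]{3})*)(?:\+-|\\-) (?P<coord>\S+)$")
# The project itself is printed first as a bare groupId:artifactId:packaging:version.
ROOT = re.compile(r"^(?:\[INFO\] )?(?P<coord>[\w.-]+:[\w.-]+:[\w.-]+:[\w.-]+)$")

# Constructed sample, shaped like the 2.5.3 tree pasted in the issue but cut down.
SAMPLE_TREE = r"""
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.apache.maven.release:maven-release-manager:jar:2.5.3:compile
[INFO] |  +- org.apache.maven.release:maven-release-api:jar:2.5.3:compile
[INFO] |  \- org.apache.maven.scm:maven-scm-providers-standard:pom:1.9.4:runtime
[INFO] |     \- org.apache.maven.scm:maven-scm-provider-integrity:jar:1.9.4:runtime
[INFO] |        +- com.mks.api:mksapi-jar:jar:4.10.9049:runtime
[INFO] |        \- org.codehaus.groovy:groovy-all:jar:1.7.6:runtime
[INFO] \- junit:junit:jar:4.13.2:test
"""

def parse_tree(text: str) -> List[Tuple[int, str]]:
    """Return (depth, coordinate) pairs in file order; the project root is depth 0."""
    rows: List[Tuple[int, str]] = []
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if m:
            rows.append((len(m.group("indent")) // 3 + 1, m.group("coord")))
        elif not rows:  # nothing parsed yet: the first bare coordinate is the root
            m = ROOT.match(line.rstrip())
            if m:
                rows.append((0, m.group("coord")))
    return rows

def paths_to(text: str, group_id: str, artifact_id: str,
             version: Optional[str] = None) -> List[List[str]]:
    """Every root-to-leaf chain whose last element is group_id:artifact_id."""
    stack: List[str] = []
    hits: List[List[str]] = []
    for depth, coord in parse_tree(text):
        del stack[depth:]           # unwind to this row's parent
        stack.append(coord)
        parts = coord.split(":")    # g:a:type[:classifier]:version[:scope]
        v = parts[-2] if len(parts) >= 5 else parts[-1]
        if parts[0] == group_id and parts[1] == artifact_id and version in (None, v):
            hits.append(list(stack))
    return hits
```

Run it on the real output of `mvn dependency:tree` saved to a file; an empty result for the groovy coordinate after the bump to 3.0.1 is the check that the transitive path is gone.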

DRoppelt commented 11 months ago

I have a PR open that fixes it, see #369 / #389

Cannot say how critical this CVE is here, as in if the groovy classes touch any untrusted inputs, but I can tell you that it would get fixed with the PR granted it gets merged.

aleksandr-m commented 10 months ago

Done.