siom79 / japicmp

Comparison of two versions of a jar archive
https://siom79.github.io/japicmp
Apache License 2.0

Upgrade maven-core to fix vulnerability #334

Closed zly123987123 closed 2 years ago

zly123987123 commented 2 years ago

Hi, the current version of the artifact org.apache.maven:maven-core:3.6.3 is subject to CVE-2021-26291 (https://nvd.nist.gov/vuln/detail/CVE-2021-26291). Would you please consider upgrading it to the closest secure version, 3.8.1? The unit tests have passed:

```
[INFO] 
[INFO] -----------< com.github.siom79.japicmp:japicmp-maven-plugin >-----------
[INFO] Building japicmp-maven-plugin 0.16.1-SNAPSHOT
[INFO] ----------------------------[ maven-plugin ]----------------------------
[INFO] 
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ japicmp-maven-plugin ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /Users/lyuye/workspace/remediation/real_pr_repos/japicmp/japicmp-maven-plugin/src/main/resources
[INFO] 
[INFO] --- maven-compiler-plugin:3.10.1:compile (default-compile) @ japicmp-maven-plugin ---
[INFO] Nothing to compile - all classes are up to date
[INFO] 
[INFO] --- maven-plugin-plugin:3.6.4:descriptor (default-descriptor) @ japicmp-maven-plugin ---
[INFO] Using 'UTF-8' encoding to read mojo source files.
[INFO] java-javadoc mojo extractor found 0 mojo descriptor.
[INFO] bsh mojo extractor found 0 mojo descriptor.
[INFO] ant mojo extractor found 0 mojo descriptor.
[INFO] java-annotations mojo extractor found 2 mojo descriptors.
[INFO] 
[INFO] --- maven-plugin-plugin:3.6.4:helpmojo (help-descriptor) @ japicmp-maven-plugin ---
[INFO] Using 'UTF-8' encoding to read mojo source files.
[INFO] java-javadoc mojo extractor found 0 mojo descriptor.
[INFO] bsh mojo extractor found 0 mojo descriptor.
[INFO] ant mojo extractor found 0 mojo descriptor.
[INFO] java-annotations mojo extractor found 2 mojo descriptors.
[INFO] 
[INFO] --- maven-dependency-plugin:3.3.0:copy (copy) @ japicmp-maven-plugin ---
[INFO] Configured Artifact: com.google.guava:guava:19.0:jar
[INFO] Configured Artifact: com.google.guava:guava:18.0:jar
[INFO] Copying guava-19.0.jar to /Users/lyuye/workspace/remediation/real_pr_repos/japicmp/japicmp-maven-plugin/target/guava-19.0.jar
[INFO] Copying guava-18.0.jar to /Users/lyuye/workspace/remediation/real_pr_repos/japicmp/japicmp-maven-plugin/target/guava-18.0.jar
[INFO] 
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ japicmp-maven-plugin ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /Users/lyuye/workspace/remediation/real_pr_repos/japicmp/japicmp-maven-plugin/src/test/resources
[INFO] 
[INFO] --- maven-compiler-plugin:3.10.1:testCompile (default-testCompile) @ japicmp-maven-plugin ---
[INFO] Nothing to compile - all classes are up to date
[INFO] 
[INFO] --- maven-surefire-plugin:3.0.0-M7:test (default-test) @ japicmp-maven-plugin ---
[INFO] Using auto detected provider org.apache.maven.surefire.junit4.JUnit4Provider
[INFO] 
[INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Running japicmp.maven.SkipModuleStrategyTest
[INFO] Tests run: 7, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.718 s - in japicmp.maven.SkipModuleStrategyTest
[INFO] Running japicmp.maven.JApiCmpMojoTest
[INFO] Tests run: 12, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.211 s - in japicmp.maven.JApiCmpMojoTest
[INFO] Running japicmp.maven.VersionChangeTest
[INFO] Tests run: 15, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.004 s - in japicmp.maven.VersionChangeTest
[INFO] 
[INFO] Results:
[INFO] 
[INFO] Tests run: 34, Failures: 0, Errors: 0, Skipped: 0
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  8.539 s
[INFO] Finished at: 2022-08-31T13:40:49+08:00
[INFO] ------------------------------------------------------------------------
```

Thank you for your attention!

zly123987123 commented 2 years ago

Btw, based on our reachability analysis, the breaking APIs detected by japicmp of maven-core are not used by your project.

siom79 commented 2 years ago

Merge manually due to conflicts.