
Upgrade to maven-enforcer-api 3.0.0 #57

Merged (2 commits), Jan 27, 2022

Conversation

krah034 (Contributor) commented Sep 22, 2021

Breaks Java 1.7 compatibility. Is this still a hard requirement?

Closes #56

Inspired by changes in mojohaus/extra-enforcer-rules@d380fe5

DarthHater (Member) commented

@bkrahl-nli can you go to: https://sonatypecla.herokuapp.com/sign-cla and sign the CLA for us? Once you have done so let me know!

krah034 (Contributor, Author) commented Dec 16, 2021

Hi @DarthHater! I signed the CLA.

DarthHater (Member) commented

@bkrahl-nli awesome. Next step, just some help on testing this out would be nice. I'm the second string on this project, but I'd like to help verify it's all gravy. Do you have an example I can follow?

krah034 added a commit to krah034/oss-vulnerability-check-demo that referenced this pull request Dec 17, 2021
krah034 pushed a commit to krah034/oss-vulnerability-check-demo that referenced this pull request Dec 17, 2021
krah034 (Contributor, Author) commented Dec 17, 2021

@DarthHater, sure. I created a little demo project based on https://start.spring.io/. It requires JDK 8. And the build will fail since it has a dependency on log4j 2.15.0 with the incomplete fix for CVE-2021-44228 here for testing (low vulnerability).

https://github.com/bkrahl-nli/oss-vulnerability-check-demo

I would suggest that you clone it and build it first. It should fail since it can't find the ossindex-maven-enforcer-rules 3.1.1-SNAPSHOT dependency.

Afterwards checkout this pull request and trigger a mvn clean install. Now the oss-vulnerability-check-demo project should build and fail with a vulnerability warning.

I described this in more detail in README.md.
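The consumer-side wiring the test procedure above relies on, added here as an illustration and not the demo repository's actual pom.xml: the enforcer plugin version, the rule artifact and snapshot version, the execution id, the rule class and the log4j-core 2.15.0 dependency are taken from this thread; the groupId org.sonatype.ossindex.maven, the `banVulnerableDependencies` element name and the `validate` phase are assumed from the project's documented usage.

```xml
<!-- Constructed example; not the demo project's pom.xml. -->
<project>
  <dependencies>
    <!-- The deliberately vulnerable dependency the demo carries so the rule has something to flag -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.15.0</version>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <!-- The enforcer release whose API this PR targets -->
        <version>3.0.0</version>
        <dependencies>
          <!-- Rule implementation built locally from this PR with `mvn clean install`;
               3.2.0 is the released version that later shipped the same change -->
          <dependency>
            <groupId>org.sonatype.ossindex.maven</groupId>
            <artifactId>ossindex-maven-enforcer-rules</artifactId>
            <version>3.1.1-SNAPSHOT</version>
          </dependency>
        </dependencies>
        <executions>
          <execution>
            <!-- Execution id as it appears in the failure output quoted in the review -->
            <id>vulnerability-checks</id>
            <!-- Phase is an assumption; binding early fails the build before anything is compiled -->
            <phase>validate</phase>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <!-- Rule class named in the BUILD FAILURE output below -->
                <banVulnerableDependencies implementation="org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies"/>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With the rule installed locally, a build of a project declared like this should stop at the enforcer execution and print the BanVulnerableDependencies warning for log4j-core 2.15.0.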

krah034 pushed a commit to krah034/oss-vulnerability-check-demo that referenced this pull request Dec 17, 2021
krah034 (Contributor, Author) commented Dec 23, 2021

@DarthHater can I further assist you on testing this change?

@@ -41,7 +41,7 @@
<dependency>
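Review bot: the Lift finding attached to this one-line change around the `<dependency>` block is about a transitive, not the enforcer-api line itself: enforcer-api@3.0.0 resolves plexus-utils@2.0.4, which carries CVE-2017-1000487 (CVSS 9.8, command injection) plus two unscored OSS Index advisories. Bumping the API version should be paired with an explicit override of plexus-utils to a fixed line (the follow-up commit in this thread pins 3.0.24), so the rule plugin does not ship the vulnerable utility on its own classpath.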

Critical OSS Vulnerability:

pkg:maven/org.apache.maven.enforcer/enforcer-api@3.0.0

3 Critical, 0 Severe, 0 Moderate, 6 Unknown vulnerabilities have been found across 3 dependencies

Components
    pkg:maven/org.codehaus.plexus/plexus-utils@2.0.4
      CRITICAL Vulnerabilities (1)

        [CVE-2017-1000487] Improper Neutralization of Special Elements used in a Command (Command Injection)

        Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.

        CVSS Score: 9.8

        CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

      UNKNOWN Vulnerabilities (2)
        OSSINDEX-d093-0e6b-3210

        Possible XML Injection

        > org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment(XMLWriter, String, int, int, int) does not check if the comment includes a "-->" sequence. This means that text contained in the command string could be interpreted as XML, possibly leading to XML injection issues, depending on how this method is being called. (github.com)

        CVSS Score: 0

        OSSINDEX-d89d-15b4-33be

        Directory traversal in org.codehaus.plexus.util.Expand

        > org.codehaus.plexus.util.Expand does not guard against directory traversal, but such protection is generally expected from unarchiving tools. (github.com)

        CVSS Score: 0


(at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)

@@ -64,11 +64,9 @@
<artifactId>maven-artifact</artifactId>
</dependency>

<!-- maven-enforcer-plugin uses older maven-dependency-tree 2.x API and is not compatible with latest 3.x -->
<dependency>
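Review bot: the context comment `<!-- maven-enforcer-plugin uses older maven-dependency-tree 2.x API and is not compatible with latest 3.x -->` is stale against what this hunk resolves: Lift reports maven-dependency-tree@3.1.0 here, and the pre-change failure quoted in the review (NoSuchMethodError on `DependencyGraphBuilder.buildDependencyGraph(MavenProject, ArtifactFilter)`) is the older API the comment refers to going missing under enforcer 3.0.0. If the two removed lines (-64,11 +64,9) are not that comment, drop or reword it so the pom does not document the opposite of the version it now pins. The same plexus-utils@2.0.4 transitive is repeated across all 18 flagged paths; one managed override resolves them together.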

Critical OSS Vulnerability:

pkg:maven/org.apache.maven.shared/maven-dependency-tree@3.1.0

18 Critical, 0 Severe, 0 Moderate, 36 Unknown vulnerabilities have been found across 18 dependencies

Components
    pkg:maven/org.codehaus.plexus/plexus-utils@2.0.4
      CRITICAL Vulnerabilities (1)

        [CVE-2017-1000487] Improper Neutralization of Special Elements used in a Command (Command Injection)

        Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.

        CVSS Score: 9.8

        CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

      UNKNOWN Vulnerabilities (2)
        OSSINDEX-d093-0e6b-3210

        Possible XML Injection

        > org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment(XMLWriter, String, int, int, int) does not check if the comment includes a "-->" sequence. This means that text contained in the command string could be interpreted as XML, possibly leading to XML injection issues, depending on how this method is being called. (github.com)

        CVSS Score: 0

        OSSINDEX-d89d-15b4-33be

        Directory traversal in org.codehaus.plexus.util.Expand

        > org.codehaus.plexus.util.Expand does not guard against directory traversal, but such protection is generally expected from unarchiving tools. (github.com)

        CVSS Score: 0


(at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)

* Upgrades vulnerable transitive dependency plexus-utils from 2.0.4
  to version 3.0.24
krah034 (Contributor, Author) commented Jan 4, 2022

I updated the Maven dependencies and ossindex-service-client so that we don't rely on vulnerable plexus-utils 2.0.4 anymore, as reported by sonatype-lift. I pushed it to a separate branch in commit krah034/ossindex-maven@dacf3cb.

@jdillon, should I add the above commit to this pull request too?

DarthHater (Member) commented

@bkrahl-nli I wouldn't mind if you did so!

krah034 (Contributor, Author) commented Jan 11, 2022

Is there anything I can do to help here?

ndonewar (Contributor) left a review comment

@bkrahl-nli Sorry for the delay, and thank you for your contribution! I've tested these changes locally, and they look good.

Previously the output for building the test project was:

[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  2.516 s
[INFO] Finished at: 2022-01-26T15:09:06-05:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce (vulnerability-checks) on project demo: Execution vulnerability-checks of goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce failed: An API incompatibility was encountered while executing org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce: java.lang.NoSuchMethodError: 'org.apache.maven.shared.dependency.graph.DependencyNode org.apache.maven.shared.dependency.graph.DependencyGraphBuilder.buildDependencyGraph(org.apache.maven.project.MavenProject, org.apache.maven.artifact.resolver.filter.ArtifactFilter)'

With these changes, the output for building the test project is (as expected):

[WARNING] Rule 0: org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies failed with message:
Detected 1 vulnerable components:
  org.apache.logging.log4j:log4j-core:jar:2.15.0:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.logging.log4j/log4j-core@2.15.0?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
    * [CVE-2021-45105] Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not prot... (7.5); https://ossindex.sonatype.org/vulnerability/7cc258a5-d3ab-451f-bd27-415ae0e3b457?component-type=maven&component-name=org.apache.logging.log4j.log4j-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
    * [CVE-2021-45046] It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was i... (3.7); https://ossindex.sonatype.org/vulnerability/edaf092e-e7f3-4c69-8f01-a5c6fc44890a?component-type=maven&component-name=org.apache.logging.log4j.log4j-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1

[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------

@ndonewar ndonewar merged commit 07633ec into sonatype:master Jan 27, 2022
astubbs commented Jan 28, 2022

Is there somewhere we can track the next release this will be included in?

ndonewar (Contributor) commented Feb 1, 2022

> Is there somewhere we can track the next release this will be included in?

Normally a release would be created soon after such a change is merged. However, the project needed some attention to get the release out, as this project hadn't been released in a few years. The 3.2.0 release, which includes the changes in this PR, is out now:
https://github.com/sonatype/ossindex-maven/releases

Closes issue: Not compatible with Maven Enforcer Plugin 3.0.0?

5 participants