Upgrade to maven-enforcer-api 3.0.0 #57
@bkrahl-nli can you go to: https://sonatypecla.herokuapp.com/sign-cla and sign the CLA for us? Once you have done so let me know!
Hi @DarthHater! I signed the CLA.
@bkrahl-nli awesome. Next step, just some help on testing this out would be nice. I'm the second string on this project, but I'd like to help verify it's all gravy. Do you have an example I can follow?
@DarthHater, sure. I created a little demo project based on https://start.spring.io/. It requires JDK 8. And the build will fail since it has a dependency on log4j 2.15.0 with the incomplete fix for CVE-2021-44228 here for testing (low vulnerability). https://github.com/bkrahl-nli/oss-vulnerability-check-demo I would suggest that you clone it and build it first. It should fail since it can't find the Afterwards checkout this pull request and trigger a I described this in more detail in README.md.
@DarthHater can I further assist you on testing this change?
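As an added example (not part of the demo repository or of the ossindex-maven project itself), the following minimal pom.xml reproduces the setup described above: a project that depends on log4j-core 2.15.0 and runs the BanVulnerableDependencies rule through maven-enforcer-plugin 3.0.0 in an execution named vulnerability-checks, matching the build output quoted later in this thread. The coordinates of the rule artifact (org.sonatype.ossindex.maven:ossindex-maven-enforcer-rules) and its version are assumptions; 3.2.0 is the release the thread names as containing this fix.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <maven.compiler.source>1.8</maven.compiler.source>
    <maven.compiler.target>1.8</maven.compiler.target>
  </properties>

  <dependencies>
    <!-- Deliberately vulnerable test dependency: 2.15.0 carries the incomplete fix
         for CVE-2021-44228, so the rule is expected to flag it and fail the build. -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.15.0</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0</version>
        <dependencies>
          <!-- Assumed coordinates and version of the rule artifact; the enforcer
               plugin loads custom rules from its own plugin-level dependencies. -->
          <dependency>
            <groupId>org.sonatype.ossindex.maven</groupId>
            <artifactId>ossindex-maven-enforcer-rules</artifactId>
            <version>3.2.0</version>
          </dependency>
        </dependencies>
        <executions>
          <execution>
            <!-- Execution id taken from the build output quoted in this thread -->
            <id>vulnerability-checks</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <!-- Custom rules are referenced by implementation class in enforcer 3.0.0 -->
                <banVulnerableDependencies
                    implementation="org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies"/>
              </rules>
              <!-- Fail the build (rather than only warn) when a vulnerable component is detected -->
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn verify` against a rule artifact built before this PR aborts with the NoSuchMethodError on DependencyGraphBuilder.buildDependencyGraph, because the rule still calls the 2.x dependency-tree API that enforcer 3.0.0 no longer provides; with the fixed rule the enforcer reaches the OSS Index lookup and the build fails for the intended reason, the two log4j-core findings quoted later in the thread.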
...rcer-rules/src/main/java/org/sonatype/ossindex/maven/enforcer/BanVulnerableDependencies.java
@@ -41,7 +41,7 @@ | |||
<dependency> |
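Review bot: the hunk at line 41 shows only the `<dependency>` opener, so the version bump itself is not visible here, but the scan attached to this line reports that enforcer-api 3.0.0 pulls plexus-utils 2.0.4 transitively, and that version carries CVE-2017-1000487 (command injection, CVSS 9.8). A rule set whose purpose is banning vulnerable dependencies should not pick up a critical transitive finding from the upgrade; pin plexus-utils to 3.0.24 via dependencyManagement (the follow-up commit mentioned later in this thread does exactly that) or exclude it from this dependency, and re-run the scan on the hunk to confirm the finding clears.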
Critical OSS Vulnerability:
pkg:maven/org.apache.maven.enforcer/enforcer-api@3.0.0
3 Critical, 0 Severe, 0 Moderate, 6 Unknown vulnerabilities have been found across 3 dependencies
Components
pkg:maven/org.codehaus.plexus/plexus-utils@2.0.4
CRITICAL Vulnerabilities (1)
[CVE-2017-1000487] Improper Neutralization of Special Elements used in a Command (Command Injection)
Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
UNKNOWN Vulnerabilities (2)
OSSINDEX-d093-0e6b-3210
Possible XML Injection
> org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment(XMLWriter, String, int, int, int) does not check if the comment includes a "-->" sequence. This means that text contained in the command string could be interpreted as XML, possibly leading to XML injection issues, depending on how this method is being called.
> -- github.com
CVSS Score: 0
OSSINDEX-d89d-15b4-33be
Directory traversal in org.codehaus.plexus.util.Expand
> org.codehaus.plexus.util.Expand does not guard against directory traversal, but such protection is generally expected from unarchiving tools.
> -- github.com
CVSS Score: 0
@@ -64,11 +64,9 @@ | |||
<artifactId>maven-artifact</artifactId> | |||
</dependency> | |||
|
|||
<!-- maven-enforcer-plugin uses older maven-dependency-tree 2.x API and is not compatible with latest 3.x --> | |||
<dependency> |
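Review bot: the comment `<!-- maven-enforcer-plugin uses older maven-dependency-tree 2.x API and is not compatible with latest 3.x -->` no longer matches what this hunk resolves, since the scan attached to this line reports maven-dependency-tree@3.1.0; if the comment survives the hunk, update or drop it so the pom does not document a 2.x pin that is gone. The NoSuchMethodError on DependencyGraphBuilder.buildDependencyGraph quoted in the build output later in this thread is the very 2.x/3.x API difference the comment was warning about, which is why the rule code must move with this version. The same plexus-utils 2.0.4 finding (CVE-2017-1000487) recurs through this dependency, so the plexus-utils pin has to cover this path as well, not only enforcer-api.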
Critical OSS Vulnerability:
pkg:maven/org.apache.maven.shared/maven-dependency-tree@3.1.0
18 Critical, 0 Severe, 0 Moderate, 36 Unknown vulnerabilities have been found across 18 dependencies
Components
pkg:maven/org.codehaus.plexus/plexus-utils@2.0.4
CRITICAL Vulnerabilities (1)
[CVE-2017-1000487] Improper Neutralization of Special Elements used in a Command (Command Injection)
Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
UNKNOWN Vulnerabilities (2)
OSSINDEX-d093-0e6b-3210
Possible XML Injection
> org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment(XMLWriter, String, int, int, int) does not check if the comment includes a "-->" sequence. This means that text contained in the command string could be interpreted as XML, possibly leading to XML injection issues, depending on how this method is being called.
> -- github.com
CVSS Score: 0
OSSINDEX-d89d-15b4-33be
Directory traversal in org.codehaus.plexus.util.Expand
> org.codehaus.plexus.util.Expand does not guard against directory traversal, but such protection is generally expected from unarchiving tools.
> -- github.com
CVSS Score: 0
* Upgrades vulnerable transitive dependency plexus-utils from 2.0.4 to version 3.0.24
I updated the Maven dependencies and @jdillon, should I add the above commit to this pull request too?
@bkrahl-nli I wouldn't mind if you did so!
Is there anything I can do to help here?
@bkrahl-nli Sorry for the delay, and thank you for your contribution! I've tested these changes locally, and they look good.
Previously the output for building the test project was:
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.516 s
[INFO] Finished at: 2022-01-26T15:09:06-05:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce (vulnerability-checks) on project demo: Execution vulnerability-checks of goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce failed: An API incompatibility was encountered while executing org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce: java.lang.NoSuchMethodError: 'org.apache.maven.shared.dependency.graph.DependencyNode org.apache.maven.shared.dependency.graph.DependencyGraphBuilder.buildDependencyGraph(org.apache.maven.project.MavenProject, org.apache.maven.artifact.resolver.filter.ArtifactFilter)'
With these changes, the output for building the test project is (as expected):
[WARNING] Rule 0: org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies failed with message:
Detected 1 vulnerable components:
org.apache.logging.log4j:log4j-core:jar:2.15.0:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.logging.log4j/log4j-core@2.15.0?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
* [CVE-2021-45105] Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not prot... (7.5); https://ossindex.sonatype.org/vulnerability/7cc258a5-d3ab-451f-bd27-415ae0e3b457?component-type=maven&component-name=org.apache.logging.log4j.log4j-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
* [CVE-2021-45046] It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was i... (3.7); https://ossindex.sonatype.org/vulnerability/edaf092e-e7f3-4c69-8f01-a5c6fc44890a?component-type=maven&component-name=org.apache.logging.log4j.log4j-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
Is there somewhere we can track the next release this will be included in?
Normally a release would be created soon after such a change is merged. However, the project needed some attention to get the release out, as this project hadn't been released in a few years. The 3.2.0 release, which includes the changes in this PR, is out now:
Breaks Java 1.7 compatibility. Is this still a hard requirement?
Closes #56
Inspired by changes in mojohaus/extra-enforcer-rules@d380fe5