Small question regarding Java and maven please.
With a very simple project, reproducible 100%, with just this code snippet (please feel free to copy paste)
JavaScript
x
<?xml version="1.0" encoding="UTF-8"?><project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.6.6</version> <relativePath/> </parent> <groupId>org.example</groupId> <artifactId>cvequestion</artifactId> <version>1.0-SNAPSHOT</version> <packaging>pom</packaging> <properties> <java.version>11</java.version> <maven.compiler.source>11</maven.compiler.source> <maven.compiler.target>11</maven.compiler.target> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding> <project.type>application</project.type> <sonar.java.coveragePlugin>jacoco</sonar.java.coveragePlugin> <sonar.java.libraries>target/</sonar.java.libraries> <sonar.junit.reportsPaths>target/reports/junit</sonar.junit.reportsPaths> <sonar.language>java</sonar.language> </properties> <dependencyManagement> <dependencies> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-dependencies</artifactId> <version>2021.0.1</version> <type>pom</type> <scope>import</scope> </dependency> </dependencies> </dependencyManagement> <dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-webflux</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-data-cassandra-reactive</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-actuator</artifactId> </dependency> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-kubernetes-fabric8</artifactId> </dependency> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-config-client</artifactId> </dependency> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-sleuth</artifactId> </dependency> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-sleuth-zipkin</artifactId> </dependency> <dependency> <groupId>io.projectreactor.netty</groupId> <artifactId>reactor-netty-http-brave</artifactId> </dependency> <dependency> <groupId>io.micrometer</groupId> <artifactId>micrometer-registry-prometheus</artifactId> </dependency> <dependency> <groupId>io.github.resilience4j</groupId> <artifactId>resilience4j-micrometer</artifactId> </dependency> <dependency> <groupId>io.github.resilience4j</groupId> <artifactId>resilience4j-reactor</artifactId> </dependency> <dependency> <groupId>io.github.resilience4j</groupId> <artifactId>resilience4j-spring-boot2</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-test</artifactId> <scope>test</scope> </dependency> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-contract-verifier</artifactId> <scope>test</scope> </dependency> <dependency> <groupId>org.junit.jupiter</groupId> <artifactId>junit-jupiter</artifactId> <scope>test</scope> </dependency> <dependency> <groupId>org.mockito</groupId> <artifactId>mockito-core</artifactId> <scope>test</scope> </dependency> <dependency> <groupId>com.lmax</groupId> <artifactId>disruptor</artifactId> <version>3.4.4</version> </dependency> <dependency> <groupId>org.springframework.statemachine</groupId> <artifactId>spring-statemachine-core</artifactId> <version>3.0.1</version> </dependency> <dependency> <groupId>net.logstash.logback</groupId> <artifactId>logstash-logback-encoder</artifactId> <version>7.0.1</version> </dependency> <dependency> <groupId>de.codecentric</groupId> <artifactId>spring-boot-admin-starter-client</artifactId> <version>2.6.2</version> </dependency> <dependency> <groupId>org.springdoc</groupId> <artifactId>springdoc-openapi-webflux-ui</artifactId> <version>1.6.6</version> </dependency> <dependency> <groupId>io.github.hakky54</groupId> <artifactId>sslcontext-kickstart-for-netty</artifactId> <version>7.3.0</version> </dependency> </dependencies> <build> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-compiler-plugin</artifactId> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-surefire-plugin</artifactId> <configuration> <testFailureIgnore>true</testFailureIgnore> <reportsDirectory>target/reports/junit</reportsDirectory> </configuration> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-javadoc-plugin</artifactId> <configuration> <outputDirectory>target/javadoc</outputDirectory> <reportOutputDirectory>target/javadoc</reportOutputDirectory> <javadocExecutable>${java.home}/bin/javadoc</javadocExecutable> </configuration> <executions> <execution> <goals> <goal>javadoc</goal> </goals> <phase>site</phase> </execution> </executions> </plugin> <plugin> <groupId>org.sonarsource.scanner.maven</groupId> <artifactId>sonar-maven-plugin</artifactId> <version>3.9.1.2184</version> <dependencies> <dependency> <groupId>org.codehaus.woodstox</groupId> <artifactId>woodstox-core-asl</artifactId> <version>4.4.1</version> </dependency> </dependencies> </plugin> <plugin> <groupId>com.github.spotbugs</groupId> <artifactId>spotbugs-maven-plugin</artifactId> <version>4.5.3.0</version> <configuration> <outputDirectory>target/reports/findbugs</outputDirectory> </configuration> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-pmd-plugin</artifactId> <version>3.16.0</version> <configuration> <targetDirectory>.out/reports/pmd</targetDirectory> <outputDirectory>target/reports/pmd</outputDirectory> </configuration> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-checkstyle-plugin</artifactId> <version>3.1.2</version> <configuration> <outputFile>.out/reports/checkstyle/checkstyle-result.xml</outputFile> <outputDirectory>target/reports/checkstyle</outputDirectory> <outputFileFormat>xml</outputFileFormat> </configuration> <dependencies> <dependency> <groupId>com.puppycrawl.tools</groupId> <artifactId>checkstyle</artifactId> <version>10.0</version> </dependency> </dependencies> </plugin> <plugin> <groupId>org.jacoco</groupId> <artifactId>jacoco-maven-plugin</artifactId> <version>0.8.7</version> <configuration> <append>true</append> </configuration> <executions> <execution> <goals> <goal>prepare-agent</goal> </goals> </execution> <execution> <id>report</id> <phase>verify</phase> <goals> <goal>report</goal> <goal>report-aggregate</goal> </goals> </execution> </executions> </plugin> <plugin> <groupId>org.pitest</groupId> <artifactId>pitest-maven</artifactId> <version>1.7.5</version> <configuration> <withHistory>true</withHistory> <threads>16</threads> <outputFormats> <param>XML</param> <param>HTML</param> </outputFormats> <mutators> <mutator>CONDITIONALS_BOUNDARY</mutator> <mutator>INCREMENTS</mutator> <mutator>INVERT_NEGS</mutator> <mutator>MATH</mutator> <mutator>NEGATE_CONDITIONALS</mutator> <mutator>EMPTY_RETURNS</mutator> <mutator>FALSE_RETURNS</mutator> <mutator>TRUE_RETURNS</mutator> <mutator>PRIMITIVE_RETURNS</mutator> <mutator>REMOVE_INCREMENTS</mutator> <mutator>EXPERIMENTAL_BIG_INTEGER</mutator> <mutator>EXPERIMENTAL_MEMBER_VARIABLE</mutator> <mutator>EXPERIMENTAL_SWITCH</mutator> </mutators> </configuration> <dependencies> <dependency> <groupId>org.pitest</groupId> <artifactId>pitest-junit5-plugin</artifactId> <version>0.15</version> </dependency> </dependencies> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-site-plugin</artifactId> <version>3.11.0</version> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-project-info-reports-plugin</artifactId> <version>3.2.2</version> </plugin> </plugins> </build> <reporting> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-jxr-plugin</artifactId> <version>3.2.0</version> </plugin> </plugins> </reporting></project>and running this simple command: (please feel free to run)
JavaScript
mvn clean install dependency:tree -XAfter feeding this to some static analysis (Black Duck, SonarQube, Dependency-check, etc…)
I am being flagged with this CVE:
CVE-2017-1000487 on two jars : plexus-utils-2.0.4.jar plexus-utils-3.0.10.jar
I am having a hard time understanding, since the output so far is:
JavaScript
INFO] --- maven-clean-plugin:3.1.0:clean (default-clean) @ cvequestion ---[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=53001, ConflictMarker.markTime=16625, ConflictMarker.nodeCount=14, ConflictIdSorter.graphTime=30625, ConflictIdSorter.topsortTime=11493, ConflictIdSorter.conflictIdCount=12, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=215510, ConflictResolver.conflictItemCount=14, DefaultDependencyCollector.collectTime=75144505, DefaultDependencyCollector.transformTime=399107}[DEBUG] org.apache.maven.plugins:maven-clean-plugin:jar:3.1.0[DEBUG] org.apache.maven:maven-plugin-api:jar:3.0:compile[DEBUG] org.apache.maven:maven-model:jar:3.0:compile[DEBUG] org.codehaus.plexus:plexus-utils:jar:2.0.4:compileAnd I do not see plexus-utils-3.0.10.jar in the dependency tree at all.
Question 1: Where is this plexus-utils-3.0.10.jar coming from? I do not have this dependency, and no one from the tree is pulling this dependency.
Question 2: May I ask how do I fix this CVE please? I am interesting in the process and steps of fixing this.
Thank you
Advertisement
Answer
Credits to khmarbaise, upgrading to the latest Maven clean plugin 3.2.0 does fix this issue.