Details
- Type: Improvement
- Status: Open
- Priority: Major
- Resolution: Unresolved
Description
We recently got some security vulnerability reported related to maven-core, which is a transitive dependency used in many / some of the Sling Maven plugins.
While maven-core is always taken from the Maven installation in the current version, the vulnerable jars are downloaded when using the plugins, and hence found and reported by security scanners.
We should update our Maven plugins to use the 3.8.x version of Maven at least.
Issue Links
- relates to: MPLUGIN-370 check that plugin dependencies that are already exported by Maven are scope provided (Closed)
- links to:

| # | Summary | Status | Assignee |
|---|---------|--------|----------|
| 1 | Update sling-slingfeature-maven-plugin to maven 3.8.1 | Open | Unassigned |
| 2 | Update sling-slingstart-maven-plugin to maven 3.8.x | Open | Unassigned |
| 3 | Update sling-maven-launchpad-plugin to maven 3.8.x | Open | Unassigned |
| 4 | Update sling-kickstart-maven-plugin to maven 3.8.x | Open | Unassigned |
| 5 | Update sling-jspc-maven-plugin to maven 3.8.x | Open | Unassigned |
| 6 | Update sling-feature-converter-maven-plugin to maven 3.8.x | Open | Unassigned |
| 7 | Update sling-htl-maven-plugin to maven 3.8.x | Open | Unassigned |
| 8 | Update sling-feature-launcher-maven-plugin to maven 3.8.x | Open | Unassigned |
| 9 | Update sling-maven-plugin to maven 3.8.x | Open | Unassigned |
| 10 | Update sling-scriptingbundle-maven-plugin to maven 3.8.x | In Progress | Dirk Rudolph |
The proper fix is to change the Maven dependencies provided by the Maven distribution to scope provided. That way they are no longer downloaded (for no reason). Compare with https://issues.apache.org/jira/browse/MPLUGIN-370.
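The following is an added example illustrating the fix described in the comment above and the check that MPLUGIN-370 asks for; it is not code from any Sling plugin or from the Maven plugin tools. It embeds a constructed pom fragment for a hypothetical `org.example:example-maven-plugin` in which maven-core and maven-plugin-api sit in the default compile scope (so they and their transitive jars are resolved and downloaded on every plugin run), the same fragment with those artifacts moved to scope provided, and a small checker that flags Maven-exported artifacts declared without `provided`. The set of exported artifacts is an illustrative subset, not Maven's complete export list, and the version 3.8.1 is taken from the linked issue list.

```python
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Illustrative subset of artifacts the Maven runtime already exports to plugins.
# Assumption: this is not the complete or version-specific export list.
MAVEN_EXPORTED = {
    ("org.apache.maven", "maven-core"),
    ("org.apache.maven", "maven-plugin-api"),
    ("org.apache.maven", "maven-model"),
    ("org.apache.maven", "maven-artifact"),
}


def find_misscoped_maven_deps(pom_xml: str) -> list:
    """Return (groupId, artifactId, effective scope) for each direct dependency
    that Maven already exports but which is not declared with scope 'provided'.
    A missing <scope> element defaults to 'compile', as Maven itself does."""
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        gid = dep.findtext("m:groupId", default="", namespaces=POM_NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=POM_NS).strip()
        scope = dep.findtext("m:scope", default="compile", namespaces=POM_NS).strip()
        if (gid, aid) in MAVEN_EXPORTED and scope != "provided":
            findings.append((gid, aid, scope))
    return findings


# Constructed pom fragment for a hypothetical plugin (not a real Sling pom):
# the Maven artifacts are in compile scope, so they are resolved and
# downloaded, together with their transitive jars, whenever the plugin runs.
BEFORE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-maven-plugin</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <packaging>maven-plugin</packaging>
  <dependencies>
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-core</artifactId>
      <version>3.8.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-plugin-api</artifactId>
      <version>3.8.1</version>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>some-library</artifactId>
      <version>2.0</version>
    </dependency>
  </dependencies>
</project>"""

# Corrected fragment: the same Maven artifacts marked provided, so the plugin
# compiles against them but uses the running Maven's own copies at runtime.
AFTER_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-maven-plugin</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <packaging>maven-plugin</packaging>
  <dependencies>
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-core</artifactId>
      <version>3.8.1</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-plugin-api</artifactId>
      <version>3.8.1</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>some-library</artifactId>
      <version>2.0</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    print("before:", find_misscoped_maven_deps(BEFORE_POM))
    print("after: ", find_misscoped_maven_deps(AFTER_POM))
```

The checker only looks at direct `<dependencies>` of the project element, not at `<dependencyManagement>`, and assumes the standard POM namespace. Run against a real plugin pom by reading the file into `find_misscoped_maven_deps`; an empty result means every listed Maven artifact is already provided-scoped, which is what stops the scanner-flagged jars from being downloaded in the first place.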