Sling / SLING-12331

Update sling maven plugins to maven 3.8.x

Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved

    Description

      We recently got some security vulnerability reported related to maven-core, which is a transitive dependency used in many / some of the sling maven plugins. 

      While maven-core is always taken from the maven installation in the current version, the vulnerable jars are downloaded when using the plugins, and hence found and reported by security scanners.

      We should update our maven plugins to use the 3.8.x version of maven at least.

          Activity

            kwin Konrad Windszus added a comment - The proper fix is to change the Maven dependencies provided by the Maven distribution to scope provided. That way they are no longer downloaded (for no reason). Compare with https://issues.apache.org/jira/browse/MPLUGIN-370.
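
One way to check a plugin POM for the condition the comment above describes, as an added example (not code from the Sling project or from the commenter). The artifact list, the function name and the sample POM are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Assumption: illustrative subset of the org.apache.maven artifacts that ship
# in the Maven distribution; extend it to match the Maven version you build with.
MAVEN_RUNTIME = {"maven-core", "maven-plugin-api", "maven-model",
                 "maven-artifact", "maven-settings"}

# Constructed plugin POM (not taken from any Sling module).
SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-maven-plugin</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <packaging>maven-plugin</packaging>
  <dependencies>
    <dependency><groupId>org.apache.maven</groupId><artifactId>maven-core</artifactId>
      <version>${maven.version}</version></dependency>
    <dependency><groupId>org.apache.maven</groupId><artifactId>maven-plugin-api</artifactId>
      <version>${maven.version}</version><scope>provided</scope></dependency>
    <dependency><groupId>org.apache.maven</groupId><artifactId>maven-model</artifactId>
      <version>${maven.version}</version><scope>compile</scope></dependency>
    <dependency><groupId>commons-io</groupId><artifactId>commons-io</artifactId>
      <version>${commons-io.version}</version></dependency>
  </dependencies>
</project>
"""

def non_provided_maven_deps(pom_xml):
    """Return (artifactId, effective scope) for Maven runtime artifacts not in scope provided."""
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = (dep.findtext("m:groupId", "", NS) or "").strip()
        artifact = (dep.findtext("m:artifactId", "", NS) or "").strip()
        # A missing <scope> means Maven's default scope, compile. Scopes inherited
        # from a parent's dependencyManagement are not resolved here.
        scope = (dep.findtext("m:scope", "", NS) or "").strip() or "compile"
        if group == "org.apache.maven" and artifact in MAVEN_RUNTIME and scope != "provided":
            findings.append((artifact, scope))
    return findings

if __name__ == "__main__":
    for artifact, scope in non_provided_maven_deps(SAMPLE_POM):
        print(f"{artifact}: scope '{scope}', expected 'provided'")
```

Run against a real plugin module by passing the text of its `pom.xml`; an empty result means none of the listed artifacts is declared directly with a scope other than provided.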

            People

              Assignee: Unassigned
              Reporter: Dirk Rudolph (diru)