
My Java app project is being managed by Maven.

My project has a few library dependencies that in turn depend on Apache Commons Collections 3.2.1, which is vulnerable - e.g. Apache Commons Configuration, Velocity, etc.

(I can see it is being used by running the mvn dependency:tree command.)

I neither wrote a single line of code using Apache Commons Collections directly nor declared a dependency on it, but it's being used anyway.

What could I do to remove this dependency and force the use of a safe version (3.2.2 or 4.1)?

For your information: JIRA Bug - Arbitrary remote code execution with InvokerTransformer

Here is the relevant part of my pom.xml; I guess there's nothing remarkable in it.

...
<dependency>
    <groupId>commons-configuration</groupId>
    <artifactId>commons-configuration</artifactId>
    <version>1.6</version>
</dependency>
<dependency>
    <groupId>org.apache.velocity</groupId>
    <artifactId>velocity</artifactId>
    <version>1.7</version>
</dependency>
...
hotohoto
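An added example, not part of the question or of any answer below: the least invasive way to force 3.2.2 for every path in the tree is a dependencyManagement entry, which Maven applies to transitive dependencies as well, so no per-dependency exclusion is needed. The coordinates are the real ones for commons-collections 3.2.2; the two direct dependencies are copied from the question unchanged.

```xml
<dependencyManagement>
  <dependencies>
    <!-- Pins the version Maven resolves for commons-collections wherever it
         appears in the tree, including transitively under commons-configuration
         and velocity. 3.2.2 is the patch release that blocks deserialization of
         the dangerous functors (InvokerTransformer and friends) by default. -->
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.2.2</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- Unchanged from the question: neither of these declares commons-collections
       directly, both pull it in transitively. -->
  <dependency>
    <groupId>commons-configuration</groupId>
    <artifactId>commons-configuration</artifactId>
    <version>1.6</version>
  </dependency>
  <dependency>
    <groupId>org.apache.velocity</groupId>
    <artifactId>velocity</artifactId>
    <version>1.7</version>
  </dependency>
</dependencies>
```

Afterwards run `mvn dependency:tree -Dincludes=commons-collections` and confirm that only 3.2.2 is listed. Two caveats: 3.2.2 is a drop-in for 3.2.1, but 4.1 is a different artifact (org.apache.commons:commons-collections4) with a different package (org.apache.commons.collections4), so declaring it does nothing for libraries compiled against 3.x; and pinning in dependencyManagement only takes effect in this POM and its children, not in other projects that consume your artifact.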

3 Answers


Unless I am missing something obvious, just specifying the dependency in your POM ought to be sufficient:

<dependencies>
  <dependency>
    <groupId>commons-collections</groupId>
    <artifactId>commons-collections</artifactId>
    <version>3.2.2</version>
  </dependency>
  ...
</dependencies>

If you specify it at the top of your <dependencies> section, it will override any other transitive inclusion of commons-collections.

Of course, you may wind up with incompatibilities where other dependencies depend on the other version, but that's what unit tests are for, right? ;-)

Federico Baù
Daniel
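Rather than relying on unit tests to notice a regression, an added example (not from this answer or the project) that makes the build itself fail if any path in the tree still resolves a commons-collections version below 3.2.2. It uses the bannedDependencies rule of the Apache maven-enforcer-plugin; the plugin version and execution id are assumptions to adjust for your project, and `(,3.2.2)` is the standard Maven version range for "anything below 3.2.2".

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <!-- assumed version; use whatever your build already pins -->
      <version>3.4.1</version>
      <executions>
        <execution>
          <!-- assumed id, purely descriptive -->
          <id>ban-vulnerable-commons-collections</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <excludes>
                  <!-- groupId:artifactId:versionRange -->
                  <exclude>commons-collections:commons-collections:(,3.2.2)</exclude>
                </excludes>
                <!-- default is true; stated explicitly because the vulnerable
                     copies arrive transitively, never as a direct dependency -->
                <searchTransitive>true</searchTransitive>
                <message>commons-collections below 3.2.2 is vulnerable to deserialization RCE (see the JIRA bug linked in the question); exclude it or pin 3.2.2.</message>
              </bannedDependencies>
            </rules>
            <fail>true</fail>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Bind this in the root POM so every module is checked. Note that the rule matches only the `commons-collections:commons-collections` coordinates; `org.apache.commons:commons-collections4` is a separate artifact and is neither banned by it nor accepted as a replacement for 3.x.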

What you need to do is exclude commons-collections from the affected dependencies and include the desired version in your dependencies directly.

Example pom.xml excerpt, assuming commons-configuration uses the vulnerable commons-collections:

    <dependency>
        <groupId>commons-configuration</groupId>
        <artifactId>commons-configuration</artifactId>
        <version>1.10</version>
        <exclusions>
            <exclusion>
                <artifactId>commons-collections</artifactId>
                <groupId>commons-collections</groupId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
        <version>3.2.2</version>
        <scope>runtime</scope>
    </dependency>

For simplicity I didn't show configuring this in a root pom.xml in the dependency-management section.

The <scope> should be set to runtime since you mentioned not using the library directly.

rudolfson
  • I am not sure that will work as intended. If you do a `mvn dependency:build-classpath` or `mvn dependency:tree`, you'll see that the dependency chain includes `commons-collections:1.10` **before** the version you really want. For your approach to work, the `<exclusions>` section should be attached to _each_ dependency that transitively includes the `commons-collections:1.10`. – Daniel Jan 08 '16 at 07:36
  • It does work as intended, but as you mention correctly, you need to exclude it from every dependency which transitively includes `commons-collections`. Your approach is much shorter, but I prefer the explicity of mine. – rudolfson Jan 08 '16 at 10:34

I've added these lines to my pom.xml, but commons-collections 3.2 is still getting downloaded.

<dependencies>
    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-collections4</artifactId>
        <version>4.1</version>
    </dependency>
    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-lang3</artifactId>
        <version>${apachecommonslang.version}</version>
        <exclusions>
            <exclusion>
                <artifactId>commons-collections</artifactId>
                <groupId>commons-collections</groupId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>commons-dbcp</groupId>
        <artifactId>commons-dbcp</artifactId>
        <version>${dbcp.version}</version>
        <exclusions>
            <exclusion>
                <artifactId>commons-collections</artifactId>
                <groupId>commons-collections</groupId>
            </exclusion>
        </exclusions>
    </dependency>
</dependencies>
Maheshwar Ligade
sophie
  • I guess it's because `commons-collections4` is a different artifact as far as the `maven` dependency checker is concerned. – hotohoto Feb 17 '16 at 03:38
  • I have this issue, too. But maven says 3.2.2 has been moved to v4. There is no more version 3.x out there. Having v4 in dependencyManagement tag doesn't solve the complaint. So what to do now? – Arthur Eirich Aug 09 '23 at 13:23