
Maven plugins (maven-compiler-plugin:3.8.1 and maven-surefire-plugin:3.0.0-M3) seem to be downloading multiple versions of the same dependency (plexus-utils) when running mvn clean package, even if I specify the latest version of plexus-utils in the dependencies. This doesn't cause any errors, but any version of plexus-utils prior to 3.0.16 is vulnerable to command injection. Is there a way that I can stop this from happening?

EDIT: As per the suggestion below I tried including an exclusion, but I think this is only supported for dependencies and not plugins.

    <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.8.1</version>
        <exclusions>
            <exclusion>
                <groupId>org.codehaus.plexus</groupId>
                <artifactId>plexus-utils</artifactId>
            </exclusion>
        </exclusions>
    </plugin>
smert
  • You can exclude dependencies from maven, take a look at this post. https://stackoverflow.com/questions/9119055/excluding-maven-dependencies – Willem Jan 03 '20 at 17:26
  • Are you able to specify the exact version you want using the `version` tag? – JonathanDavidArndt Jan 03 '20 at 17:26
  • @JonathanDavidArndt I am doing this, but the plugins are downloading about 10 other versions – smert Jan 03 '20 at 17:35
  • Right... this could be tricky. Especially if you have a parent POM, or other such stuff... – JonathanDavidArndt Jan 03 '20 at 17:47
  • I would just stop worrying about this ... even if a Maven plugin has a vulnerability, I would not really bother because Maven is just a build tool. – J Fabian Meier Jan 03 '20 at 19:03
  • If you found a plugin which is using an older version please file a ticket for the appropriate plugin so the Apache Maven Team can upgrade it and make a new release .... – khmarbaise Jan 04 '20 at 10:41

2 Answers


While you cannot exclude dependencies for plugins (as you can with other dependencies), you can specify the exact version that will be used for a particular plugin.

If you have a parent POM, or any other linked POMs, you may need to add this to each plugin or dependency where this is used:

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-compiler-plugin</artifactId>
    <version>3.8.1</version>
    <dependencies>
        <dependency>
            <groupId>org.codehaus.plexus</groupId>
            <artifactId>plexus-utils</artifactId>
            <version>3.0.16</version>
        </dependency>
    </dependencies>
</plugin>
JonathanDavidArndt
  • Even after specifying a version for the dependency within the plugin, it seems to still download the old versions to my machine and ignore the version I gave it... – smert Jan 03 '20 at 18:04
  • Correction: it was ignoring it because the version I specified was already downloaded. It will download the version I specify along with the versions the plugin was previously downloading – smert Jan 03 '20 at 18:15
  • You may need to run `mvn dependency:tree` (or similar) to find all the places these dependencies are being loaded from. If you have a parent POM, it will be tricky, and you will need to comb through it carefully. – JonathanDavidArndt Jan 03 '20 at 18:21
  • I ran `mvn dependency:resolve-plugins` and can see the tree here. Does this work for nested dependencies because plexus-utils seems to be a part of another dependency within the plugin's dependencies? – smert Jan 03 '20 at 18:40
  • I'm asking this because even after specifying the version for just one plugin, I get `[INFO] --- maven-compiler-plugin:3.8.1:compile (default-compile) --- Downloading: https://repo.spring.io/libs-release/org/codehaus/plexus/plexus-utils/1.5.15/plexus-utils-1.5.15.pom` in the logs – smert Jan 03 '20 at 18:42
  • I strongly discourage changing the versions of dependencies for plugins because you don't know which versions have been used (unless you take a look into the code). Also you might cause several issues by changing the dependency versions – khmarbaise Jan 03 '20 at 20:25
  • And I agree completely with @khmarbaise If you really have a requirement to upgrade this library, you will also need to upgrade ALL of the other plugins/dependencies/whatnot that use the "old" version -- in some cases, this may not be feasible, as some packages may not have upgraded yet. – JonathanDavidArndt Jan 04 '20 at 01:43
  • One more thing is: You do not control the updates/release of the plugins... – khmarbaise Jan 04 '20 at 19:40
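The answer above pins the plugin's copy of plexus-utils with a plugin-level `<dependencies>` block, and the comments show why that is fiddly: every plugin resolves its own classpath, and a `Downloading: .../plexus-utils/1.5.15/plexus-utils-1.5.15.pom` line only proves that Maven fetched that version's metadata while mediating, not that 1.5.15 ended up on any plugin's classpath. `mvn dependency:resolve-plugins` prints what was actually resolved per plugin, which is the list worth auditing. The script below is an added example, not code from the question or either answer. It parses that output (the `Plugin Resolved:` / `Plugin Dependency Resolved:` line shape is assumed from the maven-dependency-plugin's log format), reports every plugin whose resolved plexus-utils is older than the 3.0.16 floor the question uses, and prints the matching per-plugin override. The sample log and its versions are constructed for the demonstration; the version comparison is a simplified form of Maven's ordering (numeric segments, and a qualifier such as `-M3` sorting below the bare release), which is enough for plexus-utils version strings. The caveat from the comments still applies: after pinning, run the full build and test suite, because a plugin compiled against an older plexus-utils may break on a newer one.

```python
"""Audit the plexus-utils versions resolved by Maven plugins (added example).

Usage against a real build:  mvn dependency:resolve-plugins | python audit.py -
Without "-" the constructed SAMPLE_LOG below is used instead.
"""
import re
import sys

FLOOR = "3.0.16"  # first version the question treats as not vulnerable

# Constructed sample of `mvn dependency:resolve-plugins` output; versions are made up.
# Line shape is assumed from the maven-dependency-plugin's log messages.
SAMPLE_LOG = """\
[INFO] --- maven-dependency-plugin:3.1.1:resolve-plugins (default-cli) @ demo ---
[INFO] Plugin Resolved: maven-compiler-plugin-3.8.1.jar
[INFO]     Plugin Dependency Resolved: maven-plugin-api-3.0.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-2.0.4.jar
[INFO] Plugin Resolved: maven-surefire-plugin-3.0.0-M3.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-1.1.jar
[INFO] Plugin Resolved: maven-install-plugin-2.4.jar
[INFO]     Plugin Dependency Resolved: plexus-utils-3.0.16.jar
[INFO] BUILD SUCCESS
"""

PLUGIN_RE = re.compile(r"^\[INFO\]\s+Plugin Resolved: (?P<file>\S+\.jar)\s*$")
DEP_RE = re.compile(r"^\[INFO\]\s+Plugin Dependency Resolved: (?P<file>\S+\.jar)\s*$")
# artifactIds may contain hyphens, so the version starts at the first "-<digit>".
COORD_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def split_coordinate(filename):
    """'plexus-utils-2.0.4.jar' -> ('plexus-utils', '2.0.4')."""
    m = COORD_RE.match(filename)
    if not m:
        raise ValueError(f"unrecognised artifact file name: {filename}")
    return m.group("artifact"), m.group("version")


def _tokens(version):
    return [int(t) if t.isdigit() else t.lower() for t in re.split(r"[.-]", version) if t]


def _cmp_token(x, y):
    """Compare one version segment; None means that version has run out of segments."""
    if x == y:
        return 0
    if x is None:
        return -_cmp_token(y, x)
    if y is None:  # trailing numeric segment counts only if non-zero; a qualifier sorts below release
        return (1 if x > 0 else 0) if isinstance(x, int) else -1
    if isinstance(x, int) and isinstance(y, int):
        return (x > y) - (x < y)
    if isinstance(x, int):  # number beats qualifier at the same position
        return 1
    if isinstance(y, int):
        return -1
    return (x > y) - (x < y)  # simplified: qualifiers compared lexicographically


def compare_versions(a, b):
    """Return <0, 0 or >0 like a comparator; simplified Maven version ordering."""
    ta, tb = _tokens(a), _tokens(b)
    for i in range(max(len(ta), len(tb))):
        c = _cmp_token(ta[i] if i < len(ta) else None, tb[i] if i < len(tb) else None)
        if c:
            return c
    return 0


def parse_resolved_plugins(log_text):
    """Return {'<plugin-artifactId>:<version>': {dep_artifactId: version}}."""
    plugins, current = {}, None
    for line in log_text.splitlines():
        m = PLUGIN_RE.match(line)
        if m:
            artifact, version = split_coordinate(m.group("file"))
            current = f"{artifact}:{version}"
            plugins[current] = {}
            continue
        m = DEP_RE.match(line)
        if m and current is not None:
            artifact, version = split_coordinate(m.group("file"))
            plugins[current][artifact] = version
    return plugins


def find_outdated(plugins, artifact="plexus-utils", floor=FLOOR):
    """Plugins whose resolved `artifact` is older than `floor`, with the offending version."""
    return {p: deps[artifact] for p, deps in plugins.items()
            if artifact in deps and compare_versions(deps[artifact], floor) < 0}


def override_snippet(plugin, group_id="org.codehaus.plexus", artifact="plexus-utils", version=FLOOR):
    """Plugin-level <dependencies> pin, as in the answer. The plugin's groupId is not in the log;
    Maven defaults it to org.apache.maven.plugins, so add <groupId> for plugins from other groups."""
    plugin_artifact, plugin_version = plugin.split(":", 1)
    return (f"<plugin>\n  <artifactId>{plugin_artifact}</artifactId>\n"
            f"  <version>{plugin_version}</version>\n  <dependencies>\n    <dependency>\n"
            f"      <groupId>{group_id}</groupId>\n      <artifactId>{artifact}</artifactId>\n"
            f"      <version>{version}</version>\n    </dependency>\n  </dependencies>\n</plugin>")


if __name__ == "__main__":
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_LOG
    for plugin, old in find_outdated(parse_resolved_plugins(text)).items():
        print(f"{plugin} resolves plexus-utils {old} (< {FLOOR}); suggested pin:\n{override_snippet(plugin)}\n")
```

Note that `find_outdated` only sees plugins that `resolve-plugins` actually reports, so run it on the same profile and POM hierarchy the CI build uses; a parent POM that declares extra plugins will otherwise be missed, as the comments on the question warn.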

For me, I have just specified the Maven build plugin below,

spring-boot-maven-plugin

and I forced my version

<plugin>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-maven-plugin</artifactId>
    <configuration>
        <includeSystemScope>true</includeSystemScope>
    </configuration>
    <dependencies>
        <dependency>
            <groupId>commons-codec</groupId>
            <artifactId>commons-codec</artifactId>
            <version>1.14</version>
        </dependency>
    </dependencies>
</plugin>

But it was still showing the older library versions for "plexus-utils" and "commons-codec".

Then, looking at the Jenkins logs, it was actually running other plugins like

  1. maven-surefire-plugin

  2. maven-install-plugin

  3. maven-compiler-plugin

So I needed to add these plugins and force my dependency in each.

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-compiler-plugin</artifactId>
    <dependencies>
        <dependency>
            <groupId>org.codehaus.plexus</groupId>
            <artifactId>plexus-utils</artifactId>
            <version>3.3.0</version>
        </dependency>
        <dependency>
            <groupId>commons-codec</groupId>
            <artifactId>commons-codec</artifactId>
            <version>1.14</version>
        </dependency>
    </dependencies>
</plugin>
Ankur Singhal