
I have a Spring Boot project with Maven. The pom.xml for a certain service looks like this:

        [...]
        <dependency>
          <groupId>org.springframework.boot</groupId>
          <artifactId>spring-boot-maven-plugin</artifactId>
        </dependency>
        <dependency>
          <groupId>org.codehaus.mojo</groupId>
          <artifactId>exec-maven-plugin</artifactId>
        </dependency>

        [...]

      <build>
        <plugins>
          <plugin>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-maven-plugin</artifactId>
            <version>${version.spring-boot-maven-plugin}</version>
            <executions>
              <execution>
                <goals>
                  <goal>repackage</goal>
                </goals>
              </execution>
            </executions>
          </plugin>

          [...]

          <plugin>
            <groupId>org.codehaus.mojo</groupId>
            <artifactId>exec-maven-plugin</artifactId>
            <version>${version.org.codehaus.mojo}</version>
            <executions>
              <execution>
                <id>Run-SQL-create</id>
                <phase>process-classes</phase>
                <goals>
                  <goal>java</goal>
                </goals>
              </execution>
            </executions>
            <configuration>
              <mainClass>[...].CreateSQLSeedingFile</mainClass>
              <arguments></arguments>
            </configuration>
          </plugin>
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-compiler-plugin</artifactId>
            <version>${version.maven-compiler-plugin}</version>
            <configuration>
              <source>11</source>
              <target>11</target>
              <annotationProcessorPaths>
                <path>
                  <groupId>org.projectlombok</groupId>
                  <artifactId>lombok-mapstruct-binding</artifactId>
                  <version>${version.lombok-mapstruct-binding}</version>
                </path>
                <path>
                  <groupId>org.mapstruct</groupId>
                  <artifactId>mapstruct-processor</artifactId>
                  <version>${version.mapstruct-processor}</version>
                </path>
                <path>
                  <groupId>org.projectlombok</groupId>
                  <artifactId>lombok</artifactId>
                  <version>${version.org.projectlombok}</version>
                </path>
              </annotationProcessorPaths>
            </configuration>
          </plugin>
        </plugins>
      </build>
      [...]

    </project>

I ran dependency-check-maven to scan for vulnerabilities. It found CVE-2021-26291. Using `mvn dependency:tree` I found that it is inside the exec-maven-plugin. In the details it mentions:

If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior

However, we do not have a repository manager (it's just a small project). And I cannot upgrade the version, since the dependency exec-maven-plugin is already at the latest version, 3.0.0.

Now when I remove the dependency completely (not even sure what I'd have to solve then!) it finds the same vulnerability in maven-core-3.1.1 inside spring-boot-maven-plugin. Here the same goes: it is already at the latest version, 2.6.2.

Is there a way to fix this vulnerability without using a repository manager?

Chai
  • You seem to have misunderstood the CVE... it's related to Maven itself. You should use Maven in a version higher than 3.8.1 (I recommend using the most recent one) to prevent automatic resolution from repositories which do not use https. This is not related to the dependencies (maven-core for example), which are related to the compatibility of Maven plugins in such a case... – khmarbaise Dec 28 '21 at 14:03
  • Ahh okay, thanks! I am using 3.8.2. So then this should be a non-issue? Why then does the dependency-check-maven plugin list it as a high vulnerability? – Chai Dec 28 '21 at 14:05
  • First, use the more recent version 3.8.4... I also recommend using a repository manager. Apart from that I can't tell you. You should ask the maintainers/authors of dependency-check-maven (from my perspective this is not correct). – khmarbaise Dec 28 '21 at 14:09
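The comments above make the point that CVE-2021-26291 is about the Maven runtime following plain `http://` repository URLs declared in POMs (including POMs of transitive dependencies), not about the plugin artifacts that dependency-check attributed it to. Two things a practitioner can verify locally, besides checking `mvn -v`, are whether any POM in the build still declares an `http://` repository and whether the Maven installation's settings.xml carries the blocking mirror (`maven-default-http-blocker`, `mirrorOf` set to `external:http:*` with `blocked` true) that Maven 3.8.1 and later ship by default. The following script is an added example, not code from the question or from the Maven or dependency-check projects; the POM and settings documents in it are constructed for the example, and the repository host `plugins.example.test` is a placeholder.

```python
"""Local checks for the plain-HTTP repository exposure behind CVE-2021-26291.

Maven before 3.8.1 resolved artifacts from <repository>/<pluginRepository>
URLs using http:// that any POM in the dependency graph declared. Maven 3.8.1+
ships a mirror named "maven-default-http-blocker" in its default settings.xml
that refuses all external http:// repositories. The checks below inspect a POM
for http:// repositories and a settings.xml for that blocking mirror. All
sample documents are constructed for this example.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def _local(tag):
    """Strip the XML namespace from an element tag ('{ns}url' -> 'url')."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Return the stripped text of the first direct child named `name`, or None."""
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def find_http_repositories(pom_xml):
    """Return [(kind, id, url)] for every repository-like element whose URL
    uses plain http. Covers <repositories>, <pluginRepositories> and
    <distributionManagement>, including those nested inside <profiles>."""
    root = ET.fromstring(pom_xml)
    hits = []
    for elem in root.iter():
        kind = _local(elem.tag)
        if kind not in ("repository", "pluginRepository", "snapshotRepository"):
            continue
        url = _child_text(elem, "url")
        if url is None:
            continue
        if urlsplit(url).scheme.lower() == "http":
            hits.append((kind, _child_text(elem, "id") or "<no id>", url))
    return hits


def has_http_blocker(settings_xml):
    """True if settings.xml contains the Maven 3.8.1+ style mirror that blocks
    every external http:// repository (mirrorOf external:http:* and blocked=true)."""
    root = ET.fromstring(settings_xml)
    for elem in root.iter():
        if _local(elem.tag) != "mirror":
            continue
        mirror_of = _child_text(elem, "mirrorOf") or ""
        blocked = (_child_text(elem, "blocked") or "false").lower() == "true"
        if mirror_of == "external:http:*" and blocked:
            return True
    return False


# Constructed POM: an https repository plus a legacy http plugin repository in a profile.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1</version>
  <repositories>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
  </repositories>
  <profiles>
    <profile>
      <id>legacy</id>
      <pluginRepositories>
        <pluginRepository><id>old-plugins</id><url>http://plugins.example.test/maven2</url></pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
</project>
"""

# Constructed settings.xml with the blocking mirror as Maven 3.8.1+ defines it.
SAMPLE_SETTINGS_BLOCKING = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>maven-default-http-blocker</id>
      <mirrorOf>external:http:*</mirrorOf>
      <url>http://0.0.0.0/</url>
      <blocked>true</blocked>
    </mirror>
  </mirrors>
</settings>
"""

# Constructed settings.xml of an older installation with no blocking mirror.
SAMPLE_SETTINGS_LEGACY = "<settings><mirrors/></settings>"

if __name__ == "__main__":
    for kind, repo_id, url in find_http_repositories(SAMPLE_POM):
        print(f"plain-http {kind} '{repo_id}': {url}")
    print("blocker present (3.8.1+ settings):", has_http_blocker(SAMPLE_SETTINGS_BLOCKING))
    print("blocker present (legacy settings):", has_http_blocker(SAMPLE_SETTINGS_LEGACY))
```

Run `find_http_repositories` over the output of `mvn help:effective-pom` as well as the project's own pom.xml, since the effective POM includes repositories inherited from parent POMs; the blocker check is most useful against `$MAVEN_HOME/conf/settings.xml`, because a user-level `~/.m2/settings.xml` that redefines `<mirrors>` does not remove the global one.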

0 Answers