
Small question regarding CVE-2021-26291 on maven-core-3.0.jar and maven-core-3.1.0.jar, please.

On a very simple project, with the pom file below (please feel free to copy-paste):

Maven version is: Apache Maven 3.6.3

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.6.5</version>
        <relativePath/>
    </parent>

    <groupId>org.example</groupId>
    <artifactId>cvequestion</artifactId>
    <version>1.0-SNAPSHOT</version>
    <packaging>pom</packaging>

    <properties>
        <java.version>11</java.version>
        <maven.compiler.source>11</maven.compiler.source>
        <maven.compiler.target>11</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <project.type>application</project.type>
        <sonar.java.coveragePlugin>jacoco</sonar.java.coveragePlugin>
        <sonar.java.libraries>target/</sonar.java.libraries>
        <sonar.junit.reportsPaths>target/reports/junit</sonar.junit.reportsPaths>
        <sonar.language>java</sonar.language>
    </properties>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>2021.0.1</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-webflux</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-cassandra-reactive</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-kubernetes-fabric8</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-config-client</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-sleuth</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-sleuth-zipkin</artifactId>
        </dependency>
        <dependency>
            <groupId>io.projectreactor.netty</groupId>
            <artifactId>reactor-netty-http-brave</artifactId>
        </dependency>
        <dependency>
            <groupId>io.micrometer</groupId>
            <artifactId>micrometer-registry-prometheus</artifactId>
        </dependency>
        <dependency>
            <groupId>io.github.resilience4j</groupId>
            <artifactId>resilience4j-micrometer</artifactId>
        </dependency>
        <dependency>
            <groupId>io.github.resilience4j</groupId>
            <artifactId>resilience4j-reactor</artifactId>
        </dependency>
        <dependency>
            <groupId>io.github.resilience4j</groupId>
            <artifactId>resilience4j-spring-boot2</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-contract-verifier</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.junit.jupiter</groupId>
            <artifactId>junit-jupiter</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.mockito</groupId>
            <artifactId>mockito-core</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>com.lmax</groupId>
            <artifactId>disruptor</artifactId>
            <version>3.4.4</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.statemachine</groupId>
            <artifactId>spring-statemachine-core</artifactId>
            <version>3.0.1</version>
        </dependency>
        <dependency>
            <groupId>net.logstash.logback</groupId>
            <artifactId>logstash-logback-encoder</artifactId>
            <version>7.0.1</version>
        </dependency>
        <dependency>
            <groupId>de.codecentric</groupId>
            <artifactId>spring-boot-admin-starter-client</artifactId>
            <version>2.6.2</version>
        </dependency>
        <dependency>
            <groupId>org.springdoc</groupId>
            <artifactId>springdoc-openapi-webflux-ui</artifactId>
            <version>1.6.6</version>
        </dependency>
        <dependency>
            <groupId>io.github.hakky54</groupId>
            <artifactId>sslcontext-kickstart-for-netty</artifactId>
            <version>7.3.0</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
                <configuration>
                    <testFailureIgnore>true</testFailureIgnore>
                    <reportsDirectory>target/reports/junit</reportsDirectory>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-javadoc-plugin</artifactId>
                <configuration>
                    <outputDirectory>target/javadoc</outputDirectory>
                    <reportOutputDirectory>target/javadoc</reportOutputDirectory>
                    <javadocExecutable>${java.home}/bin/javadoc</javadocExecutable>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>javadoc</goal>
                        </goals>
                        <phase>site</phase>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                <groupId>org.sonarsource.scanner.maven</groupId>
                <artifactId>sonar-maven-plugin</artifactId>
                <version>3.9.1.2184</version>
                <dependencies>
                    <dependency>
                        <groupId>org.codehaus.woodstox</groupId>
                        <artifactId>woodstox-core-asl</artifactId>
                        <version>4.4.1</version>
                    </dependency>
                </dependencies>
            </plugin>
            <plugin>
                <groupId>com.github.spotbugs</groupId>
                <artifactId>spotbugs-maven-plugin</artifactId>
                <version>4.5.3.0</version>
                <configuration>
                    <outputDirectory>target/reports/findbugs</outputDirectory>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-pmd-plugin</artifactId>
                <version>3.16.0</version>
                <configuration>
                    <targetDirectory>.out/reports/pmd</targetDirectory>
                    <outputDirectory>target/reports/pmd</outputDirectory>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-checkstyle-plugin</artifactId>
                <version>3.1.2</version>
                <configuration>
                    <outputFile>.out/reports/checkstyle/checkstyle-result.xml</outputFile>
                    <outputDirectory>target/reports/checkstyle</outputDirectory>
                    <outputFileFormat>xml</outputFileFormat>
                </configuration>
                <dependencies>
                    <dependency>
                        <groupId>com.puppycrawl.tools</groupId>
                        <artifactId>checkstyle</artifactId>
                        <version>10.0</version>
                    </dependency>
                </dependencies>
            </plugin>
            <plugin>
                <groupId>org.jacoco</groupId>
                <artifactId>jacoco-maven-plugin</artifactId>
                <version>0.8.7</version>
                <configuration>
                    <append>true</append>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>prepare-agent</goal>
                        </goals>
                    </execution>
                    <execution>
                        <id>report</id>
                        <phase>verify</phase>
                        <goals>
                            <goal>report</goal>
                            <goal>report-aggregate</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                <groupId>org.pitest</groupId>
                <artifactId>pitest-maven</artifactId>
                <version>1.7.5</version>
                <configuration>
                    <withHistory>true</withHistory>
                    <threads>16</threads>
                    <outputFormats>
                        <param>XML</param>
                        <param>HTML</param>
                    </outputFormats>
                    <mutators>
                        <mutator>CONDITIONALS_BOUNDARY</mutator>
                        <mutator>INCREMENTS</mutator>
                        <mutator>INVERT_NEGS</mutator>
                        <mutator>MATH</mutator>
                        <mutator>NEGATE_CONDITIONALS</mutator>
                        <mutator>EMPTY_RETURNS</mutator>
                        <mutator>FALSE_RETURNS</mutator>
                        <mutator>TRUE_RETURNS</mutator>
                        <mutator>PRIMITIVE_RETURNS</mutator>
                        <mutator>REMOVE_INCREMENTS</mutator>
                        <mutator>EXPERIMENTAL_BIG_INTEGER</mutator>
                        <mutator>EXPERIMENTAL_MEMBER_VARIABLE</mutator>
                        <mutator>EXPERIMENTAL_SWITCH</mutator>
                    </mutators>
                </configuration>
                <dependencies>
                    <dependency>
                        <groupId>org.pitest</groupId>
                        <artifactId>pitest-junit5-plugin</artifactId>
                        <version>0.15</version>
                    </dependency>
                </dependencies>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-site-plugin</artifactId>
                <version>3.11.0</version>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-project-info-reports-plugin</artifactId>
                <version>3.2.2</version>
            </plugin>
        </plugins>
    </build>

    <reporting>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-jxr-plugin</artifactId>
                <version>3.2.0</version>
            </plugin>
        </plugins>
    </reporting>

</project>

I am running a static analysis which will find CVEs.

In my case, CVE-2021-26291 on maven-core-3.0.jar and maven-core-3.1.0.jar was found.

Quite surprised about the result, because I am not using any of those maven-core jars.

I then ran the command mvn clean install dependency:tree -X in order to troubleshoot the issue. (Please feel free to run the same; the issue is 100% reproducible.)

It seems from the tree:

[INFO] --- jacoco-maven-plugin:0.8.7:prepare-agent (default) @ cvequestion ---
[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=146555, ConflictMarker.markTime=114395, ConflictMarker.nodeCount=94, ConflictIdSorter.graphTime=72340, ConflictIdSorter.topsortTime=57819, ConflictIdSorter.conflictIdCount=40, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=852861, ConflictResolver.conflictItemCount=87, DefaultDependencyCollector.collectTime=267858813, DefaultDependencyCollector.transformTime=1327133}
[DEBUG] org.jacoco:jacoco-maven-plugin:jar:0.8.7
[DEBUG]    org.apache.maven:maven-plugin-api:jar:3.0:compile
[DEBUG]       org.apache.maven:maven-model:jar:3.0:compile
[DEBUG]       org.apache.maven:maven-artifact:jar:3.0:compile
[DEBUG]       org.sonatype.sisu:sisu-inject-plexus:jar:1.4.2:compile
[DEBUG]          org.sonatype.sisu:sisu-inject-bean:jar:1.4.2:compile
[DEBUG]             org.sonatype.sisu:sisu-guice:jar:noaop:2.1.7:compile
[DEBUG]    org.apache.maven:maven-core:jar:3.0:compile

What I tried is to add the latest maven-core, 3.8.5 (the latest as of this writing, March 2022), in both the plugin and dependency blocks of the pom, but I still see those two particular versions, as well as the CVEs.

May I ask why they are in my dependencies, please?

Most of all, how do I fix this technical issue, please?

Thank you

PatPanda
  • What does `mvn --version` say? – Stephen C Mar 28 '22 at 07:29
  • Apache Maven 3.6.3, version added, I should have added in the first place! Thanks! – PatPanda Mar 28 '22 at 07:30
  • The thing is that the jacoco-maven-plugin defines dependencies on maven-plugin-api etc. at version 3.0, which means it is compatible down to Maven 3.0... which is fine... The problem here is that the CVE describes the problem of using http instead of https, which is only related to using a Maven version less than 3.8.1, which is unrelated to the usage of a dependency for Maven plugins... – khmarbaise Mar 28 '22 at 07:42
  • Thanks @khmarbaise for the clear answer. Is there a way to remove this dependency? Or to use a higher version of the dependency? Or to prevent it from being flagged? – PatPanda Mar 28 '22 at 07:45
  • First, you cannot remove the dependency because it is used by the jacoco-maven-plugin. Using higher versions could result in failures (I strongly recommend **NOT** to do that)... Preventing flagging can only be configured in your security scanning software... I would recommend opening an issue at the plugin's site and maybe offering a PR to solve the problem... – khmarbaise Mar 28 '22 at 07:49
  • I will definitely take your advice. Just for my own knowledge, how do I force the higher version, please? I would like to give it a try – PatPanda Mar 28 '22 at 07:53

1 Answer

The real problem in this case is that those scanning tools analyse the plugins as well, which is simply wrong, because they do not become part of the resulting artifacts. Also, the usage of an artifact such as maven-core (defined as a dependency of a plugin) does not have the same consequence as using Maven (3.0.5) on the command line.

The reported issue is related to org.apache.maven:maven-core:jar:3.0:compile, which is needed as a dependency by a plugin to define the API (more accurately: org.apache.maven:maven-plugin-api:jar:3.0:compile), which defines the lowest version of Maven the plugin will support.

The reported CVE is related to the problem that if a pom file contains a repository which uses http instead of https, it can be used to introduce malicious artifacts. This has been fixed in Maven 3.8.2+, but it is unrelated to the usage of maven-core/maven-plugin-api as artifacts for plugin development.

khmarbaise
  • Understood, thank you! Is there really no way to fix it on my end, rather than relying on the implementer of the plugin? – PatPanda Mar 29 '22 at 04:29
  • Technically you can try to upgrade those dependencies of the plugin, but I bet that it will fail because there have been several internal changes in the API etc. The author of the plugin has defined its compatibility that way, and finally it's an issue of the scanning software, which does not handle that correctly. – khmarbaise Mar 29 '22 at 07:36
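A practical follow-up to the answer above, as an added example (not the asker's or khmarbaise's code): the precondition for CVE-2021-26291 is a repository declared over plain http, so rather than chasing maven-core 3.0 in the plugin's classpath, the useful check is whether your own POM (including its profiles) actually declares such a repository. The sample POM and the example.test hostnames below are constructed for illustration.

```python
"""Find repository URLs in a POM that are served over plain http,
the condition CVE-2021-26291 is about (Maven < 3.8.1 downloads from them)."""
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Element paths whose <url> child Maven uses to fetch artifacts or plugins.
REPO_PATHS = (
    "repositories/repository",
    "pluginRepositories/pluginRepository",
    "profiles/profile/repositories/repository",
    "profiles/profile/pluginRepositories/pluginRepository",
)


def _q(path):
    """Qualify each step of a slash-separated path with the POM namespace."""
    return "/".join(POM_NS + step for step in path.split("/"))


def insecure_repositories(pom_xml):
    """Return [(repository id, url)] for every repository declared over http."""
    root = ET.fromstring(pom_xml)
    findings = []
    for path in REPO_PATHS:
        for repo in root.findall(_q(path)):
            rid = repo.findtext(POM_NS + "id", default="(no id)")
            url = (repo.findtext(POM_NS + "url") or "").strip()
            if url.lower().startswith("http://"):
                findings.append((rid, url))
    return findings


# Constructed sample POM: one https repository (fine), one http plugin
# repository, and one http repository hidden inside a profile.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <repositories>
    <repository><id>ok</id><url>https://repo.example.test/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins-http</id><url>http://repo.example.test/plugins</url></pluginRepository>
  </pluginRepositories>
  <profiles>
    <profile><id>legacy</id><repositories>
      <repository><id>legacy-http</id><url>http://legacy.example.test/m2</url></repository>
    </repositories></profile>
  </profiles>
</project>"""

if __name__ == "__main__":
    for rid, url in insecure_repositories(SAMPLE_POM):
        print(f"insecure repository {rid!r}: {url}")
```

Run it against the real pom.xml (and any parent POM you control) with `insecure_repositories(open("pom.xml").read())`; an empty result means the CVE's precondition is absent from the POM itself, and the remaining exposure is the Maven version on the command line, not the plugin's classpath.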