On Mon, 25 Mar 2019 11:35:04 +0100, Bradley Atkins
<[email protected]> wrote:
> All,
> When looking at forking and updating maven-source-plugin to get rid of
> its dependency on the vulnerable package - org.codehaus.plexus :
> plexus-utils

What's the vulnerability?

> I found that these packages are also using a vulnerable version of it. As
> fixing this issue would require multiple releases, can I prevail upon
> you guys to do a fix?
> org.apache.maven : maven-core 3.0
> org.apache.maven : maven-model 3.0
> org.apache.maven : maven-compat 3.0
> org.apache.maven.plugin-testing : maven-plugin-testing-harness 2.1
> org.apache.maven : maven-plugin-api 3.0

Not sure what you expect from us here. Do you expect us to patch these and
re-upload them to Maven Central?

> Incidentally, this vulnerability was found using the IntelliJ plugin for
> Snyk. These guys offer the plugin for free to open source projects.
> Given that you are providing a core service to half the industry, can I
> ask you to evaluate using it across all Apache packages as standard?
> Their vulnerability database is very well maintained.

I have contacts with Snyk, however we've never talked about this yet. I'll
inform them.

thanks,
Robert

> Regards
> Bradley Atkins
> Snyk site - https://snyk.io
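The question behind the thread is which Maven artifacts pull in an old plexus-utils, and through which path. The script below is an added example, not code from the thread, from Snyk, or from the Maven project: it parses the output of `mvn dependency:tree`, walks the tree prefixes to keep the path from the root to each node, and reports every occurrence of org.codehaus.plexus:plexus-utils whose version is below a threshold. The tree text embedded in it is constructed sample output, not a real build, and MIN_SAFE_VERSION is a placeholder (the thread never names the vulnerability or its fixed version), so set it from the advisory you are acting on.

```python
"""Audit `mvn dependency:tree` output for old plexus-utils versions.

Added example, not from the mailing-list thread or the Maven project.
Assumptions: MIN_SAFE_VERSION is a placeholder to set from the advisory;
SAMPLE_TREE is constructed, not real build output.
"""
import re
import sys
from typing import List, NamedTuple, Optional, Tuple

TARGET = "org.codehaus.plexus:plexus-utils"
MIN_SAFE_VERSION = "3.0.0"  # Assumption: placeholder; take the real value from the advisory.

# Constructed sample of `mvn dependency:tree` output (not a real build).
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ demo-plugin ---
[INFO] com.example:demo-plugin:jar:1.0.0
[INFO] +- org.apache.maven.plugins:maven-source-plugin:jar:3.0.1:compile
[INFO] |  \- org.codehaus.plexus:plexus-utils:jar:3.0.20:compile
[INFO] +- org.apache.maven:maven-core:jar:3.0:provided
[INFO] |  +- org.apache.maven:maven-model:jar:3.0:provided
[INFO] |  \- org.codehaus.plexus:plexus-utils:jar:2.0.4:provided
[INFO] \- org.apache.maven.plugin-testing:maven-plugin-testing-harness:jar:2.1:test
[INFO]    \- org.codehaus.plexus:plexus-utils:jar:1.5.5:test
"""


class Node(NamedTuple):
    depth: int
    group: str
    artifact: str
    version: str
    scope: Optional[str]


class Finding(NamedTuple):
    version: str
    scope: Optional[str]
    path: str  # "root > direct dependency > ... > plexus-utils"


# Tree lines: "[INFO] " + prefix made of "+- ", "\- ", "|  " or "   " + coordinates.
_LINE = re.compile(r"^\[INFO\] ((?:\+- |\\- |\|  |   )*)(\S+)$")


def parse_tree(text: str) -> List[Node]:
    """Turn dependency:tree lines into nodes; depth is derived from the prefix width."""
    nodes: List[Node] = []
    for line in text.strip().splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # plugin banner, blank lines, anything that is not a tree node
        prefix, coords = m.groups()
        parts = coords.split(":")
        if len(parts) == 4:      # root: groupId:artifactId:type:version
            g, a, _, v = parts
            s = None
        elif len(parts) == 5:    # groupId:artifactId:type:version:scope
            g, a, _, v, s = parts
        elif len(parts) == 6:    # groupId:artifactId:type:classifier:version:scope
            g, a, _, _, v, s = parts
        else:
            continue
        nodes.append(Node(len(prefix) // 3, g, a, v, s))  # each tree level is 3 chars wide
    return nodes


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric key for dotted versions; non-numeric qualifiers sort below the bare number.
    Assumption: this is simpler than Maven's ComparableVersion and is meant for an audit."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))


def is_older(v: str, than: str) -> bool:
    a, b = version_key(v), version_key(than)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def find_vulnerable(tree_text: str, target: str = TARGET,
                    min_safe: str = MIN_SAFE_VERSION) -> List[Finding]:
    """Report every occurrence of `target` below `min_safe`, with the path that pulls it in."""
    findings: List[Finding] = []
    stack: List[Node] = []  # ancestors of the current node, root first
    for node in parse_tree(tree_text):
        while stack and stack[-1].depth >= node.depth:
            stack.pop()
        stack.append(node)
        if f"{node.group}:{node.artifact}" == target and is_older(node.version, min_safe):
            findings.append(Finding(node.version, node.scope,
                                    " > ".join(n.artifact for n in stack)))
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for f in find_vulnerable(text):
        print(f"{TARGET} {f.version} ({f.scope}) via {f.path}")
```

Run it on a real build with `mvn dependency:tree | python audit_plexus_utils.py` (file name assumed). On the constructed sample it reports the 2.0.4 copy pulled in via maven-core and the 1.5.5 copy via maven-plugin-testing-harness, and stays quiet about the 3.0.20 copy under maven-source-plugin; the version comparison treats any non-numeric qualifier as older than the bare number, which is the conservative choice for an audit but is not Maven's full ordering.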