[ https://issues.apache.org/jira/browse/MWAR-456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17615374#comment-17615374 ]

Brent Shikoski commented on MWAR-456:
-------------------------------------

I believe it is fixed on master; the version of maven-shared-utils was upgraded to 3.3.4, which is the latest.

> Latest maven-war-plugin causing vulnerable .jars to be downloaded
> -----------------------------------------------------------------
>
>                 Key: MWAR-456
>                 URL: https://issues.apache.org/jira/browse/MWAR-456
>             Project: Maven WAR Plugin
>          Issue Type: Bug
>    Affects Versions: 3.3.2
>         Environment: Linux, Windows
>            Reporter: Joseph Angotti
>            Priority: Blocker
>             Fix For: waiting-for-feedback
>
>         Attachments: Console-Log-Edit.JPG
>
>   Original Estimate: 60h
>  Remaining Estimate: 60h
>
> We are planning to upgrade our project's parent pom.xml file to use
> maven-war-plugin 3.3.2, which is the latest version, but somehow it is
> causing 2 vulnerable .jar files, plexus-utils-2.0.5.jar, and
> maven-shared-utils-3.2.1.jar, to download from our JFrog Artifactory
> repository when it shouldn't be. Other versions of the maven-war-plugin seem
> to result in the same issue.
> Is there someone available who can assist with this issue as soon as
> possible? Our development efforts are currently blocked because of this
> issue. We need to be able to upgrade to the latest version of the
> maven-war-plugin and prevent vulnerable .jar files from being downloaded as
> soon as possible before our remediation deadline in a few weeks. Thank you
> (see the maven console logs attached for more details).

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
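Until a release of maven-war-plugin that contains the master fix is published, a project can pin the plugin's transitive dependencies itself. The fragment below is an added example for this ticket, not code from the reporter or from the Maven WAR Plugin project: it uses Maven's standard mechanism of declaring dependencies under `<plugin><dependencies>`, which take the place of the versions the plugin declares on its own classpath. The maven-shared-utils version 3.3.4 is the one the comment above reports master was upgraded to; `PLEXUS_UTILS_FIXED_VERSION` is a placeholder, because the ticket names plexus-utils 2.0.5 as the flagged artifact but no replacement version, so the value must be chosen from the project's own vulnerability scanner results.

```xml
<!-- Added example (not from the MWAR-456 ticket or the plugin project):
     pin the plugin-classpath dependencies of maven-war-plugin 3.3.2 so the
     versions flagged in the ticket are no longer resolved from the
     repository. Maven resolves dependencies listed under
     <plugin><dependencies> in place of the versions the plugin itself
     declares, and only for that plugin's classpath. -->
<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-war-plugin</artifactId>
        <version>3.3.2</version>
        <dependencies>
          <!-- 3.3.4: the version the comment reports master was upgraded to -->
          <dependency>
            <groupId>org.apache.maven.shared</groupId>
            <artifactId>maven-shared-utils</artifactId>
            <version>3.3.4</version>
          </dependency>
          <!-- PLEXUS_UTILS_FIXED_VERSION is a placeholder (assumption): the
               ticket flags 2.0.5 but does not say which version replaces it -->
          <dependency>
            <groupId>org.codehaus.plexus</groupId>
            <artifactId>plexus-utils</artifactId>
            <version>PLEXUS_UTILS_FIXED_VERSION</version>
          </dependency>
        </dependencies>
      </plugin>
    </plugins>
  </pluginManagement>
</build>
```

To confirm the override took effect, run `mvn dependency:resolve-plugins` in the project and check that the maven-war-plugin entry lists the pinned versions rather than plexus-utils 2.0.5 and maven-shared-utils 3.2.1; the same check is worth repeating after the fixed plugin release is adopted and the override is removed again, since a plugin-level pin only covers the one plugin it is declared on.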