On Tue, Feb 14, 2023 at 5:23 AM Mark Derricutt <m...@talios.com> wrote:
>
> Hey all,
>
> I was alerted the other day about a security issue with my
> clojure-maven-plugin apparently pulling in log4j 1.2, but using the
> dependency:tree plugin showed nothing.

Interesting discovery. It sounds like the security tool doesn't properly
analyze Maven classpaths, whereas the dependency:tree plugin does. If
that's so, file a bug against the security analyzer. These sorts of
false positives really reduce its functionality and make all of us less
secure.

> ```
> [ERROR] org.apache.maven:maven-compat:jar:3.0-alpha-2:compile;
> https://ossindex.sonatype.org/component/pkg:maven/org.apache.maven/maven-compat@3.0-alpha-2?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
> [ERROR] * [CVE-2021-26291] CWE-346: Origin Validation Error (9.1);
> https://ossindex.sonatype.org/vulnerability/CVE-2021-26291?component-type=maven&component-name=org.apache.maven%2Fmaven-compat&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
> ```

That's extremely old and seems unmaintained and never released. You
probably want the maven-toolchains-plugin instead.

--
Elliotte Rusty Harold
elh...@ibiblio.org

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org