From: Elliotte Rusty Harold
Date: Tue, 4 Jun 2019 06:42:22 -0400
Subject: Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
To: Maven Developers List

FYI, I took a look at the code and found it is already using both dom4j AND JDOM, even in the same class:

https://github.com/apache/maven-archetype/blob/0fd806f773354ec62c8eb40f624d78a218815506/archetype-common/src/main/java/org/apache/maven/archetype/common/DefaultPomManager.java

This is dependency bloat. Even if security issues weren't in play, I'd recommend ripping out dom4j and using JDOM exclusively.

On Tue, Jun 4, 2019 at 5:49 AM Tibor Digana wrote:
>
> Sylwester, removing dom4j and substituting by Java XML API would be the
> best choice.
> Pls then inform the guys in
> https://github.com/apache/maven-archetype/pull/28 because I think they are
> handling it in parallel with you.
> Cheers
> Tibor
>
> On Tue, Jun 4, 2019 at 8:46 AM Sylwester Lachiewicz wrote:
>
> > Hi,
> > if dom4j is problematic I can try to remove that old dependency. We use it
> > internally in 2 places (in fact almost only one simple method) - to manage
> > element in pom.xml
> >
> > Sylwester
> >
> > On Tue, 4 Jun 2019 at 09:36, Homer, Tony wrote:
> >
> > > >>But there is one thing I do not understand why such upgrade is so
> > > important for the users even if overriding the dependency in user's POM is
> > > so simple.
> > > >>Do you inherit from this project and you need dom4j as transitive
> > > dependency?
> > >
> > > I suppose you did not ask me, but I thought I'd share the background on
> > > why I proposed this change.
> > > My team maintains an eclipse product which depends on m2e which in turn
> > > depends on maven-archetype to provide dom4j.
> > > I originally proposed that m2e update to dom4j 2.1.1 [1], but because m2e
> > > gets dom4j from maven-archetype, Mickael asked me to instead request that
> > > maven-archetype update to 2.1.1.
> > > As for why I need this update, our company policy does not allow us to
> > > release software containing CVEs with CVSS v2 > 4.0. I believe that the
> > > thinking is that even if the CVE is not actionable in the specific case (as
> > > you suggested is the case here), some customers will refuse to use the
> > > software because retaining the CVE version shows poor security hygiene. In
> > > any case, I have no control over this policy.
> > > I have been working around this issue by forking m2e and updating it to
> > > use dom4j 2.1.1 myself, but I'd like to stop doing this and use the
> > > upstream version instead.
> > > In order to achieve this, I logged the issue with m2e-core and opened a PR
> > > (as mentioned above), then logged an issue with maven-archetype and opened
> > > a PR (which is essentially what we are discussing here).
> > >
> > > Tony
> > >
> > > [1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=547337
> > >
> > > On 6/3/19, 2:45 PM, "Tibor Digana" wrote:
> > >
> > >     @Mickael Istria
> > >     @Eric Lilja
> > >     @Elliotte Rusty Harold
> > >
> > >     We are the maintainers.
> > >
> > >     But there is one thing I do not understand why such upgrade is so important
> > >     for the users even if overriding the dependency in user's POM is so simple.
> > >     Do you inherit from this project and you need dom4j as transitive dependency?
> > >
> > >     Having a look in the CVE-2018-1000632
> > >     (https://www.cvedetails.com/cve/CVE-2018-1000632/), the root of security fix
> > >     in DOM4J 2.1.1 is called "XML Injection on element and attribute". The
> > >     issue talks about names of element where you pass character like "<". Do we
> > >     use such element name in this project? No! Because it is hard coded string
> > >     in our code:
> > >
> > >     .addElement( "modules" )
> > >     .addElement( "module" )
> > >
> > >     The classes of DOM4J are used in method stack and not exposed outside.
> > >     The security fix simply throws an exception in case of using "<" in qname.
> > >
> > >     The question is why the pressure is made high in maven-archetype, even if
> > >     we see that the base of the security fix cannot improve our life.
> > >
> > >     Resources:
> > >     https://www.cvedetails.com/cve/CVE-2018-1000632/
> > >     https://ihacktoprotect.com/post/dom4j-xml-injection/
> > >     https://github.com/dom4j/dom4j/issues/48
> > >
> > >     Cheers
> > >     Tibor
> > >
> > >     On Mon, Jun 3, 2019 at 7:47 PM Eric Lilja wrote:
> > >
> > >     > +1, people on old versions of Java can remain on the old version of the
> > >     > plugin. No one who is in a project where an old version of Java is still in
> > >     > use (< 8) expects to have everything else in their eco-system (3PPs, maven
> > >     > plugins etc) at bleeding edge versions. I guess many such projects are many
> > >     > versions behind on even supported releases...particularly regarding Maven
> > >     > plugins.
> > >     >
> > >     > - Eric L
> > >     >
> > >     > On Mon, Jun 3, 2019 at 7:23 PM Mickael Istria wrote:
> > >     >
> > >     > > People who don't want to update are the ones who have to pay the effort,
> > >     > > not the project that tries to ship a security fix.
> > >     > > The simplest path forward is the one provided by Tony. Customers who don't
> > >     > > want to use it can remain on previous version of the archetype plugins.
> > >     > > Other proposals to fix it are just more time-consuming without providing
> > >     > > value to Maven project.

-- 
Elliotte Rusty Harold
elharo@ibiblio.org
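The distinction Tibor draws in the thread above, element names that are constants versus data that comes from outside, is worth seeing in code. The example below is added for this archive page; it is not code from maven-archetype or from dom4j. It builds the `<modules>` section of a POM with dom4j, keeps the element names as constants as the quoted `.addElement( "modules" )` / `.addElement( "module" )` calls do, puts untrusted strings only into text nodes (which dom4j escapes on serialisation), and adds a local `isValidXmlName` guard for the one case the CVE is about: a name that is not a constant. The guard, `addElementChecked` and the class name are assumptions of this example; dom4j 2.1.1 additionally performs its own check and throws an exception on illegal name characters such as `<`, as the thread says.

```java
import org.dom4j.Document;
import org.dom4j.DocumentHelper;
import org.dom4j.Element;

/**
 * Added example (not maven-archetype or dom4j code). Shows where untrusted
 * input may and may not go when building XML with dom4j.
 */
public class ModulesBuilder {

    /** Element names are constants, as in the maven-archetype code quoted in the thread. */
    private static final String MODULES = "modules";
    private static final String MODULE = "module";

    /**
     * Adds a <modules> element listing the given module names. The names are
     * treated as untrusted data: they become text content, which dom4j
     * escapes (e.g. "<" becomes "&lt;"), and never element or attribute names.
     */
    public static Element addModules(Element project, String... moduleNames) {
        Element modules = project.addElement(MODULES);
        for (String name : moduleNames) {
            modules.addElement(MODULE).addText(name);
        }
        return modules;
    }

    /**
     * Hypothetical guard (assumption of this example) for the case the CVE
     * describes: an element name that is not a compile-time constant. Checks
     * the XML 1.0 Name production before the string reaches dom4j, so the
     * caller gets a clear error rather than relying on the library's check.
     */
    public static boolean isValidXmlName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        int first = name.codePointAt(0);
        if (!isNameStartChar(first)) {
            return false;
        }
        for (int i = Character.charCount(first); i < name.length(); ) {
            int cp = name.codePointAt(i);
            if (!isNameChar(cp)) {
                return false;
            }
            i += Character.charCount(cp);
        }
        return true;
    }

    /** NameStartChar from the XML 1.0 (5th edition) grammar. */
    private static boolean isNameStartChar(int c) {
        return c == ':' || c == '_'
            || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
            || (c >= 0xC0 && c <= 0xD6) || (c >= 0xD8 && c <= 0xF6)
            || (c >= 0xF8 && c <= 0x2FF) || (c >= 0x370 && c <= 0x37D)
            || (c >= 0x37F && c <= 0x1FFF) || (c >= 0x200C && c <= 0x200D)
            || (c >= 0x2070 && c <= 0x218F) || (c >= 0x2C00 && c <= 0x2FEF)
            || (c >= 0x3001 && c <= 0xD7FF) || (c >= 0xF900 && c <= 0xFDCF)
            || (c >= 0xFDF0 && c <= 0xFFFD) || (c >= 0x10000 && c <= 0xEFFFF);
    }

    /** NameChar = NameStartChar plus digits, '-', '.', and a few combining ranges. */
    private static boolean isNameChar(int c) {
        return isNameStartChar(c)
            || c == '-' || c == '.' || (c >= '0' && c <= '9') || c == 0xB7
            || (c >= 0x300 && c <= 0x36F) || (c >= 0x203F && c <= 0x2040);
    }

    /** Adds a child whose name comes from outside, refusing anything that is not an XML Name. */
    public static Element addElementChecked(Element parent, String untrustedName) {
        if (!isValidXmlName(untrustedName)) {
            throw new IllegalArgumentException("not a valid XML element name: " + untrustedName);
        }
        return parent.addElement(untrustedName);
    }

    public static void main(String[] args) {
        Document doc = DocumentHelper.createDocument();
        Element project = doc.addElement("project");
        // Constructed sample input: the second module name carries markup characters,
        // which end up escaped inside the text node rather than altering the tree.
        addModules(project, "core", "plugin<1>&2");
        System.out.println(doc.asXML());

        // Constructed sample: a name that is not an XML Name is rejected before dom4j sees it.
        try {
            addElementChecked(project, "module<");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile against dom4j 2.1.1 (or any 2.x) on the classpath. The practical reading of the thread is the same as the code's: a project whose element names are all string literals is not reachable by the CVE-2018-1000632 injection, and untrusted data is only safe in dom4j because it is placed in text or attribute values, not names.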