maven-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Richard Cross (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (MDEP-626) Cannot use in environment with Nexus IQ (or similar)
Date Fri, 31 Aug 2018 13:18:00 GMT

     [ https://issues.apache.org/jira/browse/MDEP-626?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Richard Cross updated MDEP-626:
-------------------------------
    Description: 
If running behind a proxy (e.g. Nexus, with a security vulnerability scanner (e.g. Nexus
IQ), the get command (and possibly others) fails due to a dependency on libraries deemed
"vulnerable".

 
{code:java}
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get
(default-cli) on project project1-sample: Execution default-cli of goal org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get
failed: Plugin org.apache.maven.plugins:maven-dependency-plugin:LATEST or one of its dependencies
could not be resolved: The following artifacts could not be resolved: xerces:xercesImpl:jar:2.9.1,
org.apache.struts:struts-core:jar:1.3.8: Could not transfer artifact xerces:xercesImpl:jar:2.9.1
from/to efx.nexus (https://mynexusserver/nexus/repository/maven-public/): Access denied to:
https://mynexusserver/nexus/repository/maven-public/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar
, ReasonPhrase:Requested item is quarantined. -> [Help 1]
{code}
struts2-core 1.3.8 has 4 CVEs against it - "safe" versions are 2.3.35 or 2.5.17

xercesImpl 2.9.1 has 2 CVEs and a Sonatype security warning - 2.12.0 is better, although
still problematic.

 

  was:
If running behind a proxy such as Nexus, the get command (and possibly others) fails due
to a dependency on libraries deemed "vulnerable".

 
{code:java}
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get
(default-cli) on project project1-sample: Execution default-cli of goal org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get
failed: Plugin org.apache.maven.plugins:maven-dependency-plugin:LATEST or one of its dependencies
could not be resolved: The following artifacts could not be resolved: xerces:xercesImpl:jar:2.9.1,
org.apache.struts:struts-core:jar:1.3.8: Could not transfer artifact xerces:xercesImpl:jar:2.9.1
from/to efx.nexus (https://mynexusserver/nexus/repository/maven-public/): Access denied to:
https://mynexusserver/nexus/repository/maven-public/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar
, ReasonPhrase:Requested item is quarantined. -> [Help 1]
{code}
struts2-core 1.3.8 has 4 CVEs against it - "safe" versions are 2.3.35 or 2.5.17

xercesImpl 2.9.1 has 2 CVEs and a Sonatype security warning - 2.12.0 is better, although
still problematic.

 


> Cannot use in environment with Nexus IQ (or similar)
> ----------------------------------------------------
>
>                 Key: MDEP-626
>                 URL: https://issues.apache.org/jira/browse/MDEP-626
>             Project: Maven Dependency Plugin
>          Issue Type: Dependency upgrade
>          Components: get
>    Affects Versions: 3.1.1
>            Reporter: Richard Cross
>            Priority: Major
>
> If running behind a proxy (e.g. Nexus, with a security vulnerability scanner (e.g. Nexus
IQ), the get command (and possibly others) fails due to a dependency on libraries deemed
"vulnerable".
>  
> {code:java}
> [ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get
(default-cli) on project project1-sample: Execution default-cli of goal org.apache.maven.plugins:maven-dependency-plugin:3.1.1:get
failed: Plugin org.apache.maven.plugins:maven-dependency-plugin:LATEST or one of its dependencies
could not be resolved: The following artifacts could not be resolved: xerces:xercesImpl:jar:2.9.1,
org.apache.struts:struts-core:jar:1.3.8: Could not transfer artifact xerces:xercesImpl:jar:2.9.1
from/to efx.nexus (https://mynexusserver/nexus/repository/maven-public/): Access denied to:
https://mynexusserver/nexus/repository/maven-public/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar
, ReasonPhrase:Requested item is quarantined. -> [Help 1]
> {code}
> struts2-core 1.3.8 has 4 CVEs against it - "safe" versions are 2.3.35 or 2.5.17
> xercesImpl 2.9.1 has 2 CVEs and a Sonatype security warning - 2.12.0 is better, although
still problematic.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message