Java CVE-2021-26291 on maven-core-3.0.jar maven-core-3.1.0.jar
[英]Java CVE-2021-26291 on maven-core-3.0.jar maven-core-3.1.0.jar
问题描述
Small question regarding CVE-2021-26291 on maven-core-3.0.jar maven-core-3.1.0.jar please.
关于 maven-core-3.0.jar maven-core-3.1.0.jar 上的 CVE-2021-26291 的小问题。
On a very simple project, which pom file below (please feel free to copy paste)一个很简单的项目,下面是哪个pom文件(请随意复制粘贴)
Maven versin is: Apache Maven 3.6.3 Maven versin 是:Apache Maven 3.6.3
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.6.5</version>
<relativePath/>
</parent>
<groupId>org.example</groupId>
<artifactId>cvequestion</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>pom</packaging>
<properties>
<java.version>11</java.version>
<maven.compiler.source>11</maven.compiler.source>
<maven.compiler.target>11</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<project.type>application</project.type>
<sonar.java.coveragePlugin>jacoco</sonar.java.coveragePlugin>
<sonar.java.libraries>target/</sonar.java.libraries>
<sonar.junit.reportsPaths>target/reports/junit</sonar.junit.reportsPaths>
<sonar.language>java</sonar.language>
</properties>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>2021.0.1</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-webflux</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-cassandra-reactive</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-kubernetes-fabric8</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-config-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-sleuth</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-sleuth-zipkin</artifactId>
</dependency>
<dependency>
<groupId>io.projectreactor.netty</groupId>
<artifactId>reactor-netty-http-brave</artifactId>
</dependency>
<dependency>
<groupId>io.micrometer</groupId>
<artifactId>micrometer-registry-prometheus</artifactId>
</dependency>
<dependency>
<groupId>io.github.resilience4j</groupId>
<artifactId>resilience4j-micrometer</artifactId>
</dependency>
<dependency>
<groupId>io.github.resilience4j</groupId>
<artifactId>resilience4j-reactor</artifactId>
</dependency>
<dependency>
<groupId>io.github.resilience4j</groupId>
<artifactId>resilience4j-spring-boot2</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-contract-verifier</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.lmax</groupId>
<artifactId>disruptor</artifactId>
<version>3.4.4</version>
</dependency>
<dependency>
<groupId>org.springframework.statemachine</groupId>
<artifactId>spring-statemachine-core</artifactId>
<version>3.0.1</version>
</dependency>
<dependency>
<groupId>net.logstash.logback</groupId>
<artifactId>logstash-logback-encoder</artifactId>
<version>7.0.1</version>
</dependency>
<dependency>
<groupId>de.codecentric</groupId>
<artifactId>spring-boot-admin-starter-client</artifactId>
<version>2.6.2</version>
</dependency>
<dependency>
<groupId>org.springdoc</groupId>
<artifactId>springdoc-openapi-webflux-ui</artifactId>
<version>1.6.6</version>
</dependency>
<dependency>
<groupId>io.github.hakky54</groupId>
<artifactId>sslcontext-kickstart-for-netty</artifactId>
<version>7.3.0</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<testFailureIgnore>true</testFailureIgnore>
<reportsDirectory>target/reports/junit</reportsDirectory>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<configuration>
<outputDirectory>target/javadoc</outputDirectory>
<reportOutputDirectory>target/javadoc</reportOutputDirectory>
<javadocExecutable>${java.home}/bin/javadoc</javadocExecutable>
</configuration>
<executions>
<execution>
<goals>
<goal>javadoc</goal>
</goals>
<phase>site</phase>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.sonarsource.scanner.maven</groupId>
<artifactId>sonar-maven-plugin</artifactId>
<version>3.9.1.2184</version>
<dependencies>
<dependency>
<groupId>org.codehaus.woodstox</groupId>
<artifactId>woodstox-core-asl</artifactId>
<version>4.4.1</version>
</dependency>
</dependencies>
</plugin>
<plugin>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-maven-plugin</artifactId>
<version>4.5.3.0</version>
<configuration>
<outputDirectory>target/reports/findbugs</outputDirectory>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.16.0</version>
<configuration>
<targetDirectory>.out/reports/pmd</targetDirectory>
<outputDirectory>target/reports/pmd</outputDirectory>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>3.1.2</version>
<configuration>
<outputFile>.out/reports/checkstyle/checkstyle-result.xml</outputFile>
<outputDirectory>target/reports/checkstyle</outputDirectory>
<outputFileFormat>xml</outputFileFormat>
</configuration>
<dependencies>
<dependency>
<groupId>com.puppycrawl.tools</groupId>
<artifactId>checkstyle</artifactId>
<version>10.0</version>
</dependency>
</dependencies>
</plugin>
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>0.8.7</version>
<configuration>
<append>true</append>
</configuration>
<executions>
<execution>
<goals>
<goal>prepare-agent</goal>
</goals>
</execution>
<execution>
<id>report</id>
<phase>verify</phase>
<goals>
<goal>report</goal>
<goal>report-aggregate</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.pitest</groupId>
<artifactId>pitest-maven</artifactId>
<version>1.7.5</version>
<configuration>
<withHistory>true</withHistory>
<threads>16</threads>
<outputFormats>
<param>XML</param>
<param>HTML</param>
</outputFormats>
<mutators>
<mutator>CONDITIONALS_BOUNDARY</mutator>
<mutator>INCREMENTS</mutator>
<mutator>INVERT_NEGS</mutator>
<mutator>MATH</mutator>
<mutator>NEGATE_CONDITIONALS</mutator>
<mutator>EMPTY_RETURNS</mutator>
<mutator>FALSE_RETURNS</mutator>
<mutator>TRUE_RETURNS</mutator>
<mutator>PRIMITIVE_RETURNS</mutator>
<mutator>REMOVE_INCREMENTS</mutator>
<mutator>EXPERIMENTAL_BIG_INTEGER</mutator>
<mutator>EXPERIMENTAL_MEMBER_VARIABLE</mutator>
<mutator>EXPERIMENTAL_SWITCH</mutator>
</mutators>
</configuration>
<dependencies>
<dependency>
<groupId>org.pitest</groupId>
<artifactId>pitest-junit5-plugin</artifactId>
<version>0.15</version>
</dependency>
</dependencies>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<version>3.11.0</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>3.2.2</version>
</plugin>
</plugins>
</build>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>3.2.0</version>
</plugin>
</plugins>
</reporting>
</project>
I am running a static analysis which will find CVEs.我正在运行 static 分析,它将找到 CVE。
In my case, the CVE-2021-26291 on maven-core-3.0.jar maven-core-3.1.0.jar was found.就我而言,在 maven-core-3.0.jar maven-core-3.1.0.jar 上找到了 CVE-2021-26291。
Quite surprised about the result, because I am not using any of those maven core jars.对结果感到非常惊讶,因为我没有使用任何 maven 核心 jars。
I then run the command mvn clean install dependency:tree -X in order to troubleshoot the issue.然后我运行命令mvn clean install dependency:tree -X以解决问题。 (Please feel free to run the same, issue is 100% reproducible) (请随意运行相同的问题,问题是 100% 可重现的)
It seems from the three:从三者看来:
[INFO] --- jacoco-maven-plugin:0.8.7:prepare-agent (default) @ cvequestion ---
[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=146555, ConflictMarker.markTime=114395, ConflictMarker.nodeCount=94, ConflictIdSorter.graphTime=72340, ConflictIdSorter.topsortTime=57819, ConflictIdSorter.conflictIdCount=40, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=852861, ConflictResolver.conflictItemCount=87, DefaultDependencyCollector.collectTime=267858813, DefaultDependencyCollector.transformTime=1327133}
[DEBUG] org.jacoco:jacoco-maven-plugin:jar:0.8.7
[DEBUG] org.apache.maven:maven-plugin-api:jar:3.0:compile
[DEBUG] org.apache.maven:maven-model:jar:3.0:compile
[DEBUG] org.apache.maven:maven-artifact:jar:3.0:compile
[DEBUG] org.sonatype.sisu:sisu-inject-plexus:jar:1.4.2:compile
[DEBUG] org.sonatype.sisu:sisu-inject-bean:jar:1.4.2:compile
[DEBUG] org.sonatype.sisu:sisu-guice:jar:noaop:2.1.7:compile
[DEBUG] org.apache.maven:maven-core:jar:3.0:compile
What I tried to do, is even to add the latest maven core 3.8.5 (latest as of this writing March 2022), in both the plugin and dependency block of the pom, but still seeing those two particular versions, as well as the CVEs.我试图做的,甚至是在 pom 的插件和依赖块中添加最新的 maven 核心 3.8.5(截至撰写本文时为 2022 年 3 月的最新版本),但仍然看到这两个特定版本,以及CVE。
May I ask, why are they in my dependency please?请问,为什么他们在我的依赖下?
Most of all, how do I fix this technical issue please?最重要的是,我该如何解决这个技术问题?
Thank you谢谢
1 个解决方案
解决方案1
1 已采纳 2022-03-28 17:00:31
The real problem in this case is that those scanning tools analysing the plugins as well which is simply wrong, because they become not part of the resulting artifacts.在这种情况下,真正的问题是那些分析插件的扫描工具是完全错误的,因为它们不是结果工件的一部分。 Also does the usage (defining as a dependency of plugin) of an artifact maven-core has not the same consequence as using Maven (3.0.5) on command line.工件 maven-core 的使用(定义为插件的依赖项)也与在命令行上使用 Maven (3.0.5) 的结果不同。
The reported issue is releated to org.apache.maven:maven-core:jar:3.0:compile which is needed as a dependency by a plugin to define the api (more accurate: org.apache.maven:maven-plugin-api:jar:3.0:compile ) which defines the lowest version of Maven the plugin will support. The reported issue is releated to org.apache.maven:maven-core:jar:3.0:compile which is needed as a dependency by a plugin to define the api (more accurate: org.apache.maven:maven-plugin-api:jar:3.0:compile ) 定义插件将支持的最低版本 Maven。
The reported CVE is related to the problem that if a pom file contains a repository which has http instead of https which can be used to introduce some malicious artifacts.报告的 CVE与以下问题有关,即如果 pom 文件包含具有http而不是https的存储库,可用于引入一些恶意工件。 This has been fixed by Maven 3.8.2+ but it is unrelated to the usage of maven-core/maven-plugin-api as artifacts for plugin development.这已由 Maven 3.8.2+ 修复,但它与使用 maven-core/maven-plugin-api 作为插件开发的工件无关。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.