Java CVE-2021-26291 on maven-core-3.0.jar maven-core-3.1.0.jar
Question
Small question regarding CVE-2021-26291 on maven-core-3.0.jar maven-core-3.1.0.jar please.
On a very simple project, which pom file below (please feel free to copy paste)
Maven versin is: Apache Maven 3.6.3
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.6.5</version>
<relativePath/>
</parent>
<groupId>org.example</groupId>
<artifactId>cvequestion</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>pom</packaging>
<properties>
<java.version>11</java.version>
<maven.compiler.source>11</maven.compiler.source>
<maven.compiler.target>11</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<project.type>application</project.type>
<sonar.java.coveragePlugin>jacoco</sonar.java.coveragePlugin>
<sonar.java.libraries>target/</sonar.java.libraries>
<sonar.junit.reportsPaths>target/reports/junit</sonar.junit.reportsPaths>
<sonar.language>java</sonar.language>
</properties>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>2021.0.1</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-webflux</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-cassandra-reactive</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-kubernetes-fabric8</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-config-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-sleuth</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-sleuth-zipkin</artifactId>
</dependency>
<dependency>
<groupId>io.projectreactor.netty</groupId>
<artifactId>reactor-netty-http-brave</artifactId>
</dependency>
<dependency>
<groupId>io.micrometer</groupId>
<artifactId>micrometer-registry-prometheus</artifactId>
</dependency>
<dependency>
<groupId>io.github.resilience4j</groupId>
<artifactId>resilience4j-micrometer</artifactId>
</dependency>
<dependency>
<groupId>io.github.resilience4j</groupId>
<artifactId>resilience4j-reactor</artifactId>
</dependency>
<dependency>
<groupId>io.github.resilience4j</groupId>
<artifactId>resilience4j-spring-boot2</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-contract-verifier</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.lmax</groupId>
<artifactId>disruptor</artifactId>
<version>3.4.4</version>
</dependency>
<dependency>
<groupId>org.springframework.statemachine</groupId>
<artifactId>spring-statemachine-core</artifactId>
<version>3.0.1</version>
</dependency>
<dependency>
<groupId>net.logstash.logback</groupId>
<artifactId>logstash-logback-encoder</artifactId>
<version>7.0.1</version>
</dependency>
<dependency>
<groupId>de.codecentric</groupId>
<artifactId>spring-boot-admin-starter-client</artifactId>
<version>2.6.2</version>
</dependency>
<dependency>
<groupId>org.springdoc</groupId>
<artifactId>springdoc-openapi-webflux-ui</artifactId>
<version>1.6.6</version>
</dependency>
<dependency>
<groupId>io.github.hakky54</groupId>
<artifactId>sslcontext-kickstart-for-netty</artifactId>
<version>7.3.0</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<testFailureIgnore>true</testFailureIgnore>
<reportsDirectory>target/reports/junit</reportsDirectory>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<configuration>
<outputDirectory>target/javadoc</outputDirectory>
<reportOutputDirectory>target/javadoc</reportOutputDirectory>
<javadocExecutable>${java.home}/bin/javadoc</javadocExecutable>
</configuration>
<executions>
<execution>
<goals>
<goal>javadoc</goal>
</goals>
<phase>site</phase>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.sonarsource.scanner.maven</groupId>
<artifactId>sonar-maven-plugin</artifactId>
<version>3.9.1.2184</version>
<dependencies>
<dependency>
<groupId>org.codehaus.woodstox</groupId>
<artifactId>woodstox-core-asl</artifactId>
<version>4.4.1</version>
</dependency>
</dependencies>
</plugin>
<plugin>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-maven-plugin</artifactId>
<version>4.5.3.0</version>
<configuration>
<outputDirectory>target/reports/findbugs</outputDirectory>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.16.0</version>
<configuration>
<targetDirectory>.out/reports/pmd</targetDirectory>
<outputDirectory>target/reports/pmd</outputDirectory>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>3.1.2</version>
<configuration>
<outputFile>.out/reports/checkstyle/checkstyle-result.xml</outputFile>
<outputDirectory>target/reports/checkstyle</outputDirectory>
<outputFileFormat>xml</outputFileFormat>
</configuration>
<dependencies>
<dependency>
<groupId>com.puppycrawl.tools</groupId>
<artifactId>checkstyle</artifactId>
<version>10.0</version>
</dependency>
</dependencies>
</plugin>
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>0.8.7</version>
<configuration>
<append>true</append>
</configuration>
<executions>
<execution>
<goals>
<goal>prepare-agent</goal>
</goals>
</execution>
<execution>
<id>report</id>
<phase>verify</phase>
<goals>
<goal>report</goal>
<goal>report-aggregate</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.pitest</groupId>
<artifactId>pitest-maven</artifactId>
<version>1.7.5</version>
<configuration>
<withHistory>true</withHistory>
<threads>16</threads>
<outputFormats>
<param>XML</param>
<param>HTML</param>
</outputFormats>
<mutators>
<mutator>CONDITIONALS_BOUNDARY</mutator>
<mutator>INCREMENTS</mutator>
<mutator>INVERT_NEGS</mutator>
<mutator>MATH</mutator>
<mutator>NEGATE_CONDITIONALS</mutator>
<mutator>EMPTY_RETURNS</mutator>
<mutator>FALSE_RETURNS</mutator>
<mutator>TRUE_RETURNS</mutator>
<mutator>PRIMITIVE_RETURNS</mutator>
<mutator>REMOVE_INCREMENTS</mutator>
<mutator>EXPERIMENTAL_BIG_INTEGER</mutator>
<mutator>EXPERIMENTAL_MEMBER_VARIABLE</mutator>
<mutator>EXPERIMENTAL_SWITCH</mutator>
</mutators>
</configuration>
<dependencies>
<dependency>
<groupId>org.pitest</groupId>
<artifactId>pitest-junit5-plugin</artifactId>
<version>0.15</version>
</dependency>
</dependencies>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<version>3.11.0</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>3.2.2</version>
</plugin>
</plugins>
</build>
<reporting>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>3.2.0</version>
</plugin>
</plugins>
</reporting>
</project>
I am running a static analysis which will find CVEs.
In my case, the CVE-2021-26291 on maven-core-3.0.jar maven-core-3.1.0.jar was found.
Quite surprised about the result, because I am not using any of those maven core jars.
I then run the command mvn clean install dependency:tree -X in order to troubleshoot the issue. (Please feel free to run the same, issue is 100% reproducible)
It seems from the three:
[INFO] --- jacoco-maven-plugin:0.8.7:prepare-agent (default) @ cvequestion ---
[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=146555, ConflictMarker.markTime=114395, ConflictMarker.nodeCount=94, ConflictIdSorter.graphTime=72340, ConflictIdSorter.topsortTime=57819, ConflictIdSorter.conflictIdCount=40, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=852861, ConflictResolver.conflictItemCount=87, DefaultDependencyCollector.collectTime=267858813, DefaultDependencyCollector.transformTime=1327133}
[DEBUG] org.jacoco:jacoco-maven-plugin:jar:0.8.7
[DEBUG] org.apache.maven:maven-plugin-api:jar:3.0:compile
[DEBUG] org.apache.maven:maven-model:jar:3.0:compile
[DEBUG] org.apache.maven:maven-artifact:jar:3.0:compile
[DEBUG] org.sonatype.sisu:sisu-inject-plexus:jar:1.4.2:compile
[DEBUG] org.sonatype.sisu:sisu-inject-bean:jar:1.4.2:compile
[DEBUG] org.sonatype.sisu:sisu-guice:jar:noaop:2.1.7:compile
[DEBUG] org.apache.maven:maven-core:jar:3.0:compile
What I tried to do, is even to add the latest maven core 3.8.5 (latest as of this writing March 2022), in both the plugin and dependency block of the pom, but still seeing those two particular versions, as well as the CVEs.
May I ask, why are they in my dependency please?
Most of all, how do I fix this technical issue please?
Thank you
1 answers
solution1
1 ACCPTED 2022-03-28 17:00:31
The real problem in this case is that those scanning tools analysing the plugins as well which is simply wrong, because they become not part of the resulting artifacts. Also does the usage (defining as a dependency of plugin) of an artifact maven-core has not the same consequence as using Maven (3.0.5) on command line.
The reported issue is releated to org.apache.maven:maven-core:jar:3.0:compile which is needed as a dependency by a plugin to define the api (more accurate: org.apache.maven:maven-plugin-api:jar:3.0:compile ) which defines the lowest version of Maven the plugin will support.
The reported CVE is related to the problem that if a pom file contains a repository which has http instead of https which can be used to introduce some malicious artifacts. This has been fixed by Maven 3.8.2+ but it is unrelated to the usage of maven-core/maven-plugin-api as artifacts for plugin development.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
unresolved dependency: io.swagger:swagger-core:jar in maven
Maven : Distributing maven jar
Jar in a jar build with maven
Maven: Java jar dependencies not copied
Execute jar in Java Eclipse Maven before goals
java build tool maven and jar file
Java Maven Package Excel Files in Jar
JavaFX with Maven works with exec:java but not in the jar at runtime
Maven exec works, but java -jar does not
Java classes missing from jar built with maven
Related Tags