Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CVE-2022-4244] Remove maven-model as dependency #62

Merged
merged 1 commit into from
Apr 4, 2024
Merged

[CVE-2022-4244] Remove maven-model as dependency #62

merged 1 commit into from
Apr 4, 2024

Conversation

asloobq
Copy link
Contributor

@asloobq asloobq commented Mar 29, 2024
edited
Loading

Trivy has flagged a vulnerability in package org.codehaus.plexus:plexus-utils:jar:3.0.22


┌──────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────┐
│             Library              │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                   Title                   │
├──────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────┤
│ org.codehaus.plexus:plexus-utils │ CVE-2022-4244 │ HIGH     │ fixed  │ 3.0.22            │ 3.0.24        │ codehaus-plexus: Directory Traversal      │
│                                  │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4244 │
└──────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────┘

https://github.com/IABTechLab/uid2-client-java/actions/runs/8475000264/job/23222348106
The dependency is brought in by org.apache.maven:maven-model:jar:3.3.9: upgrading it to latest version fixes the issue but I don't think its needed in our project

[INFO] --- dependency:3.6.0:tree (default-cli) @ uid2-client ---
[INFO] com.uid2:uid2-client:jar:4.3.2-479d2cb58f
[INFO] +- com.google.code.gson:gson:jar:2.10:compile
[INFO] +- org.junit.jupiter:junit-jupiter-engine:jar:5.9.2:test
[INFO] |  +- org.junit.platform:junit-platform-engine:jar:1.9.2:test
[INFO] |  |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO] |  |  \- org.junit.platform:junit-platform-commons:jar:1.9.2:test
[INFO] |  +- org.junit.jupiter:junit-jupiter-api:jar:5.9.2:test
[INFO] |  \- org.apiguardian:apiguardian-api:jar:1.1.2:test
[INFO] +- com.squareup.okhttp3:okhttp:jar:4.10.0:compile
[INFO] |  +- com.squareup.okio:okio-jvm:jar:3.0.0:compile
[INFO] |  |  +- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.5.31:compile
[INFO] |  |  |  \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.5.31:compile
[INFO] |  |  \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.5.31:compile
[INFO] |  \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.6.20:compile
[INFO] |     \- org.jetbrains:annotations:jar:13.0:compile
[INFO] \- org.apache.maven:maven-model:jar:3.3.9:compile
[INFO]    +- org.codehaus.plexus:plexus-utils:jar:3.0.22:compile
[INFO]    \- org.apache.commons:commons-lang3:jar:3.4:compile

@asloobq asloobq requested a review from jon8787 March 29, 2024 18:10
@asloobq asloobq marked this pull request as ready for review April 2, 2024 22:59
@asloobq asloobq changed the title remove maven-model as dependency [CVE-2022-4244] Remove maven-model as dependency Apr 4, 2024
@asloobq asloobq merged commit 7ed7891 into main Apr 4, 2024
3 checks passed
@asloobq asloobq deleted the asloobq-patch-2 branch April 4, 2024 17:54
@asloobq asloobq mentioned this pull request Apr 20, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jon8787 jon8787 jon8787 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@asloobq @jon8787