主页 / coding / 问题 / 79254953
Accepted
TStevens
Asked: 2024-12-05 21:50:03 +0800 CST

覆盖具有易受攻击的依赖项的 Maven 插件 - Nexus Quarantine

  • 772
Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)
Maven home: C:\Tools\apache-maven-3.9.9-bin
Java version: 1.8.0_431, vendor: Oracle Corporation, runtime: C:\Tools\Java\jre
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 10", version: "10.0", arch: "amd64", family: "windows"

java version "1.8.0_431"
Java(TM) SE Runtime Environment (build 1.8.0_431-b10)
Java HotSpot(TM) 64-Bit Server VM (build 25.431-b10, mixed mode)

C:\Users\user\projectX>mvn validate
[INFO] Scanning for projects...
[INFO]
[INFO] -------------------------< projectX:projectX >--------------------------
[INFO] Building ProjectX 1.0-SNAPSHOT
[INFO]   from pom.xml
[INFO] --------------------------------[ pom ]---------------------------------
Downloading ...
[INFO]
[INFO] --- enforcer:3.4.1:enforce (enforce-versions) @ projectX ---
Downloading ...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  13.259 s
[INFO] Finished at: 2024-12-04T10:37:41-05:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.4.1:enforce (enforce-versions) on project projectX: Execution enforce-versions of goal org.apache.maven.plugins:maven-enforcer-plugin:3.4.1:enforce failed: Plugin org.apache.maven.plugins:maven-enforcer-plugin:3.4.1 or one of its dependencies could not be resolved:
[ERROR]         Could not transfer artifact commons-io:commons-io:jar:2.13.0 from/to nexus (https://nexus.xyz.com/repository/maven): status code: 403, reason phrase: -------------------->>> REQUESTED ITEM IS QUARANTINED -------------------->>> FOR DETAILS SEE ------>>> https://nexus-iq-server.xyz.com:8070/ui/links/repositories/quarantinedComponent/MzBlNmE1NmVjY2MyNDc5ZWI1MGZiNzAyMTkyZjVkODI <<<------ (403)
[ERROR]
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginResolutionException

commons-io : commons-io : 2.13.0
9   Security-High   High risk CVSS score    
Found security vulnerability CVE-2024-47554 with severity >= 7 (severity = 8.7)
Found security vulnerability CVE-2024-47554 with severity < 9 (severity = 8.7)

Nexus 表示要升级到 2.16.0。comomns.io 的最新版本是 2.18.0。

pom.xml

    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://nexus.xyz.com/repository/raw/schemas/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>
        <groupId>projectX</groupId>
        <artifactId>projectX</artifactId>
        <version>1.0-SNAPSHOT</version>
        <packaging>pom</packaging>

        <name>ProjectX</name>
        <description>An example of Nexus blocking vulnerable dependencies in Maven Plugins</description>
        <url></url>

        <dependencyManagement>
            <dependencies>
                <dependency>
                    <groupId>commons-io</groupId>
                    <artifactId>commons-io</artifactId>
                    <version>2.16.0</version>
                    <optional>false</optional>
                </dependency>
            </dependencies>
        </dependencyManagement>

        <build>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-enforcer-plugin</artifactId>
                    <version>3.4.1</version>
                    <executions>
                        <execution>
                            <id>enforce-versions</id>
                            <goals>
                                <goal>enforce</goal>
                            </goals>
                            <configuration>
                                <fail>true</fail>
                                <rules>
                                    <requireMavenVersion>
                                        <version>3.2.5</version>
                                    </requireMavenVersion>
                                    <requireJavaVersion>
                                        <version>[1.8,)</version>
                                    </requireJavaVersion>
                                </rules>
                            </configuration>
                        </execution>
                    </executions>
                </plugin>
            </plugins>
        </build>
    </project>

我通过 Nexus 访问 Maven 存储库。我尝试使用的许多插件都有一个或多个易受攻击的依赖项。Nexus 阻止了易受攻击的依赖项,构建失败。我创建了上述示例以尽可能简单地演示该问题。我将依赖项放在我的 pom 文件中,试图覆盖插件依赖项,但它不起作用。我的假设是,如果您在 pom 中的 dependencyManagement 中定义了依赖项,它将覆盖所有子依赖项版本,但这似乎是不正确的。有人知道纠正此问题的方法吗?任何帮助都将不胜感激。

maven

1 个回答

  1. Best Answer

    1. 确保使用所有 Maven 插件的最新版本

    2. 查看漏洞,看看在 Maven 运行中使用它是否真的“危险”。在这种情况下,许多漏洞实际上并不成问题。如果它看起来不危险,您可以要求公司的安全团队允许它。

    3. 尝试在插件定义中覆盖依赖项(而不是在dependenciesPOM 部分中)。这可能会或可能不会起作用。

    • 0

相关问题