Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)
Maven home: C:\Tools\apache-maven-3.9.9-bin
Java version: 1.8.0_431, vendor: Oracle Corporation, runtime: C:\Tools\Java\jre
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 10", version: "10.0", arch: "amd64", family: "windows"
java version "1.8.0_431"
Java(TM) SE Runtime Environment (build 1.8.0_431-b10)
Java HotSpot(TM) 64-Bit Server VM (build 25.431-b10, mixed mode)
C:\Users\user\projectX>mvn validate
[INFO] Scanning for projects...
[INFO]
[INFO] -------------------------< projectX:projectX >--------------------------
[INFO] Building ProjectX 1.0-SNAPSHOT
[INFO] from pom.xml
[INFO] --------------------------------[ pom ]---------------------------------
Downloading ...
[INFO]
[INFO] --- enforcer:3.4.1:enforce (enforce-versions) @ projectX ---
Downloading ...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 13.259 s
[INFO] Finished at: 2024-12-04T10:37:41-05:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.4.1:enforce (enforce-versions) on project projectX: Execution enforce-versions of goal org.apache.maven.plugins:maven-enforcer-plugin:3.4.1:enforce failed: Plugin org.apache.maven.plugins:maven-enforcer-plugin:3.4.1 or one of its dependencies could not be resolved:
[ERROR] Could not transfer artifact commons-io:commons-io:jar:2.13.0 from/to nexus (https://nexus.xyz.com/repository/maven): status code: 403, reason phrase: -------------------->>> REQUESTED ITEM IS QUARANTINED -------------------->>> FOR DETAILS SEE ------>>> https://nexus-iq-server.xyz.com:8070/ui/links/repositories/quarantinedComponent/MzBlNmE1NmVjY2MyNDc5ZWI1MGZiNzAyMTkyZjVkODI <<<------ (403)
[ERROR]
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginResolutionException
commons-io : commons-io : 2.13.0
9 Security-High High risk CVSS score
Found security vulnerability CVE-2024-47554 with severity >= 7 (severity = 8.7)
Found security vulnerability CVE-2024-47554 with severity < 9 (severity = 8.7)
Nexus 表示要升级到 2.16.0。comomns.io 的最新版本是 2.18.0。
pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://nexus.xyz.com/repository/raw/schemas/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>projectX</groupId>
<artifactId>projectX</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>pom</packaging>
<name>ProjectX</name>
<description>An example of Nexus blocking vulnerable dependencies in Maven Plugins</description>
<url></url>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.16.0</version>
<optional>false</optional>
</dependency>
</dependencies>
</dependencyManagement>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<version>3.4.1</version>
<executions>
<execution>
<id>enforce-versions</id>
<goals>
<goal>enforce</goal>
</goals>
<configuration>
<fail>true</fail>
<rules>
<requireMavenVersion>
<version>3.2.5</version>
</requireMavenVersion>
<requireJavaVersion>
<version>[1.8,)</version>
</requireJavaVersion>
</rules>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>
我通过 Nexus 访问 Maven 存储库。我尝试使用的许多插件都有一个或多个易受攻击的依赖项。Nexus 阻止了易受攻击的依赖项,构建失败。我创建了上述示例以尽可能简单地演示该问题。我将依赖项放在我的 pom 文件中,试图覆盖插件依赖项,但它不起作用。我的假设是,如果您在 pom 中的 dependencyManagement 中定义了依赖项,它将覆盖所有子依赖项版本,但这似乎是不正确的。有人知道纠正此问题的方法吗?任何帮助都将不胜感激。