
ossindex-maven's Introduction

ossindex-maven's People

Contributors

jakobbraun, jdillon, ndonewar, scherzhaft, sonatype-zion


ossindex-maven's Issues

Excluded coordinates should not be queried in the OSS Index?

Using a config similar to the one below (obfuscated), the excluded artefact is still included in the network request that queries the index.
The excluded artefact is one of our internal dependencies. We do not wish for this information to be transmitted outside of our networks.

      <exclude>
          <groupId>uk.xxx.yyy.zzz</groupId>
          <artifactId>aaaa-bbb</artifactId>
          <version>0.0.14-SNAPSHOT</version>
      </exclude>

POST https://ossindex.sonatype.org/api/v3/component-report;
payload: {"coordinates":["pkg:maven/org.yaml/[email protected]","pkg:maven/uk.xxx.yyy.zzz/aaaa-bbb@0.0.14-SNAPSHOT", ... etc..]} (application/vnd.ossindex.component-report-request.v1+json); accept: application/vnd.ossindex.component-report.v1+json
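The behaviour this report asks for, as an added illustration that is not the ossindex-maven plugin's own code: an <exclude> rule must drop a coordinate before the component-report request body is assembled, so an internal artifact never leaves the network. The dependencies and the exclude rule are constructed samples shaped like the ones in the issue; treating an omitted exclude field as a wildcard is an assumption of this example, not documented plugin behaviour.

```python
"""Exclusion applied before the OSS Index request is built (illustrative)."""
import json
from dataclasses import dataclass
from typing import List, Optional

# Endpoint and media types exactly as logged in the issue
ENDPOINT = "https://ossindex.sonatype.org/api/v3/component-report"
REQUEST_TYPE = "application/vnd.ossindex.component-report-request.v1+json"
ACCEPT_TYPE = "application/vnd.ossindex.component-report.v1+json"


@dataclass(frozen=True)
class Coordinate:
    group_id: str
    artifact_id: str
    version: str

    def purl(self) -> str:
        # Package URL form used for Maven artifacts in OSS Index v3 requests
        return f"pkg:maven/{self.group_id}/{self.artifact_id}@{self.version}"


@dataclass(frozen=True)
class Exclude:
    """Mirror of the <exclude> block: groupId / artifactId / version."""
    group_id: Optional[str] = None
    artifact_id: Optional[str] = None
    version: Optional[str] = None

    def matches(self, c: Coordinate) -> bool:
        # Assumption (not from the page): a field left empty acts as a wildcard
        pairs = ((self.group_id, c.group_id),
                 (self.artifact_id, c.artifact_id),
                 (self.version, c.version))
        return all(want is None or want == have for want, have in pairs)


def filter_coordinates(coords: List[Coordinate], excludes: List[Exclude]) -> List[Coordinate]:
    """Drop every coordinate matched by any exclude rule."""
    return [c for c in coords if not any(e.matches(c) for e in excludes)]


def build_request(coords: List[Coordinate], excludes: List[Exclude]) -> dict:
    """Assemble the JSON body; filtering happens here, before any HTTP call."""
    kept = filter_coordinates(coords, excludes)
    return {"coordinates": [c.purl() for c in kept]}


def prepare_post(coords: List[Coordinate], excludes: List[Exclude]) -> dict:
    """Everything an HTTP client would need; still no network call here."""
    return {
        "url": ENDPOINT,
        "headers": {"Content-Type": REQUEST_TYPE, "Accept": ACCEPT_TYPE},
        "body": json.dumps(build_request(coords, excludes)),
    }


def leaked_coordinates(coords: List[Coordinate], excludes: List[Exclude]) -> List[str]:
    """Defensive check: which excluded purls still appear in the serialised body?
    An empty list means the exclusion is honoured."""
    body = prepare_post(coords, excludes)["body"]
    return [c.purl() for c in coords
            if any(e.matches(c) for e in excludes) and c.purl() in body]


# Constructed sample: two public dependencies plus one internal artifact
SAMPLE_DEPS = [
    Coordinate("org.yaml", "snakeyaml", "1.16"),
    Coordinate("org.codehaus.plexus", "plexus-utils", "3.0.24"),
    Coordinate("uk.xxx.yyy.zzz", "aaaa-bbb", "0.0.14-SNAPSHOT"),
]
SAMPLE_EXCLUDES = [Exclude("uk.xxx.yyy.zzz", "aaaa-bbb", "0.0.14-SNAPSHOT")]

if __name__ == "__main__":
    print(prepare_post(SAMPLE_DEPS, SAMPLE_EXCLUDES)["body"])
    print("leaked:", leaked_coordinates(SAMPLE_DEPS, SAMPLE_EXCLUDES))
```

`leaked_coordinates` is the check a team with the same concern can keep in a unit test: it fails loudly if a future change moves the exclusion to the result side (filtering reports after the query) instead of the request side.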

False positive for Elasticsearch 5.6.15

Hey

I'm depending on 5.6.15 and when running my build, I'm getting:

[ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.0.1:audit (audit-dependencies) on project fscrawler-elasticsearch-client-v5: Detected 1 vulnerable components:
[ERROR]   org.elasticsearch:elasticsearch:jar:5.6.15:compile; https://ossindex.sonatype.org/component/pkg:maven/org.elasticsearch/elasticsearch@5.6.15
[ERROR]     * [CVE-2018-3831]  Information Exposure (8.8); https://ossindex.sonatype.org/vuln/500a2f34-8408-419e-9f1f-9243ee04c163

Link to CVE: https://ossindex.sonatype.org/vuln/500a2f34-8408-419e-9f1f-9243ee04c163

Versions before 5.6.12 are affected but I'm using 5.6.15.

[RFE] provide information on 'fixability' of reported vulnerabilities

Just read your email announcement on the Maven list and just tried your awesome plugin.

As you asked for feedback, here is mine.

It would be IMHO very useful to have information on whether or not it is possible to resolve the vulnerability, i.e. whether or not a newer version of the culprit library/plugin exists that resolves the vulnerability.
As this could take more time for the plugin to answer, perhaps it could be activated behind a flag/parameter.

As an example I tried it on jgitver, one of my Maven plugins; it reports the following:

[ERROR]   org.codehaus.plexus:plexus-utils:jar:3.0.8:compile; https://ossindex.sonatype.org/component/maven:org.codehaus.plexus/plexus-utils@3.0.8
[ERROR]     * Possible XML Injection (0.0); https://ossindex.sonatype.org/vuln/53d58c08-d32b-4d21-92f4-d0930e6b3210
[ERROR]     * Directory traversal in org.codehaus.plexus.util.Expand (0.0); https://ossindex.sonatype.org/vuln/a2f46413-d41e-46e3-9864-d89d15b433be

but from there, I do not know if I need to spend time in trying to find a newer version of plexus-utils that could resolve the vulnerability or if no newer version resolving the issues exist.

So in addition to the reported vulnerabilities you could probably also report something like:

[INFO]   update to org.codehaus.plexus:plexus-utils:jar:3.1.0 to resolve 2 vulnerabilities

You could also imagine reporting that no newer version resolves the vulnerabilities, or, if you were numbering/labeling the reported vulnerabilities, the message for partial fixes could be:

[ERROR]     * Possible XML Injection (0.0) [1]; https://ossindex.sonatype.org/vuln/53d58c08-d32b-4d21-92f4-d0930e6b3210
...
[INFO]   org.codehaus.plexus:plexus-utils:jar:3.1.0 resolves 1 vulnerability on 2: [1]
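Both of the last two reports come down to version ordering: the Elasticsearch false positive ("versions before 5.6.12 are affected, I'm on 5.6.15") is an affected-range check, and this RFE asks for the lowest newer version that resolves the reported vulnerabilities. The following is an added example, not code from the plugin or from OSS Index. Its version ordering is a deliberate simplification of Maven's rules (assumption), and the plexus-utils fix versions and available versions are constructed to show a full and a partial fix; only the Elasticsearch range is taken from the issue text.

```python
"""Affected-range check and "fixability" hint for reported vulnerabilities."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: these qualifiers denote a release; anything else is a pre-release
RELEASE_QUALIFIERS = {"", "final", "ga", "release"}


def parse_version(v: str) -> Tuple[Tuple[int, ...], int, str]:
    """Sortable key: numeric parts, release flag, qualifier.
    "5.6.15" -> ((5, 6, 15), 1, ""), "1.0-alpha-9" -> ((1,), 0, "alpha-9")."""
    tokens = re.split(r"[.-]", v)
    nums: List[int] = []
    while tokens and tokens[0].isdigit():
        nums.append(int(tokens.pop(0)))
    qualifier = "-".join(tokens).lower()
    while len(nums) > 1 and nums[-1] == 0:   # 5.6.0 sorts equal to 5.6
        nums.pop()
    is_release = 1 if qualifier in RELEASE_QUALIFIERS else 0
    return (tuple(nums), is_release, qualifier)


@dataclass(frozen=True)
class Vulnerability:
    ident: str
    title: str
    fixed_in: Optional[str]   # first unaffected version; None = no fix known


def is_affected(version: str, vuln: Vulnerability) -> bool:
    """Affected when the version is older than the first fixed version."""
    if vuln.fixed_in is None:
        return True
    return parse_version(version) < parse_version(vuln.fixed_in)


def best_upgrade(current: str, vulns: List[Vulnerability],
                 available: List[str]) -> Tuple[Optional[str], List[str]]:
    """Lowest available version newer than `current` that resolves the most
    vulnerabilities. Returns (version or None, ids it resolves)."""
    cur = parse_version(current)
    best_version, best_resolved = None, []
    for candidate in sorted(available, key=parse_version):
        if parse_version(candidate) <= cur:
            continue
        resolved = [v.ident for v in vulns if not is_affected(candidate, v)]
        if len(resolved) > len(best_resolved):
            best_version, best_resolved = candidate, resolved
        if len(resolved) == len(vulns):
            break
    return best_version, best_resolved


def fix_hint(coordinate: str, current: str, vulns: List[Vulnerability],
             available: List[str]) -> str:
    """Render the extra [INFO] line proposed in the RFE."""
    version, resolved = best_upgrade(current, vulns, available)
    total = len(vulns)
    if version is None:
        return f"[INFO]   no newer version of {coordinate} resolves the {total} reported vulnerabilities"
    if len(resolved) == total:
        return f"[INFO]   update to {coordinate}:{version} to resolve {total} vulnerabilities"
    return (f"[INFO]   {coordinate}:{version} resolves {len(resolved)} of {total}"
            f" vulnerabilities: [{', '.join(resolved)}]")


# Constructed samples: the Elasticsearch range follows the issue text; the
# plexus-utils fix versions are invented to show a full and a partial fix.
ES_CVE = Vulnerability("CVE-2018-3831", "Information Exposure", fixed_in="5.6.12")
PLEXUS_VULNS = [
    Vulnerability("1", "Possible XML Injection", fixed_in="3.1.0"),
    Vulnerability("2", "Directory traversal in Expand", fixed_in=None),
]
PLEXUS_AVAILABLE = ["3.0.8", "3.0.24", "3.1.0", "3.2.1"]
PLEXUS = "org.codehaus.plexus:plexus-utils:jar"

if __name__ == "__main__":
    print("5.6.15 affected by", ES_CVE.ident, "->", is_affected("5.6.15", ES_CVE))
    print(fix_hint(PLEXUS, "3.0.8", PLEXUS_VULNS, PLEXUS_AVAILABLE))
```

The partial-fix line is rendered as "resolves 1 of 2 vulnerabilities: [1]", matching the numbering scheme proposed above; when every candidate leaves all vulnerabilities open, the hint says so instead of pointing at a pointless upgrade.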

[DepShield] (CVSS 5.9) Vulnerability due to usage of com.google.guava:guava:20.0

Vulnerabilities

DepShield reports that this application's usage of com.google.guava:guava:20.0 results in the following vulnerability(s):


Occurrences

com.google.guava:guava:20.0 is a transitive dependency introduced by the following direct dependency(s):

com.google.guava:guava:20.0

org.sonatype.ossindex.maven:ossindex-maven-common:3.0.5-SNAPSHOT
        └─ com.google.guava:guava:20.0

org.sonatype.ossindex.maven:ossindex-maven-common:3.0.5-SNAPSHOT
        └─ com.google.guava:guava:20.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

Is there a way to DEBUG usage of authId?

I've added a server id to settings.xml with the OSS Index registration info and added -Dossindex.authId to the parameters when running the Maven command.
I've enabled debug for maven build, but had no luck in finding any info about whether this option was applied or not.

Can you help me please?

HTTP/1.1 429 Too many requests when running 'audit' in a large project

This happens more often when I build my multi-module project in parallel threads, but it also happens (less often) with mvn -T 1:

The fact that it doesn't fail the build could be a problem too (may deserve an option).

e.g.

[INFO] --- ossindex-maven-plugin:3.0.0:audit (audit-dependencies) @ zanata-war ---
[INFO] Checking for vulnerabilities; [net.jcip:jcip-annotations:jar:1.0:provided, org.jboss.arquillian.core:arquillian-core-api:jar:1.1.13.Final:test, ognl:ognl:jar:2.6.9:test, org.apache.deltaspike.modules:deltaspike-jpa-module-api:jar:1.7.0:compile, org.jboss.invocation:jboss-invocation:jar:1.4.1.Final:test, org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-impl-base:jar:2.0.0:test, org.jboss.arquillian.junit:arquillian-junit-container:jar:1.1.13.Final:test, org.apache.maven.wagon:wagon-http-shared:jar:2.6:test, net.bytebuddy:byte-buddy:jar:1.6.14:test, org.quartz-scheduler:quartz:jar:2.2.1:compile, commons-beanutils:commons-beanutils:jar:1.9.3:compile, org.richfaces:richfaces:jar:4.5.17.Final:compile, com.google.gwt:gwt-servlet:jar:2.8.0:runtime, org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-api-maven:jar:2.2.4:test, org.apache.lucene:lucene-backward-codecs:jar:5.3.1:compile, com.googlecode.log4jdbc:log4jdbc:jar:1.2:test, joda-time:joda-time:jar:2.8.1:compile, org.jboss.resteasy:resteasy-cdi:jar:3.0.26.Final:compile, org.jboss.arquillian.container:arquillian-container-impl-base:jar:1.1.11.Final:test, org.jboss.resteasy:jaxrs-api:jar:3.0.12.Final:compile, org.wildfly.arquillian:wildfly-arquillian-common:jar:2.0.0.Final:test, org.jboss.arquillian.testenricher:arquillian-testenricher-ejb:jar:1.1.11.Final:test, org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-spi-maven:jar:2.2.0:test, org.apache.deltaspike.modules:deltaspike-security-module-api:jar:1.7.0:compile, org.jboss.arquillian.testenricher:arquillian-testenricher-resource:jar:1.1.11.Final:test, com.fasterxml.jackson.core:jackson-databind:jar:sources:2.9.5:compile, org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9:test, org.openid4java:openid4java:jar:1.0.0:compile, org.infinispan:infinispan-directory-provider:jar:8.1.0.Final:provided, com.lowagie:itext:jar:2.1.7:runtime, org.jboss.arquillian.junit:arquillian-junit-core:jar:1.1.13.Final:test, 
org.wildfly.core:wildfly-deployment-repository:jar:2.0.10.Final:test, net.sf.okapi:okapi-core:jar:0.29:compile, org.apache.deltaspike.modules:deltaspike-servlet-module-api:jar:1.7.0:compile, org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile, com.ibm.icu:icu4j:jar:56.1:compile, org.apache.maven:maven-profile:jar:2.0.5:test, org.jboss.resteasy:resteasy-jaxb-provider:jar:3.0.26.Final:compile, org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.2.50:compile, org.eclipse.aether:aether-connector-basic:jar:1.1.0:test, org.apache.lucene:lucene-core:jar:5.3.1:compile, dom4j:dom4j:jar:1.6.1:provided, io.javaslang:javaslang:jar:2.0.6:compile, org.codehaus.woodstox:woodstox-core-lgpl:jar:4.4.1:compile, org.zanata:gwt-shared:jar:4.7.0-SNAPSHOT:compile, net.sf.okapi.filters:okapi-filter-dtd:jar:0.29:compile, org.jboss.spec.javax.jms:jboss-jms-api_2.0_spec:jar:1.0.0.Final:provided, org.apache.lucene:lucene-misc:jar:5.3.1:compile, com.squareup:javapoet:jar:1.0.0:compile, com.google.jsinterop:jsinterop-annotations:jar:1.0.1:provided, org.apache.oltu.oauth2:org.apache.oltu.oauth2.common:jar:1.0.1:compile, c3p0:c3p0:jar:0.9.1.1:compile, com.google.gwt.inject:gin:jar:1.5.0:provided, org.jboss.modules:jboss-modules:jar:1.5.1.Final:test, org.fedorahosted.openprops:openprops:jar:0.8.5:compile, org.fedorahosted.tennera:jgettext:jar:0.15:compile, org.hibernate:hibernate-search-orm:jar:5.5.1.Final:compile, org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-spi:jar:2.0.0:test, commons-lang:commons-lang:jar:2.6:compile, org.hibernate.javax.persistence:hibernate-jpa-2.1-api:jar:1.0.0.Final:provided, com.sun.faces:jsf-impl:jar:2.2.12:provided, org.jboss.spec.javax.ejb:jboss-ejb-api_3.2_spec:jar:1.0.0.Final:provided, org.jboss.arquillian.test:arquillian-test-api:jar:1.1.13.Final:test, org.apache.deltaspike.modules:deltaspike-proxy-module-api:jar:1.7.0:compile, org.apache.commons:commons-exec:jar:1.3:compile, javax.activation:activation:jar:1.1.1:provided, 
com.google.errorprone:error_prone_annotations:jar:2.0.18:provided, org.jboss.byteman:byteman-install:jar:2.1.2:test, org.jboss.weld.environment:weld-environment-common:jar:2.3.2.Final:provided, org.wildfly.core:wildfly-remoting:jar:2.0.10.Final:test, com.google.gwt:gwt-user:jar:2.8.0:provided, org.jboss.weld.se:weld-se-core:jar:2.3.2.Final:provided, org.apache.maven.wagon:wagon-provider-api:jar:2.6:test, org.ow2.asm:asm-commons:jar:6.0:compile, org.apache.deltaspike.modules:deltaspike-servlet-module-impl:jar:1.7.0:runtime, org.apache.deltaspike.modules:deltaspike-bean-validation-module-impl:jar:1.7.0:runtime, org.ocpsoft.prettytime:prettytime:jar:3.0.2.Final:compile, org.checkerframework:checker-qual:jar:2.0.0:compile, org.eclipse.aether:aether-util:jar:1.1.0:test, org.jboss.spec.javax.faces:jboss-jsf-api_2.2_spec:jar:2.2.11:provided, org.apache.deltaspike.modules:deltaspike-scheduler-module-impl:jar:1.7.0:runtime, org.dbunit:dbunit:jar:2.4.9:test, org.apache.lucene:lucene-analyzers-common:jar:5.3.1:compile, org.zanata:zanata-adapter-glossary:jar:4.7.0-SNAPSHOT:compile, org.apache.deltaspike.cdictrl:deltaspike-cdictrl-api:jar:1.7.0:compile, org.richfaces.cdk:annotations:jar:4.5.0.Final:provided, com.mattbertolini:liquibase-slf4j:jar:2.0.0:compile, com.google.code.findbugs:findbugs-annotations:jar:3.0.1:provided, org.jboss.marshalling:jboss-marshalling:jar:1.4.10.Final:test, se.jiderhamn:classloader-leak-prevention:jar:1.15.1:compile, com.googlecode.junit-toolbox:junit-toolbox:jar:2.3:test, org.webjars.bower:github-com-ccakes-jquery-typing:jar:0.3.3:compile, org.wildfly.core:wildfly-server:jar:2.0.10.Final:test, org.apache.lucene:lucene-queries:jar:5.3.1:compile, com.fasterxml.jackson.core:jackson-databind:jar:2.9.5:compile, commons-fileupload:commons-fileupload:jar:1.3.3:compile, org.zanata:zanata-liquibase:jar:4.7.0-SNAPSHOT:compile, org.hibernate:hibernate-search-engine:jar:tests:5.5.1.Final:provided, org.apache.maven:maven-repository-metadata:jar:3.5.0:test, 
log4j:log4j:jar:1.2.17:provided, org.apache.maven:maven-builder-support:jar:3.5.0:test, org.jetbrains.kotlin:kotlin-test:jar:1.2.50:test, org.apache.maven.wagon:wagon-file:jar:2.6:test, org.jboss.xnio:xnio-nio:jar:3.3.4.Final:provided, org.zanata:gwt-test:jar:4.7.0-SNAPSHOT:test, org.apache.commons:commons-lang3:jar:3.7:compile, org.apache.maven.wagon:wagon-http-lightweight:jar:2.6:test, net.htmlparser.jericho:jericho-html:jar:3.4:compile, com.jayway.awaitility:awaitility:jar:1.6.3:test, org.wildfly.core:wildfly-platform-mbean:jar:2.0.10.Final:test, org.omnifaces:omnifaces:jar:2.6.4:compile, net.sf.okapi.filters:okapi-filter-plaintext:jar:0.29:compile, antlr:antlr:jar:2.7.7:compile, org.jboss.marshalling:jboss-marshalling-river:jar:1.4.10.Final:test, org.apache.oltu.oauth2:org.apache.oltu.oauth2.authzserver:jar:1.0.1:compile, org.webjars.npm:diff:jar:3.5.0:compile, com.graphql-java:graphql-java:jar:8.0:compile, org.zanata:zanata-model-test:jar:4.7.0-SNAPSHOT:test, org.jboss.shrinkwrap:shrinkwrap-spi:jar:1.2.6:test, org.wildfly.arquillian:wildfly-arquillian-testenricher-msc:jar:2.0.0.Final:test, org.json:json:jar:20140107:compile, org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile, org.zanata:zanata-frontend:jar:4.7.0-SNAPSHOT:compile, org.apache.deltaspike.modules:deltaspike-security-module-impl:jar:1.7.0:runtime, org.wildfly.core:wildfly-core-security-api:jar:2.0.10.Final:test, org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-spi:jar:2.2.0:test, org.apache.commons:commons-csv:jar:1.2:compile, org.reactivestreams:reactive-streams:jar:1.0.2:compile, com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.8.11:compile, com.wutka:dtdparser:jar:1.21:compile, net.sf.okapi.filters:okapi-filter-openoffice:jar:0.29:compile, org.apache.james:apache-mime4j:jar:0.6:compile, net.sf.okapi.filters:okapi-filter-regex:jar:0.29:compile, org.jboss.arquillian.core:arquillian-core-impl-base:jar:1.1.11.Final:test, org.jgroups:jgroups:jar:3.6.4.Final:provided, 
com.google.jsinterop:jsinterop-annotations:jar:sources:1.0.1:provided, org.jboss.weld:weld-core-impl:jar:2.3.2.Final:provided, org.wildfly.core:wildfly-core-security:jar:2.0.10.Final:test, com.google.code.findbugs:jsr305:jar:3.0.2:provided, xmlunit:xmlunit:jar:1.4:compile, org.jboss:staxmapper:jar:1.2.0.Final:test, org.yaml:snakeyaml:jar:1.16:compile, org.scannotation:scannotation:jar:1.0.3:test, org.wildfly.arquillian:wildfly-arquillian-container-managed:jar:2.0.0.Final:test, org.jglue.cdi-unit:cdi-unit:jar:4.0.0:test, org.jboss.arquillian.protocol:arquillian-protocol-jmx:jar:1.1.11.Final:test, org.jboss.resteasy:resteasy-jackson-provider:jar:3.0.26.Final:compile, com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:jar:r239:compile, org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.2.50:compile, org.jboss.remotingjmx:remoting-jmx:jar:2.0.1.Final:test, org.ocpsoft.logging:logging-adapter-jboss:jar:1.0.3.Final:compile, org.wildfly.core:wildfly-domain-management:jar:2.0.10.Final:test, org.jboss.stdio:jboss-stdio:jar:1.0.2.GA:test, org.wildfly.security:wildfly-elytron:jar:1.1.0.Beta16:test, org.zanata:security-common:jar:4.7.0-SNAPSHOT:compile, org.eclipse.aether:aether-transport-wagon:jar:1.0.0.v20140518:test, io.github.microutils:kotlin-logging:jar:1.4.1:compile, org.glassfish.jaxb:txw2:jar:2.2.11:compile, net.dongliu:gson-java8-datatype:jar:1.1.0:compile, org.wildfly.core:wildfly-self-contained:jar:2.0.10.Final:test, org.zanata:zanata-common-api:jar:compat:3.9.1:test, com.sun.mail:javax.mail:jar:1.5.5:provided, org.jboss.resteasy:resteasy-client:jar:3.0.26.Final:compile, org.jetbrains.kotlin:kotlin-test-annotations-common:jar:1.2.50:test, org.apache.httpcomponents:httpcore:jar:4.4.3:compile, org.apache.deltaspike.modules:deltaspike-jpa-module-impl:jar:1.7.0:compile, org.infinispan:infinispan-commons:jar:8.1.0.Final:provided, org.webjars.bower:commonmark:jar:0.20.0:compile, org.wildfly.core:wildfly-io:jar:2.0.10.Final:test, 
org.codehaus.groovy:groovy-all:jar:2.4.15:compile, org.webjars.bower:blueimp-tmpl:jar:2.5.3:compile, org.jboss.arquillian.testenricher:arquillian-testenricher-cdi:jar:1.1.11.Final:test, org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.2.50:compile, org.apache.deltaspike.cdictrl:deltaspike-cdictrl-weld:jar:1.7.0:runtime, org.zanata:zanata-adapter-xliff:jar:4.7.0-SNAPSHOT:compile, org.jboss.spec.javax.xml.bind:jboss-jaxb-api_2.2_spec:jar:1.0.4.Final:provided, org.zanata:zanata-model:jar:4.7.0-SNAPSHOT:compile, com.beust:jcommander:jar:1.27:provided, org.jboss.arquillian.testenricher:arquillian-testenricher-initialcontext:jar:1.1.11.Final:test, mysql:mysql-connector-java:jar:5.1.26:test, commons-digester:commons-digester:jar:1.8.1:compile, commons-collections:commons-collections:jar:3.2.2:compile, org.fusesource.restygwt:restygwt:jar:2.2.0:compile, org.jboss.weld:weld-spi:jar:2.3.Final:provided, org.slf4j:slf4j-api:jar:1.7.25:provided, net.customware.gwt.dispatch:gwt-dispatch:jar:1.0.0:compile, org.jboss.remoting:jboss-remoting:jar:4.0.18.Final:test, net.sf.okapi.filters:okapi-filter-ts:jar:0.29:compile, org.jboss.arquillian.test:arquillian-test-impl-base:jar:1.1.11.Final:test, net.sf.okapi.filters:okapi-filter-abstractmarkup:jar:0.29:compile, javax.servlet.jsp:jsp-api:jar:2.2:provided, org.eclipse.aether:aether-spi:jar:1.1.0:test, com.jamonapi:jamon:jar:2.75:test, org.jboss.resteasy:resteasy-servlet-initializer:jar:3.0.26.Final:compile, bouncycastle:bcmail-jdk14:jar:138:runtime, com.graphql-java:java-dataloader:jar:2.0.2:compile, org.apache.deltaspike.core:deltaspike-core-api:jar:1.7.0:compile, org.apache.velocity:velocity:jar:1.7:compile, com.allen-sauer.gwt.log:gwt-log:jar:3.2.1:compile, org.zanata:zanata-adapter-po:jar:4.7.0-SNAPSHOT:compile, com.nhaarman:mockito-kotlin:jar:1.5.0:test, com.fasterxml.jackson.core:jackson-core:jar:2.9.5:compile, org.jboss.resteasy:resteasy-jaxrs:jar:3.0.26.Final:compile, 
org.jboss.spec.javax.el:jboss-el-api_3.0_spec:jar:1.0.4.Final:provided, org.w3c.css:sac:jar:1.3:compile, net.jodah:concurrentunit:jar:0.4.1:test, org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-impl-maven:jar:2.2.4:test, net.sf.okapi.filters:okapi-filter-idml:jar:0.29:compile, org.wildfly.core:wildfly-version:jar:2.0.10.Final:test, aopalliance:aopalliance:jar:1.0:compile, org.jetbrains.kotlin:kotlin-test-junit:jar:1.2.50:test, commons-validator:commons-validator:jar:1.6:compile, org.wildfly.core:wildfly-launcher:jar:2.0.10.Final:test, org.eclipse.aether:aether-api:jar:1.1.0:test, org.jboss.arquillian.test:arquillian-test-spi:jar:1.1.13.Final:test, org.jboss.arquillian.protocol:arquillian-protocol-servlet:jar:1.1.13.Final:test, org.hibernate.common:hibernate-commons-annotations:jar:5.0.1.Final:provided, org.hibernate:hibernate-search-engine:jar:5.5.1.Final:compile, org.liquibase:liquibase-core:jar:3.4.2:compile, net.wuerl.kotlin:assertj-core-kotlin:jar:0.2.1:test, org.apache.deltaspike.modules:deltaspike-jsf-module-impl:jar:1.7.0:runtime, org.webjars:crossroads.js:jar:0.12.0-1:compile, org.hibernate:hibernate-testing:jar:5.0.7.Final:test, org.wildfly.core:wildfly-process-controller:jar:2.0.10.Final:test, org.apache.oltu.oauth2:org.apache.oltu.oauth2.resourceserver:jar:1.0.1:compile, org.jboss.arquillian.container:arquillian-container-spi:jar:1.1.13.Final:test, org.jboss.resteasy:resteasy-multipart-provider:jar:3.0.26.Final:compile, org.hibernate:hibernate-entitymanager:jar:5.0.7.Final:provided, org.apache.maven:maven-artifact:jar:3.5.0:compile, org.javassist:javassist:jar:3.21.0-GA:provided, org.antlr:antlr4-runtime:jar:4.7.1:compile, org.wildfly.core:wildfly-protocol:jar:2.0.10.Final:test, org.jsoup:jsoup:jar:1.7.2:test, org.wildfly.core:wildfly-jmx:jar:2.0.10.Final:test, com.google.inject:guice:jar:3.0:compile, org.wildfly.core:wildfly-network:jar:2.0.10.Final:test, org.picketbox:picketbox-commons:jar:1.0.0.final:provided, 
org.jboss.weld:weld-api:jar:2.3.Final:provided, org.codehaus.plexus:plexus-utils:jar:3.0.24:test, com.nhaarman:mockito-kotlin-kt1.1:jar:1.5.0:test, com.experlog:xapool:jar:1.5.0:test, org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile, org.jboss.arquillian.core:arquillian-core-spi:jar:1.1.13.Final:test, javax.validation:validation-api:jar:1.1.0.Final:provided, org.jboss.arquillian.config:arquillian-config-impl-base:jar:1.1.11.Final:test, org.sonatype.plexus:plexus-cipher:jar:1.4:test, org.hibernate:hibernate-core:jar:5.0.7.Final:provided, org.jboss.byteman:byteman:jar:2.1.2:test, org.jboss.spec.javax.servlet:jboss-servlet-api_3.1_spec:jar:1.0.0.Final:provided, org.jetbrains.kotlin:kotlin-stdlib:jar:1.2.50:compile, com.webcohesion.enunciate:enunciate-core-annotations:jar:2.9.1:compile, org.wildfly.core:wildfly-domain-http-interface:jar:2.0.10.Final:test, org.jboss.xnio:xnio-api:jar:3.3.4.Final:provided, net.sf.okapi.filters:okapi-filter-html:jar:0.29:compile, net.sf.okapi.filters:okapi-filter-json:jar:0.29:compile, org.apache.deltaspike.modules:deltaspike-proxy-module-impl-asm5:jar:1.7.0:runtime, org.apache.maven.shared:maven-dependency-analyzer:jar:1.7:test, org.jboss:jboss-dmr:jar:1.3.0.Final:test, classworlds:classworlds:jar:1.1-alpha-2:test, org.jboss.shrinkwrap:shrinkwrap-impl-base:jar:1.2.6:test, xerces:xercesImpl:jar:2.11.0.SP5:compile, javax.enterprise:cdi-api:jar:1.2:provided, org.eclipse.aether:aether-impl:jar:1.1.0:test, commons-codec:commons-codec:jar:1.10:compile, org.jodah:typetools:jar:0.3.0:test, org.apache.deltaspike.modules:deltaspike-jsf-module-api:jar:1.7.0:compile, org.jboss.byteman:byteman-bmunit:jar:2.1.2:test, org.apache.maven:maven-settings-builder:jar:3.5.0:test, com.fasterxml.jackson.core:jackson-annotations:jar:2.9.5:compile, io.undertow:undertow-core:jar:1.3.33.Final:provided, org.objenesis:objenesis:jar:2.5:test, javax.inject:javax.inject:jar:1:provided, com.fasterxml.jackson.core:jackson-annotations:jar:sources:2.7.2:compile, 
de.novanic.gwteventservice:eventservice:jar:1.2.1:compile, de.novanic.gwteventservice:gwteventservice:jar:1.2.1:provided, org.picketbox:picketbox:jar:4.9.4.Final:provided, org.mockito:mockito-core:jar:2.8.9:test, javax.xml.stream:stax-api:jar:1.0-2:provided, org.apache.maven:maven-settings:jar:3.5.0:test, org.codehaus.jackson:jackson-xc:jar:1.9.13:compile, org.jboss:jboss-vfs:jar:3.2.11.Final:test, com.github.huangp:entityunit:jar:0.4:test, org.reflections:reflections:jar:0.9.11:compile, org.richfaces:richfaces-a4j:jar:4.5.17.Final:compile, com.github.nmorel.gwtjackson:gwt-jackson:jar:0.12.0:compile, org.slf4j:jul-to-slf4j:jar:1.7.25:provided, org.jboss.logging:jboss-logging:jar:3.3.0.Final:provided, org.jetbrains:annotations:jar:13.0:compile, com.io7m.xom:xom:jar:1.2.10:compile, org.ow2.asm:asm-tree:jar:6.0:compile, org.wildfly.core:wildfly-controller:jar:2.0.10.Final:test, org.jvnet.mock-javamail:mock-javamail:jar:1.9:test, org.jboss.arquillian.config:arquillian-config-api:jar:1.1.13.Final:test, org.jboss.spec.javax.interceptor:jboss-interceptors-api_1.2_spec:jar:1.0.0.Final:provided, net.customware.gwt.presenter:gwt-presenter:jar:1.1.1:provided, org.hibernate:hibernate-validator:jar:5.2.4.Final:provided, org.hamcrest:hamcrest-library:jar:1.3:test, org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile, org.zanata:gwt-editor:war:4.7.0-SNAPSHOT:provided, org.zanata:gwt-editor:jar:classes:4.7.0-SNAPSHOT:compile, com.google.gwt.gwtmockito:gwtmockito:jar:1.1.2:test, org.jboss.logmanager:jboss-logmanager:jar:2.0.3.Final:test, com.h2database:h2:jar:1.4.192:provided, org.codehaus.enunciate:enunciate-core-annotations:jar:1.27:test, org.jboss.classfilewriter:jboss-classfilewriter:jar:1.1.2.Final:provided, org.assertj:assertj-core:jar:3.8.0:test, com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.8.11:compile, org.codehaus.plexus:plexus-component-annotations:jar:1.7.1:test, net.bytebuddy:byte-buddy-agent:jar:1.6.14:test, 
org.slf4j:jcl-over-slf4j:jar:1.7.25:compile, org.jboss.jbossts:jbossjta:jar:4.16.4.Final:test, org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-api-base:jar:2.0.0:test, com.tngtech.java:junit-dataprovider:jar:1.10.2:test, org.hamcrest:hamcrest-core:jar:1.3:test, org.apache.maven:maven-model-builder:jar:3.5.0:test, com.github.wnameless:json-flattener:jar:0.5.0:compile, org.wildfly.core:wildfly-controller-client:jar:2.0.10.Final:test, net.sf.okapi.lib:okapi-lib-extra:jar:0.29:compile, io.leangen.geantyref:geantyref:jar:1.3.4:compile, org.apache.lucene:lucene-sandbox:jar:5.3.1:compile, org.jboss.security:jboss-negotiation-common:jar:3.0.0.Final:provided, org.hibernate:hibernate-validator-cdi:jar:5.2.4.Final:provided, org.infinispan:infinispan-lucene-directory:jar:8.1.0.Final:provided, org.apache.maven:maven-model:jar:3.5.0:test, net.sourceforge.nekohtml:nekohtml:jar:1.9.10:compile, org.jboss.arquillian.container:arquillian-container-test-impl-base:jar:1.1.13.Final:test, org.apache.httpcomponents:httpclient:jar:4.5.1:compile, com.google.inject.extensions:guice-assistedinject:jar:3.0-rc2:provided, org.jboss.threads:jboss-threads:jar:2.2.1.Final:test, org.jboss:jandex:jar:2.0.1.Final:test, org.jboss.msc:jboss-msc:jar:1.2.6.Final:test, org.ow2.asm:asm:jar:6.0:compile, org.zanata:zanata-common-util:jar:4.7.0-SNAPSHOT:compile, org.apache.lucene:lucene-queryparser:jar:5.3.1:compile, com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.3:compile, org.jboss.weld.probe:weld-probe-core:jar:2.3.2.Final:provided, org.jboss.sasl:jboss-sasl:jar:1.0.5.Final:test, commons-io:commons-io:jar:2.5:compile, com.sun.jersey:jersey-core:jar:1.19:test, org.codehaus.plexus:plexus-interpolation:jar:1.24:test, org.jboss.arquillian.container:arquillian-container-test-spi:jar:1.1.11.Final:test, org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:test, com.google.j2objc:j2objc-annotations:jar:1.1:compile, org.infinispan:infinispan-core:jar:8.1.0.Final:provided, 
org.jboss.byteman:byteman-submit:jar:2.1.2:test, org.apache.deltaspike.modules:deltaspike-scheduler-module-api:jar:1.7.0:compile, org.jetbrains.kotlin:kotlin-test-common:jar:1.2.50:test, org.webjars:js-signals:jar:1.0.0:compile, net.bull.javamelody:javamelody-core:jar:1.72.0:compile, org.wildfly.common:wildfly-common:jar:1.1.0.Final:test, org.jrobin:jrobin:jar:1.5.9:compile, org.richfaces:richfaces-core:jar:4.5.17.Final:compile, net.sourceforge.cssparser:cssparser:jar:0.9.18:compile, org.apache.maven:maven-artifact-manager:jar:2.0.5:test, org.zanata:services:jar:4.7.0-SNAPSHOT:compile, org.ocpsoft.rewrite:rewrite-servlet:jar:3.4.2.Final:compile, org.apache.maven:maven-project:jar:2.0.5:test, net.sourceforge.openutils:openutils-log4j:jar:2.0.5:compile, de.novanic.gwteventservice:eventservice-rpc:jar:1.2.1:compile, org.concordion:concordion:jar:1.4.2:test, org.zanata:zanata-adapter-properties:jar:4.7.0-SNAPSHOT:compile, org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-api:jar:2.2.4:test, bouncycastle:bcprov-jdk14:jar:138:runtime, org.zanata:zanata-common-api:jar:4.7.0-SNAPSHOT:compile, net.sf.okapi.steps:okapi-step-tokenization:jar:0.29:compile, io.leangen.graphql:spqr:jar:0.9.7:compile, org.jetbrains.kotlin:kotlin-reflect:jar:1.2.50:compile, org.apache.deltaspike.core:deltaspike-core-impl:jar:1.7.0:runtime, org.codehaus.woodstox:stax2-api:jar:3.1.4:compile, org.apache.commons:commons-text:jar:1.4:compile, org.apache.maven:maven-aether-provider:jar:3.3.9:test, junit:junit:jar:4.12:test, org.jetbrains.kotlinx:kotlinx-html-jvm:jar:0.6.9:compile, io.javaslang:javaslang-match:jar:2.0.6:compile, com.google.guava:guava:jar:23.5-jre:compile, org.jboss.spec.javax.transaction:jboss-transaction-api_1.2_spec:jar:1.0.0.Final:provided, org.webjars.bower:google-caja:jar:5669.0.0:compile, com.eclipsesource.minimal-json:minimal-json:jar:0.9.5:compile, org.wildfly.arquillian:wildfly-arquillian-protocol-jmx:jar:2.0.0.Final:test, org.jboss.shrinkwrap:shrinkwrap-api:jar:1.2.6:test, 
com.fasterxml:classmate:jar:1.3.3:provided, net.sf.okapi.steps:okapi-step-common:jar:0.29:compile, org.apache.lucene:lucene-facet:jar:5.3.1:compile, org.jboss.arquillian.container:arquillian-container-test-api:jar:1.1.13.Final:test] artifacts
[INFO] Exclude coordinates: []
[INFO] Exclude vulnerability identifiers: [70e781a0-a997-496b-ac71-83fba7b70b3f, dc429308-45ef-47ae-b8f6-b6dd1eef150f, f5b16237-266e-453c-9104-47292a89c672, 1610dd6a-dffe-47a9-85b1-41ed61d2d678, 74cddd35-3e8e-4460-bb8f-03eef3b4d382, c2774909-55bf-4aac-b946-92f234227a25]
[INFO] CVSS-score threshold: 0.0
[WARNING] Failed to fetch component-reports
org.sonatype.ossindex.service.client.transport.Transport$TransportException: Unexpected response; status: HTTP/1.1 429 Too many requests
    at org.sonatype.ossindex.service.client.transport.HttpClientTransport.post (HttpClientTransport.java:98)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.doRequestComponentReports (OssindexClientImpl.java:163)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports (OssindexClientImpl.java:139)
    at org.sonatype.ossindex.maven.common.ComponentReportAssistant.request (ComponentReportAssistant.java:80)
    at org.sonatype.ossindex.maven.plugin.AuditMojo.execute (AuditMojo.java:232)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:208)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:154)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:146)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at io.takari.maven.builder.smart.SmartBuilderImpl.buildProject (SmartBuilderImpl.java:205)
    at io.takari.maven.builder.smart.SmartBuilderImpl$ProjectBuildTask.run (SmartBuilderImpl.java:77)
    at java.util.concurrent.Executors$RunnableAdapter.call (Executors.java:511)
    at java.util.concurrent.FutureTask.run (FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
    at java.lang.Thread.run (Thread.java:748)
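The two points in this report, a 429 from one large or parallel audit and the fact that the failure is only a warning, are shown here as an added example that is not the plugin's or the OSS Index client's own code. It batches coordinates, retries a 429 with exponential back-off (honouring a Retry-After value when the server sends one) and offers a fail-on-error switch. The batch size, delays and the fake transport are assumptions and constructed stand-ins, not OSS Index's published limits.

```python
"""Batching plus 429 back-off for component-report requests (illustrative)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Tuple


class TransportError(Exception):
    """Raised when a batch cannot be fetched even after retries."""


@dataclass
class Response:
    status: int
    body: List[dict] = field(default_factory=list)
    retry_after: Optional[float] = None   # seconds, from a Retry-After header


def chunked(items: List[str], size: int) -> Iterable[List[str]]:
    for i in range(0, len(items), size):
        yield items[i:i + size]


def fetch_with_backoff(transport: Callable[[List[str]], Response], batch: List[str],
                       max_attempts: int = 5, base_delay: float = 1.0,
                       max_delay: float = 30.0,
                       sleep: Optional[Callable[[float], None]] = None) -> List[dict]:
    """Retry a 429 with exponential back-off; any other non-200 fails at once."""
    sleep = sleep or time.sleep
    delay = base_delay
    for attempt in range(1, max_attempts + 1):
        resp = transport(batch)
        if resp.status == 200:
            return resp.body
        if resp.status != 429 or attempt == max_attempts:
            raise TransportError(f"status {resp.status} after {attempt} attempt(s)")
        sleep(resp.retry_after if resp.retry_after is not None else delay)
        delay = min(delay * 2, max_delay)
    raise TransportError("no attempts made")


def audit(coords: List[str], transport: Callable[[List[str]], Response],
          batch_size: int = 128, fail_on_error: bool = False,
          sleep: Optional[Callable[[float], None]] = None) -> Tuple[List[dict], List[str]]:
    """Audit in batches; returns (reports, warnings). With fail_on_error=True a
    batch that cannot be fetched aborts the audit instead of being skipped
    with a warning, which is the option the report asks for."""
    reports, warnings = [], []
    for batch in chunked(coords, batch_size):
        try:
            reports.extend(fetch_with_backoff(transport, batch, sleep=sleep))
        except TransportError as e:
            msg = f"Failed to fetch component-reports for {len(batch)} coordinates: {e}"
            if fail_on_error:
                raise TransportError(msg) from e
            warnings.append(msg)
    return reports, warnings


class FlakyTransport:
    """Constructed stand-in for the HTTP client: answers 429 to the first
    `fail_first` calls, then returns an empty report per coordinate."""
    def __init__(self, fail_first: int, retry_after: Optional[float] = None):
        self.fail_first, self.retry_after, self.calls = fail_first, retry_after, 0

    def __call__(self, batch: List[str]) -> Response:
        self.calls += 1
        if self.calls <= self.fail_first:
            return Response(429, retry_after=self.retry_after)
        return Response(200, [{"coordinates": c, "vulnerabilities": []} for c in batch])


# Constructed sample coordinates (not real artifacts)
SAMPLE_COORDS = [f"pkg:maven/org.example/lib{i}@1.{i}.0" for i in range(5)]

if __name__ == "__main__":
    waits: List[float] = []
    reports, warnings = audit(SAMPLE_COORDS, FlakyTransport(fail_first=2),
                              batch_size=2, sleep=waits.append)
    print(len(reports), "reports; warnings:", warnings, "; waited:", waits)
```

With parallel module builds the back-off only helps if each thread applies it; a shared, process-wide client with one request queue is the more robust fix, since independent threads still add up to the same burst against the service.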

threading issue?

Is this a thread-safety issue with v3.2.0 of org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies?

java.nio.channels.OverlappingFileLockException
    at sun.nio.ch.SharedFileLockTable.checkList (FileLockTable.java:255)
    at sun.nio.ch.SharedFileLockTable.add (FileLockTable.java:152)
    at sun.nio.ch.FileChannelImpl.lock (FileChannelImpl.java:1062)
    at org.sonatype.ossindex.service.client.util.FileLocker.lock (FileLocker.java:59)
    at org.sonatype.ossindex.service.client.util.FileLocker.writeLock (FileLocker.java:88)
    at org.sonatype.ossindex.service.client.cache.DirectoryCache.storeEntry (DirectoryCache.java:247)
    at org.sonatype.ossindex.service.client.cache.DirectoryCache.putAll (DirectoryCache.java:136)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports (OssindexClientImpl.java:171)
    at org.sonatype.ossindex.maven.common.ComponentReportAssistant.request (ComponentReportAssistant.java:86)
    at org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies$Task.run (BanVulnerableDependencies.java:222)
    at org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies.execute (BanVulnerableDependencies.java:144)
    at org.apache.maven.plugins.enforcer.EnforceMojo.execute (EnforceMojo.java:200)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.builder.multithreaded.MultiThreadedBuilder$1.call (MultiThreadedBuilder.java:196)
    at org.apache.maven.lifecycle.internal.builder.multithreaded.MultiThreadedBuilder$1.call (MultiThreadedBuilder.java:186)
    at java.util.concurrent.FutureTask.run (FutureTask.java:266)
    at java.util.concurrent.Executors$RunnableAdapter.call (Executors.java:511)                                                                                                                                    
    at java.util.concurrent.FutureTask.run (FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
    at java.lang.Thread.run (Thread.java:748)

then I got a lot of these

[WARNING] Failed to fetch component-reports
org.sonatype.ossindex.service.client.transport.Transport$TransportException: Unexpected response; status: HTTP/1.1 429 Too Many Requests
    at org.sonatype.ossindex.service.client.transport.HttpClientTransport.post (HttpClientTransport.java:102)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.doRequestComponentReports (OssindexClientImpl.java:204)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports (OssindexClientImpl.java:170)
    at org.sonatype.ossindex.maven.common.ComponentReportAssistant.request (ComponentReportAssistant.java:86)
    at org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies$Task.run (BanVulnerableDependencies.java:222)
    at org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies.execute (BanVulnerableDependencies.java:144)
    at org.apache.maven.plugins.enforcer.EnforceMojo.execute (EnforceMojo.java:200)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.builder.multithreaded.MultiThreadedBuilder$1.call (MultiThreadedBuilder.java:196)
    at org.apache.maven.lifecycle.internal.builder.multithreaded.MultiThreadedBuilder$1.call (MultiThreadedBuilder.java:186)
    at java.util.concurrent.FutureTask.run (FutureTask.java:266)
    at java.util.concurrent.Executors$RunnableAdapter.call (Executors.java:511)
    at java.util.concurrent.FutureTask.run (FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:624)
    at java.lang.Thread.run (Thread.java:748)

Plugin requires JAXB classes for JDK11+

On JDK11, when the reportFile is set to an xml e.g. ossindex-audit.xml the JAXB classes are required and not found:

Execution default-cli of goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit-aggregate failed: A required class was missing while executing org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit-aggregate: javax/xml/bind/JAXBContext

Does not work with version 3.0.0 of maven-enforcer-plugin

The plugin breaks with

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce (verify-enforcer-rules) on project spring-recipes: Unable to parse configuration of mojo org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce for parameter banVulnerable: Cannot create instance of class org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies: com/google/common/cache/CacheBuilderSpec: com.google.common.cache.CacheBuilderSpec -> [Help 1]

when upgrading maven-enforcer-plugin to the latest version (3.0.0). Works fine again if you downgrade to the previous milestone release (3.0.0-M3).

POM contents to reproduce:

<project xmlns="http://maven.apache.org/POM/4.0.0"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<groupId>org.example</groupId>
	<artifactId>spring-recipes</artifactId>
	<version>0.0.1-SNAPSHOT</version>
	<packaging>pom</packaging>

	<build>

		<plugins>
			<plugin>
				<groupId>org.apache.maven.plugins</groupId>
				<artifactId>maven-enforcer-plugin</artifactId>
				<!-- 3.0.0 currently breaks ossindex-maven-enforcer-rules -->
				<version>3.0.0</version>
				<dependencies>
					<dependency>
						<groupId>org.sonatype.ossindex.maven</groupId>
						<artifactId>ossindex-maven-enforcer-rules</artifactId>
						<version>3.0.0</version>
					</dependency>
				</dependencies>
				<configuration>
					<rules>
						<banVulnerable
							implementation="org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies" />
					</rules>
					<failFast>true</failFast>
				</configuration>
				<executions>
					<execution>
						<id>verify-enforcer-rules</id>
						<goals>
							<goal>enforce</goal>
						</goals>
					</execution>
				</executions>
			</plugin>

		</plugins>

	</build>

</project>

Reproduce by putting the above into an XML file, and run:

$ mvn --file ossindex-breaks-with-enforcer-3.0.0.xml verify

My Maven and Java versions are

 $ mvn --version
Apache Maven 3.8.1 (05c21c65bdfed0f71a2f2ada8b84da59348c4c5d)
Maven home: C:\Users\svejk\programs\apache\apache-maven-3.8.1
Java version: 16, vendor: AdoptOpenJDK, runtime: C:\Users\svejk\programs\java\jdk-16+36
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 10", version: "10.0", arch: "amd64", family: "windows"
$

Enable to audit at the end

Goal is to go through all the modules, store in the maven session the dependencies, and when the last module is hit call the server to audit all the dependencies at once, then just report the found issues.

This should solve the HTTP 429 issue for large projects and make the analysis even faster.

How to configure ossindex-maven to use a proxy ?

I tried

    <plugin>
      <groupId>org.sonatype.ossindex.maven</groupId>
      <artifactId>ossindex-maven-plugin</artifactId>
      <configuration>
        <clientConfiguration>
          <proxy>
            <host>localhost</host>
            <port>8080</port>
          </proxy>
        </clientConfiguration>
      </configuration>
      <executions>
        <execution>
          <id>audit-dependencies</id>
          <phase>validate</phase>
          <goals>
            <goal>audit</goal>
          </goals>
        </execution>
      </executions>
    </plugin>

=>
Unable to parse configuration of mojo org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit for parameter proxy: Cannot find 'proxy' in class org.sonatype.ossindex.service.client.OssindexClientConfiguration

Failed build with multi module build which contains a tests jar dependency

I faced a problem while using a test jar dependency which results in ossindex-maven-plugin failing like the following:

[INFO] [jenkins-event-spy] Generated /var/jenkins_home/workspace/XXXX-401@2@tmp/withMavene5eaed4f/maven-spy-20190508-144513-59315409483963051943433.log
[ERROR] Failed to execute goal on project module: Could not resolve dependencies for project de.xyz:jar:12.2.0.3-SNAPSHOT: Could not find artifact module-y:jar:tests:12.2.0.3-SNAPSHOT in nexus

I'm calling ossindex-maven-plugin like this:

mvn clean package ossindex:audit

It looks like the plugin is not correctly resolving the artifacts or not correctly being integrated into the life cycle. This build was run on JDK 11+ and Maven 3.6.1 and ossindex-maven-plugin version 3.0.4.

If you use

mvn clean deploy ossindex:audit

This issue does not occur. This is related to the installation of the artifacts during the build.

If you need more detailed information please ping me...

The README.md says ossindex-maven requires Maven 3.3+ but the pom.xml says otherwise

As stated in the title, there seems to be a conflict between the README.md and the pom.xml files.

Did you set the apache-maven.version property value to 3.5.2 on purpose in the pom.xml file?

<apache-maven.version>3.5.2</apache-maven.version>

It looks like it's preventing me from using ossindex-maven-plugin in a project with Maven 3.3.9 (which should be enough according to the readme).

Here's the kind of error I'm facing while using Maven 3.3.9:

1) Error injecting: private org.eclipse.aether.spi.log.Logger org.apache.maven.repository.internal.DefaultVersionRangeResolver.logger
  while locating org.apache.maven.repository.internal.DefaultVersionRangeResolver
  while locating java.lang.Object annotated with *
  at org.eclipse.sisu.wire.LocatorWiring
  while locating org.eclipse.aether.impl.VersionRangeResolver
    for parameter 2 at org.eclipse.aether.internal.impl.DefaultDependencyCollector.<init>(Unknown Source)
  while locating org.eclipse.aether.internal.impl.DefaultDependencyCollector
  while locating java.lang.Object annotated with *
  at org.eclipse.sisu.wire.LocatorWiring
  while locating org.eclipse.aether.impl.DependencyCollector
    for parameter 5 at org.eclipse.aether.internal.impl.DefaultRepositorySystem.<init>(Unknown Source)
  while locating org.eclipse.aether.internal.impl.DefaultRepositorySystem
  while locating java.lang.Object annotated with *
  while locating org.apache.maven.artifact.installer.DefaultArtifactInstaller
Caused by: java.lang.IllegalArgumentException: Can not set org.eclipse.aether.spi.log.Logger field org.apache.maven.repository.internal.DefaultVersionRangeResolver.logger to org.eclipse.aether.internal.impl.slf4j.Slf4jLoggerFactory
	at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
	at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
	at sun.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81)
	at java.lang.reflect.Field.set(Field.java:764)
	at org.eclipse.sisu.bean.BeanPropertyField.set(BeanPropertyField.java:72)
	at org.eclipse.sisu.plexus.ProvidedPropertyBinding.injectProperty(ProvidedPropertyBinding.java:48)
	at org.eclipse.sisu.bean.BeanInjector.injectMembers(BeanInjector.java:52)
	at com.google.inject.internal.MembersInjectorImpl.injectMembers(MembersInjectorImpl.java:140)
	at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
	at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:32)
	at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:89)
	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:115)
	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:133)
	at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:68)
	at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:87)
	at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
	at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:56)
	at com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016)
	at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
	at com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012)
	at org.eclipse.sisu.inject.Guice4$1.get(Guice4.java:162)
	at org.eclipse.sisu.inject.LazyBeanEntry.getValue(LazyBeanEntry.java:81)
	at org.eclipse.sisu.wire.BeanProviders.firstOf(BeanProviders.java:179)
	at org.eclipse.sisu.wire.BeanProviders$7.get(BeanProviders.java:160)
	at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:81)
	at com.google.inject.internal.InternalFactoryToInitializableAdapter.provision(InternalFactoryToInitializableAdapter.java:53)
	at com.google.inject.internal.ProviderInternalFactory$1.call(ProviderInternalFactory.java:65)
	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:115)
	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:133)
	at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:68)
	at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:63)
	at com.google.inject.internal.InternalFactoryToInitializableAdapter.get(InternalFactoryToInitializableAdapter.java:45)
	at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38)
	at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62)
	at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104)
	at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:32)
	at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:89)
	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:115)
	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:133)
	at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:68)
	at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:87)
	at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
	at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:56)
	at com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016)
	at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1092)
	at com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012)
	at org.eclipse.sisu.inject.Guice4$1.get(Guice4.java:162)
	at org.eclipse.sisu.inject.LazyBeanEntry.getValue(LazyBeanEntry.java:81)
	at org.eclipse.sisu.wire.BeanProviders.firstOf(BeanProviders.java:179)
	at org.eclipse.sisu.wire.BeanProviders$7.get(BeanProviders.java:160)
	at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:81)
	at com.google.inject.internal.InternalFactoryToInitializableAdapter.provision(InternalFactoryToInitializableAdapter.java:53)
	at com.google.inject.internal.ProviderInternalFactory$1.call(ProviderInternalFactory.java:65)
	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:115)
	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:133)
	at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:68)
	at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:63)
	at com.google.inject.internal.InternalFactoryToInitializableAdapter.get(InternalFactoryToInitializableAdapter.java:45)
	at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38)
	at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62)
	at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104)
	at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:32)
	at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:89)
	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:115)
	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:133)
	at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:68)
	at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:87)
	at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
	at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:56)
	at com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016)
	at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
	at com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012)
	at org.eclipse.sisu.inject.Guice4$1.get(Guice4.java:162)
	at org.eclipse.sisu.inject.LazyBeanEntry.getValue(LazyBeanEntry.java:81)
	at org.eclipse.sisu.plexus.LazyPlexusBean.getValue(LazyPlexusBean.java:51)
	at org.eclipse.sisu.plexus.PlexusRequirements$RequirementProvider.get(PlexusRequirements.java:250)
	at org.eclipse.sisu.plexus.ProvidedPropertyBinding.injectProperty(ProvidedPropertyBinding.java:48)
	at org.eclipse.sisu.bean.BeanInjector.injectMembers(BeanInjector.java:52)
	at com.google.inject.internal.MembersInjectorImpl.injectMembers(MembersInjectorImpl.java:140)
	at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
	at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:32)
	at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:89)
	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:115)
	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:133)
	at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:68)
	at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:87)
	at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
	at com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016)
	at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
	at com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012)
	at com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:1051)
	at org.eclipse.sisu.space.AbstractDeferredClass.get(AbstractDeferredClass.java:48)
	at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:81)
	at com.google.inject.internal.InternalFactoryToInitializableAdapter.provision(InternalFactoryToInitializableAdapter.java:53)
	at com.google.inject.internal.ProviderInternalFactory$1.call(ProviderInternalFactory.java:65)
	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:115)
	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:133)
	at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:68)
	at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:63)
	at com.google.inject.internal.InternalFactoryToInitializableAdapter.get(InternalFactoryToInitializableAdapter.java:45)
	at com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46)
	at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
	at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
	at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145)
	at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41)
	at com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016)
	at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1092)
	at com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012)
	at org.eclipse.sisu.inject.LazyBeanEntry.getValue(LazyBeanEntry.java:81)
	at org.eclipse.sisu.plexus.LazyPlexusBean.getValue(LazyPlexusBean.java:51)
	at org.eclipse.sisu.plexus.PlexusRequirements$RequirementProvider.get(PlexusRequirements.java:250)
	at org.eclipse.sisu.plexus.ProvidedPropertyBinding.injectProperty(ProvidedPropertyBinding.java:48)
	at org.eclipse.sisu.bean.BeanInjector.injectMembers(BeanInjector.java:52)
	at com.google.inject.internal.MembersInjectorImpl.injectMembers(MembersInjectorImpl.java:140)
	at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
	at com.google.inject.internal.ConstructorInjector.access$000(ConstructorInjector.java:32)
	at com.google.inject.internal.ConstructorInjector$1.call(ConstructorInjector.java:89)
	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:115)
	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:133)
	at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:68)
	at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:87)
	at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
	at com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016)
	at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
	at com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012)
	at com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:1051)
	at org.eclipse.sisu.space.AbstractDeferredClass.get(AbstractDeferredClass.java:48)
	at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:81)
	at com.google.inject.internal.InternalFactoryToInitializableAdapter.provision(InternalFactoryToInitializableAdapter.java:53)
	at com.google.inject.internal.ProviderInternalFactory$1.call(ProviderInternalFactory.java:65)
	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:115)
	at org.eclipse.sisu.bean.BeanScheduler$Activator.onProvision(BeanScheduler.java:176)
	at com.google.inject.internal.ProvisionListenerStackCallback$Provision.provision(ProvisionListenerStackCallback.java:126)
	at com.google.inject.internal.ProvisionListenerStackCallback.provision(ProvisionListenerStackCallback.java:68)
	at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:63)
	at com.google.inject.internal.InternalFactoryToInitializableAdapter.get(InternalFactoryToInitializableAdapter.java:45)
	at com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016)
	at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1092)
	at com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012)
	at org.eclipse.sisu.inject.Guice4$1.get(Guice4.java:162)
	at org.eclipse.sisu.inject.LazyBeanEntry.getValue(LazyBeanEntry.java:81)
	at org.eclipse.sisu.plexus.LazyPlexusBean.getValue(LazyPlexusBean.java:51)
	at org.codehaus.plexus.DefaultPlexusContainer.lookup(DefaultPlexusContainer.java:263)
	at org.codehaus.plexus.DefaultPlexusContainer.lookup(DefaultPlexusContainer.java:255)
	at org.apache.maven.plugin.internal.DefaultMavenPluginManager.getConfiguredMojo(DefaultMavenPluginManager.java:517)
	at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:121)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:207)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
	at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
	at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:307)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:193)
	at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:106)
	at org.apache.maven.cli.MavenCli.execute(MavenCli.java:863)
	at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:288)
	at org.apache.maven.cli.MavenCli.main(MavenCli.java:199)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
	at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
	at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)

[DepShield] (CVSS 7.5) Vulnerability due to usage of com.fasterxml.jackson.core:jackson-databind:2.9.8

Vulnerabilities

DepShield reports that this application's usage of com.fasterxml.jackson.core:jackson-databind:2.9.8 results in the following vulnerability(s):


Occurrences

com.fasterxml.jackson.core:jackson-databind:2.9.8 is a transitive dependency introduced by the following direct dependency(s):

com.fasterxml.jackson.core:jackson-databind:2.9.8

org.sonatype.ossindex.maven:ossindex-maven-plugin:3.0.5-SNAPSHOT
        └─ com.fasterxml.jackson.core:jackson-databind:2.9.8

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

Unsupported proxy authentication?

Hi,

It seems that HTTP proxies are not properly supported when an authentication scheme is set (due to the httpclient impl -> org.apache.http.impl.client.ProxyClient#tunnel).

Long story short, it starts a CONNECT request UNCHALLENGED and expects a challenge but if the proxy only expects authenticated request it then fails and does not get any new chance to get authenticated.

Is it possible to at least force a basic Proxy-Authentication if it fails once (often a PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, because the HTTP proxy didn't play its role well since authentication was missing)?

Document relationship with OSSIndex/ossindex-maven-plugin

This plugin has the same name, and same apparent purpose, as https://github.com/OSSIndex/ossindex-maven-plugin. At first glance, they look to be completely independent projects, though I don't know that for sure.

This is doubly confusing because this one looks to be newer, but has version 1.0.0, whereas the other one is at 2.3.8. When googling, it is very easy to land on the other project on Maven Central (https://mvnrepository.com/artifact/net.ossindex/ossindex-maven-plugin/2.3.8)

Please document the relationship between the two projects -- which one people should be using and why, and clarify the name conflict.

Excludes artifacts by their group id

Hello,
I would like to be able to exclude all the artifacts from a groupId (or a set of groupId).
This feature is interesting because I would like to exclude all private packages from scanning, i.e. all the artifacts of my company.
So for example this could be something like:

<excludeGroupIds>com.mycompany</excludeGroupIds>

guava fail guava 31.1-jre, false positive?

We're using 3.2 and getting this fail:

[ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (audit-dependencies) on project tika-core: Detected 1 vulnerable components:
[ERROR] com.google.guava:guava:jar:31.1-jre:test; https://ossindex.sonatype.org/component/pkg:maven/com.google.guava/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[ERROR] * 1 vulnerability found (6.2); null

There is no known CVE for guava 31.1-jre. The website above mentions a MEDIUM vulnerability and tries to nudge me into subscribing, and says that "There are some breaking changes", which adds even more confusion.

quiet out-of-scope

When I specify the scope of the audit through cvssScoreThreshold/scope/transitive I don't want to hear about anything out-of-scope, but the enforcer rule logs a warning for each.

Please add a quiet property in the config to silence these.

False positive CVE in transitive dependency

Hey team,

I got a CVE report recently:

https://travis-ci.org/dadoonet/fscrawler/builds/509178482#L570

[ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.0.1:audit (audit-dependencies) on project fscrawler-test-framework: Detected 1 vulnerable components:
[ERROR]   org.slf4j:slf4j-api:jar:1.7.25:compile; https://ossindex.sonatype.org/component/pkg:maven/org.slf4j/[email protected]
[ERROR]     * [CVE-2018-8088]  Deserialization of Untrusted Data (9.8); https://ossindex.sonatype.org/vuln/d33d3123-eac8-43d1-a5b1-4ebb82c88b77

The thing is that this CVE is coming from a transitive dependency (slf4j-ext) which I don't have in my dependency tree and not from slf4j-api.

I'm not sure if this is the right place to report this though (aka is it a bug or a misdeclaration in your database of CVE-2018-8088)?

Thanks!

unexpected behavior on scope

Hi, I am trying to use -Dossindex.scope to filter the output, but I found the function behavior unexpected. So I made an example project which includes all scopes (except system and import).

com.sca.example:scope:jar:1.0
+- org.springframework:spring-web:jar:5.3.7:compile
|  +- org.springframework:spring-beans:jar:5.3.7:compile
|  \- org.springframework:spring-core:jar:5.3.7:compile
+- javax.servlet.jsp:jsp-api:jar:2.1:runtime
+- org.apache.servicemix.bundles:org.apache.servicemix.bundles.spring-core:jar:5.3.9_1:provided
|  \- org.springframework:spring-jcl:jar:5.3.9:compile
\- junit:junit:jar:3.8.1:test

I found that when I type the following command: mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -Dossindex.fail=false -Dossindex.reportFile=target/audit-report.json -Dossindex.scope=test
None of the components are filtered from the report. This is unexpected, because I think only "test" scope components should be left.

I did one more test, when I change the command to mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -Dossindex.fail=false -Dossindex.reportFile=target/audit-report.json -Dossindex.scope=compile
only the following components are included

    "org.springframework:spring-beans:jar:5.3.7:compile"
    "org.springframework:spring-web:jar:5.3.7:compile"
    "org.springframework:spring-core:jar:5.3.7:compile"
    "org.apache.servicemix.bundles:org.apache.servicemix.bundles.spring-core:jar:5.3.9_1:provided"
    "org.springframework:spring-jcl:jar:5.3.9:compile"

This is also not expected, because "provided" component is inside. Why is that? How does this function work? Did I do it wrong?
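The filtering reported above lines up with Maven's classpath-scope semantics (the compile classpath also contains provided and system artifacts; the test classpath contains every scope). The Python below is an added example, not code from the issue or from ossindex-maven; it assumes the plugin hands -Dossindex.scope to Maven's ScopeArtifactFilter (an assumption, not something the issue confirms) and uses the dependency tree from the issue as constructed input.

```python
# Added example (not from ossindex-maven). Models Maven's ScopeArtifactFilter
# classpath semantics so the two observations in the issue can be reproduced.
# Assumption: the plugin passes -Dossindex.scope straight to ScopeArtifactFilter.

# Filter scope -> artifact scopes that land on that classpath
# (mirrors org.apache.maven.artifact.resolver.filter.ScopeArtifactFilter).
CLASSPATH_SCOPES = {
    "compile": {"compile", "provided", "system"},
    "runtime": {"compile", "runtime"},
    "compile+runtime": {"compile", "provided", "system", "runtime"},
    "runtime+system": {"compile", "runtime", "system"},
    "test": {"compile", "provided", "system", "runtime", "test"},
}

# Constructed input: the `mvn dependency:tree` output quoted in the issue,
# flattened to one coordinate per line (scope is the last ':' field).
DEPENDENCY_TREE = """\
org.springframework:spring-web:jar:5.3.7:compile
org.springframework:spring-beans:jar:5.3.7:compile
org.springframework:spring-core:jar:5.3.7:compile
javax.servlet.jsp:jsp-api:jar:2.1:runtime
org.apache.servicemix.bundles:org.apache.servicemix.bundles.spring-core:jar:5.3.9_1:provided
org.springframework:spring-jcl:jar:5.3.9:compile
junit:junit:jar:3.8.1:test
"""


def parse_coordinates(tree_text):
    """Return (coordinate, scope) pairs for every non-empty line."""
    rows = []
    for line in tree_text.splitlines():
        line = line.strip()
        if line:
            rows.append((line, line.rsplit(":", 1)[1]))
    return rows


def audited_components(tree_text, scope):
    """Components the audit still queries for a given -Dossindex.scope value."""
    if scope not in CLASSPATH_SCOPES:
        raise ValueError(f"not a Maven classpath scope: {scope}")
    allowed = CLASSPATH_SCOPES[scope]
    return [coord for coord, s in parse_coordinates(tree_text) if s in allowed]


def dropped_components(tree_text, scope):
    """Components the scope filter removes before the OSS Index request."""
    kept = set(audited_components(tree_text, scope))
    return [coord for coord, _ in parse_coordinates(tree_text) if coord not in kept]


if __name__ == "__main__":
    for scope in ("test", "compile", "runtime"):
        print(f"-Dossindex.scope={scope} keeps:")
        for coord in audited_components(DEPENDENCY_TREE, scope):
            print("   ", coord)
```

Under these semantics scope=test keeps all seven components and scope=compile keeps the five the poster listed, provided artifact included; only runtime drops both the provided and the test artifact.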

Don't skip POM modules

I added the enforcer rule to my bom project, since that's where all the dependencies are set, but the rule is skipped. Can it rather not skip, or have an option to skip?

[DEBUG] Executing rule: org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies
[DEBUG] Skipping BanVulnerableDependencies; POM module

include config in the report file

Would be good to include the config in the report file itself, i.e. the scope, CVSS threshold, whether transitives were included, etc.

'Audit' is too verbose

Any chance you could bring over the audit.quiet option from the old plugin, or better still just suppress the list of dependencies under "Checking for vulnerabilities"?

[INFO] --- ossindex-maven-plugin:1.0.0:audit (default-cli) @ zanata-common-api ---
[INFO] Checking for vulnerabilities:
[INFO]   com.google.code.findbugs:jsr305:jar:3.0.2:provided
[INFO]   org.slf4j:slf4j-api:jar:1.7.22:compile
[INFO]   commons-io:commons-io:jar:2.5:compile
[INFO]   net.jcip:jcip-annotations:jar:1.0:provided
[INFO]   com.webcohesion.enunciate:enunciate-core-annotations:jar:2.9.1:compile
[INFO]   org.apache.httpcomponents:httpcore:jar:4.3.3:compile
[INFO]   org.hamcrest:hamcrest-library:jar:1.3:test
[INFO]   javax.xml.bind:jaxb-api:jar:2.2.12:compile
[INFO]   org.slf4j:jcl-over-slf4j:jar:1.7.22:compile
[INFO]   org.jboss.resteasy:resteasy-client:jar:3.0.19.Final:compile
[INFO]   org.apache.httpcomponents:httpclient:jar:4.3.6:compile
[INFO]   org.codehaus.groovy:groovy-all:jar:2.4.4:test
[INFO]   org.hibernate:hibernate-validator:jar:5.2.3.Final:compile
[INFO]   com.sun.mail:javax.mail:jar:1.5.5:compile
[INFO]   org.spockframework:spock-core:jar:1.0-groovy-2.4:test
[INFO]   javax.activation:activation:jar:1.1.1:compile
[INFO]   org.jboss.spec.javax.ws.rs:jboss-jaxrs-api_2.0_spec:jar:1.0.0.Final:compile
[INFO]   javax.xml.stream:stax-api:jar:1.0:compile
[INFO]   commons-codec:commons-codec:jar:1.10:compile
[INFO]   com.fasterxml:classmate:jar:1.1.0:compile
[INFO]   org.jboss.resteasy:resteasy-jaxb-provider:jar:3.0.19.Final:compile
[INFO]   org.hamcrest:hamcrest-core:jar:1.3:test
[INFO]   org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO]   junit:junit:jar:4.12:test
[INFO]   org.codehaus.jackson:jackson-xc:jar:1.9.13:test
[INFO]   com.google.guava:guava:jar:18.0:compile
[INFO]   org.apache.james:apache-mime4j:jar:0.6:compile
[INFO]   com.google.code.findbugs:findbugs-annotations:jar:3.0.1:provided
[INFO]   org.jboss.resteasy:resteasy-multipart-provider:jar:3.0.19.Final:compile
[INFO]   org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO]   org.jboss.resteasy:resteasy-jaxrs:jar:3.0.19.Final:compile
[INFO]   javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO]   org.jboss.spec.javax.annotation:jboss-annotations-api_1.2_spec:jar:1.0.0.Final:provided
[INFO]   org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
[INFO] CVSS-score threshold: 0.0

Add JUnit report support

A suggestion from @vveider from a different thread.

And how about JUnit reports? Without it using such plugin on CI/CD services is most impracticable.

ossindex-maven-plugin is not marked @threadSafe for parallel builds

When building with mvn -T1.0C, I get this warning (when executing audit):

[WARNING] *****************************************************************
[WARNING] * Your build is requesting parallel execution, but project      *
[WARNING] * contains the following plugin(s) that have goals not marked   *
[WARNING] * as @threadSafe to support parallel building.                  *
[WARNING] * While this /may/ work fine, please look for plugin updates    *
[WARNING] * and/or request plugins be made thread-safe.                   *
[WARNING] * If reporting an issue, report it against the plugin in        *
[WARNING] * question, not against maven-core                              *
[WARNING] *****************************************************************
[WARNING] The following plugins are not marked @threadSafe in Zanata Common API:
[WARNING] org.sonatype.ossindex.maven:ossindex-maven-plugin:3.0.0
[WARNING] Enable debug to see more precisely which goals are not marked @threadSafe.
[WARNING] *****************************************************************

Related: #17 (triggers 429 more often when building modules in parallel)

Not compatible with Maven Enforcer Plugin 3.0.0?

It seems these rules don't work with the Maven Enforcer Plugin 3.0.0. I have a reproducer project available. When I build it using Maven 3.8.2 with mvn verify -e, this stacktrace appears:

Caused by: java.lang.NoSuchMethodError: 'org.apache.maven.shared.dependency.graph.DependencyNode org.apache.maven.shared.dependency.graph.DependencyGraphBuilder.buildDependencyGraph(org.apache.maven.project.MavenProject, org.apache.maven.artifact.resolver.filter.ArtifactFilter)'
    at org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies$Task.resolveDependencies (BanVulnerableDependencies.java:315)
    at org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies$Task.run (BanVulnerableDependencies.java:190)
    at org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies.execute (BanVulnerableDependencies.java:142)
    at org.apache.maven.plugins.enforcer.EnforceMojo.execute (EnforceMojo.java:200)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:972)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:293)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:196)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:78)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:567)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)

Allow for external configuration of excludes

We are using OSS Index with Maven Enforcer. However, there are a lot of CVEs nowadays, which causes us to have to rebuild a lot of Maven POMs to update excludes (excludeCoordinates and excludeVulnerabilityIds).

It would be very useful if the excludes could be configured so that they are external, e.g. using a file and/or url.

Maven plugin does not decrypt encrypted proxy password

I am using an encrypted password for proxy authentication in my settings.xml file, which is not working with the ossindex-maven-plugin (See https://maven.apache.org/guides/mini/guide-encryption.html#how-to-encrypt-server-passwords).

It seems like the plugin does not decrypt my password and just uses the encrypted password when providing the "Proxy-Authorization" header. This causes our proxy to deny the request with a 407 Proxy Authentication Required response.

NullPointerException @ org.sonatype.ossindex.maven.common.ComponentReportAssistant.match (ComponentReportAssistant.java:180)

I observe this error with ossindex-maven-plugin:3.0.3:audit goal:

[WARNING] Failed to fetch component-reports
java.lang.NullPointerException
at org.sonatype.ossindex.maven.common.ComponentReportAssistant.match (ComponentReportAssistant.java:180)
at org.sonatype.ossindex.maven.common.ComponentReportAssistant.request (ComponentReportAssistant.java:95)
at org.sonatype.ossindex.maven.plugin.AuditMojo.execute (AuditMojo.java:246)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:156)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:148)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
at org.apache.maven.cli.MavenCli.execute (MavenCli.java:956)
at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:288)
at org.apache.maven.cli.MavenCli.main (MavenCli.java:192)
at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke (Method.java:498)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:289)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:229)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:415)
at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:356)

My environment:
Apache Maven 3.6.0 (97c98ec64a1fdfee7767ce5ffb20918da4f719f3; 2018-10-24T20:41:47+02:00)
Maven home: C:\Program Files\Apache Software Foundation\apache-maven-3.6.0\bin..
Java version: 1.8.0_192, vendor: Oracle Corporation, runtime: C:\Program Files\Java\jdk1.8.0_192\jre
Default locale: de_DE, platform encoding: Cp1252
OS name: "windows 7", version: "6.1", arch: "amd64", family: "windows"

The error does not occur with 3.0.0

[DepShield] (CVSS 9.8) Vulnerability due to usage of org.codehaus.plexus:plexus-utils:2.0.4

Vulnerabilities

DepShield reports that this application's usage of org.codehaus.plexus:plexus-utils:2.0.4 results in the following vulnerability(s):


Occurrences

org.codehaus.plexus:plexus-utils:2.0.4 is a transitive dependency introduced by the following direct dependency(s):

org.apache.maven:maven-artifact:3.0
        └─ org.codehaus.plexus:plexus-utils:2.0.4

org.apache.maven:maven-core:3.0
        └─ org.codehaus.plexus:plexus-utils:2.0.4

org.apache.maven:maven-core:3.0
        └─ org.codehaus.plexus:plexus-utils:2.0.4

org.sonatype.ossindex.maven:ossindex-maven-enforcer-rules:3.0.5-SNAPSHOT
        └─ org.apache.maven:maven-core:3.0
              └─ org.codehaus.plexus:plexus-utils:2.0.4

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.
