Fixing vulnerability of maven-core-CodePudding

I am receiving critical vulnerability on maven-core package

Here ${spring.version} is 2.5.5.

From dependency tree found that spring-boot-maven-plugin(2.5.5) -> maven-common-artifact-filters(3.2.0 latest version) -> maven-core(3.1.1)

So already we have maven-common-artifact-filters(3.2.0 latest version) which uses maven-core(3.1.1). SO how can we solve this? Whether we need to wait for any further release maven-common-artifact-filters which uses maven-core to 3.8.4? Please share your thoughts.

EDIT:

EDIT

We are using our internal repository manager to govern our repos, so then this vulnerability wont have impact right? we can suppress this?

CodePudding user response：

Why do you use the spring-boot-maven-plugin as a dependency in maven?

It's a plugin and, as such, it is used only during the building process - to prepare the artifact. The dependency itself is not a part of the artifact (at least usually, that's why I've asked why are you actually using it like that).

Usually this plugin is used like this (as a part of a build section):

<project>
    <modelVersion>4.0.0</modelVersion>
    <artifactId>the-app</artifactId>
    <!-- ... -->
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

See documentation of the plugin

If it's not a dependency but a plugin, then there is no vulnerability to your application, at least the tools that have discovered the vulnerability probably analyze only the jars that are part of the final artifact...

CodePudding user response：

We are using our internal repository manager to govern our repos, so then this vulnerability wont have impact right? we can suppress this?

That is the wrong solution.

You are missing the point. The cause of the report is that your POM file is incorrect. You have an incorrect code dependency on a Maven plugin that is used at build time. The dependency should be removed from the POM file, as explained in https://stackoverflow.com/a/71919577/139985.

When you fix the POM file (alleged) vulnerability should just go away. The reported vulnerability is probably due to the checker thinking that your application uses the plugin and its dependencies ... including the vulnerable Maven component ... because you incorrectly told it that in the POM file.

The correct solution is to fix the POM file. Get rid of the bogus dependency.