Description
If you are submitting a bug, please include the following:
- summary of problem
- Gradle or Maven version
- spotless version
- operating system and version
- copy-paste your full Spotless configuration block(s), and a link to a public git repo that reproduces the problem if possible
- copy-paste the full content of any console errors emitted by gradlew spotless[Apply/Check] --stacktrace
If you're just submitting a feature request or question, no need for the above.
Summary
An accidental discovery: making Spotless a dependency instead of a plugin (yes, it was a mistake) turned up multiple CVEs from DependencyCheck. This tells me 2 things:
- DependencyCheck is not checking plugins
- Spotless has outdated dependencies for the plugins
Obviously, this is a user goof; however, it tells me that Spotless may need to refresh/update dependencies for the plugins.
On the other hand, some of these may be build-only dependencies for the plugin? Either way, there are some outdated dependencies in the plugin.
CVEs with 2.43.0:
- org.eclipse.jgit-6.7.0.202309050840-r.jar: CVE-2023-4759(8.8)
- org.eclipse.osgi-3.18.300.jar: CVE-2021-41033(8.1), CVE-2020-27225(7.8), CVE-2023-4218(5.0)
- plexus-resources-1.2.0.jar: CVE-2022-4245(4.3), CVE-2022-4244(7.5)
My issue post focuses on the Maven plugin. I haven't tried doing the same with the Gradle plugin.
Maven version
3.9.6
Spotless version
2.43.0
OS version
Not relevant, however "Linux Hobbiton 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux" running Ubuntu under WSL2 on Windows 11.
Spotless configuration block
No configuration block provided.
Console output
I wanted to paste the full ./mvnw -X verify output; however, there were two problems:
- Lots of useless stuff non-specific to the problem at hand
- Posting the full output gave GitHub heartburn, and it complained that this issue exceeded the character limit
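Turning the accidental discovery above into a deliberate check, as an added example that is not part of this issue or of the Spotless project: a shell script that writes a throwaway pom declaring a Maven plugin as an ordinary dependency, so that OWASP dependency-check scans the plugin's transitive jars the same way it would scan project dependencies. The plugin coordinates (com.diffplug.spotless:spotless-maven-plugin) and the dependency-check goal and parameters are assumed from general Maven knowledge, not taken from the page.

```shell
#!/bin/sh
# Added example: audit a Maven plugin's transitive dependency closure with
# OWASP dependency-check by declaring the plugin as a plain dependency in a
# throwaway project (the effect the issue author got by accident).
# Assumed coordinates: com.diffplug.spotless:spotless-maven-plugin.
set -eu

# Emit a minimal pom.xml whose only dependency is the plugin artifact.
# Usage: write_audit_pom <groupId> <artifactId> <version>
write_audit_pom() {
  cat <<EOF
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>local.audit</groupId>
  <artifactId>plugin-dependency-audit</artifactId>
  <version>0.0.1</version>
  <dependencies>
    <!-- The plugin as a dependency: its runtime closure lands on the scanned classpath -->
    <dependency>
      <groupId>$1</groupId>
      <artifactId>$2</artifactId>
      <version>$3</version>
    </dependency>
  </dependencies>
</project>
EOF
}

# Scan the throwaway project; the build fails when any finding has CVSS >= 7.
# Needs network access for the vulnerability database, so it is only run on demand.
audit_plugin() {
  dir=$(mktemp -d)
  write_audit_pom "$1" "$2" "$3" > "$dir/pom.xml"
  (cd "$dir" && mvn -q org.owasp:dependency-check-maven:check \
      -DfailBuildOnCVSS=7 -Dformat=HTML)
  echo "report: $dir/target/dependency-check-report.html"
}

# Run the audit only when invoked as: sh audit.sh --run
case "${1:-}" in
  --run) audit_plugin com.diffplug.spotless spotless-maven-plugin 2.43.0 ;;
esac
```

The generated pom is intentionally not a real project, so findings apply only to the plugin's own classpath, not to your build's dependencies.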