Introduction

This is a demo project for pull request sonatype/ossindex-maven#57.

It was created by using https://start.spring.io/.

The POM is modified to use maven-enforcer-plugin 3.0.0 together with ossindex-maven-enforcer-rules 3.1.1-SNAPSHOT. The released version 3.1.0 of the rules is not compatible with maven-enforcer-plugin 3.0.0, which is what the pull request addresses.

The build is expected to fail: for testing purposes the project deliberately depends on log4j-core 2.15.0, whose fix for CVE-2021-44228 is incomplete (reported by OSS Index as CVE-2021-45046 with a low CVSS score of 3.7). This gives the enforcer rule a known vulnerable component to detect.

Usage

Build this project first. Because the 3.1.1-SNAPSHOT rules artifact is not published to any remote repository, the expected error is:

[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  7.352 s
[INFO] Finished at: 2021-12-17T08:46:06+01:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce (vulnerability-checks) on project demo: Execution vulnerability-checks of goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce failed: Plugin org.apache.maven.plugins:maven-enforcer-plugin:3.0.0 or one of its dependencies could not be resolved: Could not find artifact org.sonatype.ossindex.maven:ossindex-maven-enforcer-rules:jar:3.1.1-SNAPSHOT in nexus (...) -> [Help 1]

Then check out the ossindex-maven branch with the maven-enforcer-plugin bumped to version 3.0.0 and install it into your local repository:

git clone https://github.com/bkrahl-nli/ossindex-maven.git
cd ossindex-maven
mvn clean install

Afterwards, build this demo project again. The rules artifact now resolves and the BanVulnerableDependencies rule fails the build on the vulnerable log4j-core component. The expected error is:

[WARNING] Rule 0: org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies failed with message:
Detected 1 vulnerable components:
  org.apache.logging.log4j:log4j-core:jar:2.15.0:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.logging.log4j/log4j-core@2.15.0?utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
    * [CVE-2021-45046] It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was i... (3.7); https://ossindex.sonatype.org/vulnerability/edaf092e-e7f3-4c69-8f01-a5c6fc44890a?component-type=maven&component-name=org.apache.logging.log4j.log4j-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1

[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.203 s
[INFO] Finished at: 2021-12-17T08:46:57+01:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0:enforce (vulnerability-checks) on project demo: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed. -> [Help 1]