Update Maven resources plugin & Apache Commons CLI to address CVE-2024-47554 #1183
Labels: good first issue (Good for newcomers), help wanted (Extra attention is needed), kind/bug (Something isn't working)
Expected Behavior
Security scans pass when including dapr 1.13.1 SDK in Java CI builds.
Actual Behavior
The CVE-2024-47554 vulnerability is reported because maven-resources-plugin 3.3.0 and commons-cli 1.4 pull in commons-io version 2.11.0.
Steps to Reproduce the Problem
Build with dapr 1.13.1 and scan for CVE vulnerabilities.
Required update
Update maven-resources-plugin to version 3.3.1 and commons-cli to 1.9.0. I found the issue in sdk/pom.xml, but the plugin and commons-cli references could be in other pom.xml files as well. I did not perform an exhaustive search.
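Because the report only checked sdk/pom.xml, a maintainer will want to sweep every pom.xml in the repository for the two coordinates named above. The following script is an added example, not part of the dapr java-sdk and not written by the issue reporter: it parses POM files, resolves `${...}` version properties, and lists any maven-resources-plugin below 3.3.1 or commons-cli below 1.9.0. The minimum versions are taken from this issue; the sample POM embedded in the script is constructed for the demonstration, and the `find_outdated` / `is_older` function names are this example's own.

```python
"""Find pom.xml files that still reference maven-resources-plugin < 3.3.1 or
commons-cli < 1.9.0 (the versions this issue asks to move to).

Added example for this issue; not part of the dapr java-sdk. The POM below is
constructed sample input.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Minimum versions requested in the issue, keyed by (groupId, artifactId).
MINIMUM_VERSIONS = {
    ("org.apache.maven.plugins", "maven-resources-plugin"): "3.3.1",
    ("commons-cli", "commons-cli"): "1.9.0",
}


def parse_version(version):
    """'3.3.1' -> (3, 3, 1). Parsing stops at the first non-numeric piece
    (e.g. '-SNAPSHOT'), which is enough for the releases compared here."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def is_older(found, minimum):
    """True when `found` sorts below `minimum` after padding to equal length,
    so that '3.3' is treated as '3.3.0'."""
    f, m = parse_version(found), parse_version(minimum)
    width = max(len(f), len(m))
    return f + (0,) * (width - len(f)) < m + (0,) * (width - len(m))


def load_properties(root):
    """Collect <properties> so ${name} placeholders can be expanded."""
    props = {}
    props_el = root.find("m:properties", NS)
    if props_el is not None:
        for child in props_el:
            name = child.tag.split("}", 1)[-1]  # strip the POM namespace
            props[name] = (child.text or "").strip()
    return props


def resolve(value, props):
    """Expand ${name} from <properties>; unknown names are left untouched."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def child_text(el, tag):
    child = el.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def find_outdated(pom_xml):
    """Return (coordinate, version_found, minimum) for every <plugin> or
    <dependency> in the POM text that is below the requested minimum.
    Versions that still contain an unresolved ${...} are reported as well,
    so they can be checked by hand instead of being silently skipped."""
    root = ET.fromstring(pom_xml)
    props = load_properties(root)
    findings = []
    for tag in ("plugin", "dependency"):
        # iter() walks build, pluginManagement, dependencyManagement and profiles alike
        for el in root.iter(f"{{{NS['m']}}}{tag}"):
            group = child_text(el, "groupId")
            artifact = child_text(el, "artifactId")
            version = resolve(child_text(el, "version"), props)
            if tag == "plugin" and group is None:
                group = "org.apache.maven.plugins"  # Maven's default plugin groupId
            key = (group, artifact)
            if key not in MINIMUM_VERSIONS or version is None:
                continue  # not one of the coordinates in this issue, or inherited version
            minimum = MINIMUM_VERSIONS[key]
            if "${" in version or is_older(version, minimum):
                findings.append((f"{group}:{artifact}", version, minimum))
    return findings


def scan_tree(root_dir):
    """Walk a checkout and report findings per pom.xml file."""
    results = {}
    for dirpath, _, filenames in os.walk(root_dir):
        if "pom.xml" in filenames:
            path = os.path.join(dirpath, "pom.xml")
            with open(path, encoding="utf-8") as fh:
                hits = find_outdated(fh.read())
            if hits:
                results[path] = hits
    return results


# Constructed sample: the version of commons-cli comes from a property,
# the plugin omits groupId, and both sit below the versions the issue requests.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>constructed-sample</artifactId>
  <version>0.0.1</version>
  <properties>
    <commons-cli.version>1.4</commons-cli.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>commons-cli</groupId>
      <artifactId>commons-cli</artifactId>
      <version>${commons-cli.version}</version>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <artifactId>maven-resources-plugin</artifactId>
        <version>3.3.0</version>
      </plugin>
    </plugins>
  </build>
</project>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for coord, found, minimum in hits:
                print(f"{path}: {coord} {found} < {minimum}")
    else:
        for coord, found, minimum in find_outdated(SAMPLE_POM):
            print(f"sample: {coord} {found} < {minimum}")
```

Run it with a repository root as the only argument to check every pom.xml in the checkout; with no argument it runs against the constructed sample and reports both coordinates. Versions inherited from a parent POM (no `<version>` element) are skipped, so the parent should be scanned too.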
Release Note
RELEASE NOTE: UPDATE Resolves CVE-2024-47554 in Apache dependencies