Hi All,
I’m using the jira-maven-plugin to build our own plugin, but I found that the latest AMPS version of jira-maven-plugin uses the maven-core 3.1.1 jar, which has vulnerabilities. Is there any AMPS version that uses a version higher than 3.8.1, which fixes those vulnerabilities?
Regards,
Yaoqi
Hi @YaoqiHuang
The latest version of jira-maven-plugin: Jira Maven Plugin 9.0.6 released on August 29, 2024.
All versions of AMPS found are more recent than yours:
Are you sure you’re using the latest version of AMPS, which was released on August 29, 2024?
Hi @FabienPenchenat,
Thanks for your reply. I’ve tried Jira Maven Plugin 9.0.6, but when the build is in the jira-maven-plugin:9.0.6:generate-rest-docs phase, it is still trying to read maven-core 3.1.1. Could you please tell me why that is? Thanks in advance.
[INFO] --- jira-maven-plugin:9.0.6:generate-rest-docs (default-generate-rest-docs) @ jira-workflow-migrator ---
[INFO] Scanning all of C:\Users\yaoqih\Projects\jira-workflow-migrator\src\main\java for REST resources
Downloading from ms-artifactory: ***/org/apache/maven/maven-core/3.1.1/maven-core-3.1.1.pom
Downloaded from ms-artifactory: ***/org/apache/maven/maven-core/3.1.1/maven-core-3.1.1.pom (7.3 kB at 7.3 kB/s)
Downloading from ms-artifactory: ***/org/apache/maven/maven-core/3.1.1/maven-core-3.1.1.jar
Downloaded from ms-artifactory: ***/org/apache/maven/maven-core/3.1.1/maven-core-3.1.1.jar (557 kB at 324 kB/s)
The above is the build log. *** means the endpoint of the Maven repositories in our company.
Regards,
Yaoqi
Hum… very strange
Maybe check for transitive dependencies.
It’s possible that jira-maven-plugin is pulling in maven-core 3.1.1 as a transitive dependency from another library. You can use the Maven Dependency Plugin to identify where the old version is coming from:
mvn dependency:tree
Look for maven-core in the output and see which dependencies are pulling in the old version. You may need to override those dependencies as well.
Potential workaround, customizing the plugin configuration:
<build>
  <plugins>
    <plugin>
      <groupId>com.atlassian.maven.plugins</groupId>
      <artifactId>jira-maven-plugin</artifactId>
      <version>9.0.6</version>
      <dependencies>
        <dependency>
          <groupId>org.apache.maven</groupId>
          <artifactId>maven-core</artifactId>
          <version>3.8.1</version>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
This can sometimes help in forcing the plugin to use the newer version of maven-core.
Hi @FabienPenchenat,
Thanks for your response, but I’ve run dependency:tree and dependency:resolve-plugins and they do not output the maven-core 3.1.1 package. So I suspect the atlassian-plugin-sdk uses this version when running atlas-package. But the newest version I can download uses apache-maven-3.5.4. Is there any update on the SDK?
Regards,
Yaoqi
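Added example, not part of any post above and not Atlassian's code: when `dependency:tree` shows nothing, the build log itself can be used to attribute each download to the goal header printed before it, which is how the log in this thread ties maven-core 3.1.1 to `generate-rest-docs`. The function names, the sample log and the 3.8.1 floor (taken from the question) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log in the thread; "***" is the redacted
# repository URL, and example-plugin is a hypothetical plugin.
SAMPLE_LOG = """\
[INFO] --- example-plugin:1.0.0:example-goal (default) @ demo ---
Downloading from ms-artifactory: ***/org/apache/maven/maven-core/3.9.6/maven-core-3.9.6.jar
[INFO] --- jira-maven-plugin:9.0.6:generate-rest-docs (default-generate-rest-docs) @ jira-workflow-migrator ---
Downloading from ms-artifactory: ***/org/apache/maven/maven-core/3.1.1/maven-core-3.1.1.pom
Downloaded from ms-artifactory: ***/org/apache/maven/maven-core/3.1.1/maven-core-3.1.1.jar (557 kB at 324 kB/s)
"""

# Goal header; forum rendering may turn "---" into an em dash, so accept both.
GOAL = re.compile(r"^\[INFO\] (?:---|\u2014) (\S+) \(\S+\) @ \S+ (?:---|\u2014)$")
DOWNLOAD = re.compile(r"^(?:\[INFO\] )?Download(?:ing|ed) from \S+: (\S+)")

def numeric(version):
    """Leading dotted-number part of a version as a tuple, e.g. '3.8.1' -> (3, 8, 1)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def flag_old_downloads(log_text, minimums):
    """Map (artifactId, version) -> goals that fetched it, for versions below the floor."""
    findings = defaultdict(set)
    goal = "(before first goal)"
    for line in log_text.splitlines():
        line = line.strip()
        header = GOAL.match(line)
        if header:
            goal = header.group(1)
            continue
        fetched = DOWNLOAD.match(line)
        if not fetched:
            continue
        # Repository layout: .../<artifactId>/<version>/<file>
        parts = fetched.group(1).split("/")
        if len(parts) < 3:
            continue
        artifact, version = parts[-3], parts[-2]
        floor = minimums.get(artifact)
        if floor and numeric(version) < numeric(floor):
            findings[(artifact, version)].add(goal)
    return dict(findings)

if __name__ == "__main__":
    for (artifact, version), goals in flag_old_downloads(SAMPLE_LOG, {"maven-core": "3.8.1"}).items():
        print(f"{artifact} {version} fetched during: {', '.join(sorted(goals))}")
```

Maven prints download lines only for artifacts missing from the local repository, so a build against an empty local repository gives the complete picture.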