About amps version of jira-maven-plugin

Hi All,

I’m using the jira-maven-plugin to build our own plugin. But I found that the latest amps version of jira-maven-plugin uses the maven-core 3.1.1 jar, which has vulnerabilities. Is there any amps version that uses a version higher than 3.8.1, which fixes those vulnerabilities?

Regards,
Yaoqi

Hi @YaoqiHuang

The latest version of jira-maven-plugin: Jira Maven Plugin 9.0.6 released on August 29, 2024.

All versions of AMPS found are more recent than yours:

Are you sure you’re using the latest version of AMPS, which was released on August 29, 2024?

Hi @FabienPenchenat,

Thanks for your reply. I’ve tried Jira Maven Plugin 9.0.6, but when the build is in the jira-maven-plugin:9.0.6:generate-rest-docs phase, it is still trying to read maven-core 3.1.1. Could you please tell me why that is? Thanks in advance.

[INFO] --- jira-maven-plugin:9.0.6:generate-rest-docs (default-generate-rest-docs) @ jira-workflow-migrator ---
[INFO] Scanning all of C:\Users\yaoqih\Projects\jira-workflow-migrator\src\main\java for REST resources
Downloading from ms-artifactory: ***/org/apache/maven/maven-core/3.1.1/maven-core-3.1.1.pom
Downloaded from ms-artifactory: ***/org/apache/maven/maven-core/3.1.1/maven-core-3.1.1.pom (7.3 kB at 7.3 kB/s)
Downloading from ms-artifactory: ***/org/apache/maven/maven-core/3.1.1/maven-core-3.1.1.jar
Downloaded from ms-artifactory: ***/org/apache/maven/maven-core/3.1.1/maven-core-3.1.1.jar (557 kB at 324 kB/s)

The above is the build log. *** means the endpoint of the Maven repositories in our company.

Regards,
Yaoqi

Hum… very strange :thinking:

Maybe check for transitive dependencies.
It’s possible that jira-maven-plugin is pulling in maven-core 3.1.1 as a transitive dependency from another library. You can use the Maven Dependency Plugin to identify where the old version is coming from:

mvn dependency:tree

Look for maven-core in the output and see which dependencies are pulling in the old version. You may need to override those dependencies as well.

Potential workaround, customizing the plugin configuration:

<build>
    <plugins>
        <plugin>
            <groupId>com.atlassian.maven.plugins</groupId>
            <artifactId>jira-maven-plugin</artifactId>
            <version>9.0.6</version>
            <dependencies>
                <dependency>
                    <groupId>org.apache.maven</groupId>
                    <artifactId>maven-core</artifactId>
                    <version>3.8.1</version>
                </dependency>
            </dependencies>
        </plugin>
    </plugins>
</build>

This can sometimes help in forcing the plugin to use the newer version of maven-core.

Hi @FabienPenchenat,

Thanks for your response, but I’ve run dependency:tree and dependency:resolve-plugins and neither of them outputs the maven-core 3.1.1 package. So I suspect the atlassian-plugin-sdk uses this version when running atlas-package. But the newest version I can download uses apache-maven-3.5.4. Is there any update on the SDK?

Regards,
Yaoqi
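
Added example, not code from the thread or from Atlassian: a Python script that attributes jar downloads in a Maven build log to the plugin goal banner printed before them, so a download like the maven-core 3.1.1 one in the log above can be tied to a goal even when dependency:tree does not list it. The sample log is constructed from the excerpt in the thread (the repository URL and the first goal are placeholders), and the 3.8.1 floor is the version named in the thread.

```python
import re

# Maven prints "[INFO] --- plugin:version:goal (execution-id) @ module ---" before each goal.
# Some renderers turn the three dashes into one long dash (U+2014), so accept both.
GOAL = re.compile(r"^\[INFO\] (?:-{3}|\u2014) (?P<goal>\S+:\S+:\S+) \(")
# Repository layout of a jar: .../<artifactId>/<version>/<artifactId>-<version>.jar
JAR = re.compile(
    r"^Download(?:ing|ed) from \S+: \S*/(?P<artifact>[^/]+)/(?P<version>[^/]+)/"
    r"(?P=artifact)-(?P=version)\.jar\b"
)

def version_tuple(version):
    """Numeric parts of a version such as '3.1.1' (any '-qualifier' is ignored)."""
    return tuple(int(part) for part in re.findall(r"\d+", version.split("-")[0]))

def downloads_below_floor(log_text, artifact, floor):
    """Return sorted (goal, version) pairs for jars of `artifact` older than `floor`."""
    current_goal = "(before first goal)"
    hits = set()
    for line in log_text.splitlines():
        banner = GOAL.match(line)
        if banner:
            current_goal = banner.group("goal")
            continue
        jar = JAR.match(line)
        if jar and jar.group("artifact") == artifact:
            if version_tuple(jar.group("version")) < floor:
                hits.add((current_goal, jar.group("version")))
    return sorted(hits)

# Constructed sample: repo.example.invalid and example-plugin are placeholders.
SAMPLE_LOG = """\
[INFO] --- example-plugin:1.0.0:example-goal (default) @ jira-workflow-migrator ---
Downloading from ms-artifactory: https://repo.example.invalid/org/apache/maven/maven-core/3.8.1/maven-core-3.8.1.jar
[INFO] --- jira-maven-plugin:9.0.6:generate-rest-docs (default-generate-rest-docs) @ jira-workflow-migrator ---
[INFO] Scanning all of src/main/java for REST resources
Downloading from ms-artifactory: https://repo.example.invalid/org/apache/maven/maven-core/3.1.1/maven-core-3.1.1.pom
Downloading from ms-artifactory: https://repo.example.invalid/org/apache/maven/maven-core/3.1.1/maven-core-3.1.1.jar
Downloaded from ms-artifactory: https://repo.example.invalid/org/apache/maven/maven-core/3.1.1/maven-core-3.1.1.jar (557 kB at 324 kB/s)
"""

if __name__ == "__main__":
    for goal, version in downloads_below_floor(SAMPLE_LOG, "maven-core", (3, 8, 1)):
        print(f"{goal} resolved maven-core {version}")
```

Maven only logs a download when the artifact is not already in the local repository, so the script is most useful on a log from a build with a clean local cache.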