Jira maven plugin generate-rest-docs

Hi All,

I’m using the jira-maven-plugin to build our own plugin. But I found the latest jira-maven-plugin 9.1.1 uses the 3.1.1 maven-core jar, which has vulnerabilities, when generating rest docs. But when I look at the dependencies in the pom files, no dependency is using maven-core 3.1.1, yet when compiling the plugin it still uses maven-core 3.1.1. Could you please tell me what the reason for this is? Thanks!

[INFO] --- jira:9.1.1:generate-rest-docs (default-generate-rest-docs) @ jira-workflow-migrator ---
[INFO] Scanning all of C:\Users\yaoqih\Projects\jira-workflow-migrator\src\main\java for REST resources
Downloading from ms-artifactory: ****/org/apache/maven/maven-core/3.1.1/maven-core-3.1.1.pom
Downloaded from ms-artifactory: ****/org/apache/maven/maven-core/3.1.1/maven-core-3.1.1.pom (7.3 kB at 28 kB/s)
Downloading from ms-artifactory: ****/org/apache/maven/maven-core/3.1.1/maven-core-3.1.1.jar
Downloaded from ms-artifactory: ****/org/apache/maven/maven-core/3.1.1/maven-core-3.1.1.jar (557 kB at 293 kB/s)

Regards,
Yaoqi

Hi @YaoqiHuang,

I encountered this problem a few times. What you can do is check where maven-core 3.1.1 is being pulled from.

  1. Check Dependency Tree: Use the Maven command mvn dependency:tree to see the full dependency tree of your project. This will help you identify where maven-core 3.1.1 is being pulled from.
    You can also save the dependency tree inside a file: mvn dependency:tree -DoutputFile=dependency-tree.txt

  2. Update Dependencies: Ensure that all your dependencies are up-to-date and check if there’s a newer version of the jira-maven-plugin that doesn’t include the vulnerable maven-core version.

  3. Check for Plugin Updates: Sometimes, plugin updates can resolve dependency conflicts. Check if there’s an update available for the jira-maven-plugin that addresses this issue.

If you don't need the dependency you can try to exclude it:

<dependency>
    <groupId>com.atlassian.maven.plugins</groupId>
    <artifactId>jira-maven-plugin</artifactId>
    <version>9.1.1</version>
    <exclusions>
        <exclusion>
            <groupId>org.apache.maven</groupId>
            <artifactId>maven-core</artifactId>
        </exclusion>
    </exclusions>
</dependency>

Maybe it helps :)

Cheers, Daniel

Hi @DanielGrabke,

Thanks for your response. I’ve also done some research, and I found that the package is referenced in the plugins tag under the build tag in the pom instead of the dependencies tag, so maven-core cannot be excluded from it, and I think that’s why it isn’t listed in the full dependency tree. I have also run some tests showing that maven-core cannot be overridden with a newer version (jira-maven-plugin is the newest). Could you please advise me on this more? Thanks in advance.

Regards,
Yaoqi

@YaoqiHuang,
if adding the dependency directly doesn’t work, you can try using the pluginManagement section to manage the dependencies of the plugin.

This may help override the version used by the plugin.

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.apache.maven</groupId>
            <artifactId>maven-core</artifactId>
            <version>3.6.3</version> <!-- Update to the required version -->
        </dependency>
    </dependencies>
</dependencyManagement>

Another approach you can try, is to define the plugin execution and specify the dependencies for the plugin within the build section.

<build>
    <plugins>
        <plugin>
            <groupId>com.atlassian.maven.plugins</groupId>
            <artifactId>jira-maven-plugin</artifactId>
            <version>9.1.1</version>
            <executions>
                <execution>
                    <id>generate-rest-docs</id>
                    <goals>
                        <goal>generate-rest-docs</goal>
                    </goals>
                    <configuration>
                        <includeDependencies>
                            <dependency>
                                <groupId>org.apache.maven</groupId>
                                <artifactId>maven-core</artifactId>
                                <version>3.6.3</version> <!-- Override the version -->
                            </dependency>
                        </includeDependencies>
                    </configuration>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>

Daniel

Hi @DanielGrabke,

Thanks for your response.

For the first solution, adding dependencyManagement in pom doesn’t work.
For the second solution, I’ve tried to add the executions part, but it seems that the plugin doesn’t support includeDependencies. And the doc https://developer.atlassian.com/server/framework/atlassian-sdk/amps-build-configuration-reference/ I found seems too old for the new jira-maven-plugin executions and configurations. Could you please advise me more on this? Thanks in advance.

Regards,
Yaoqi Huang
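Editor's note, added to the thread and not posted by either participant: the behaviour Yaoqi describes is how Maven resolves plugins in general. A plugin's own dependencies come from the plugin's POM, not from the project's `<dependencies>`, so `mvn dependency:tree` (which lists project dependencies only) never shows them, and `<exclusions>` or `<dependencyManagement>` in the project POM do not apply to them. The mechanism Maven does provide for adjusting a plugin's classpath is a `<dependencies>` element nested directly inside the `<plugin>` element. The fragment below is an added example of that mechanism for this plugin; the version string is a placeholder, and this combination has not been tested against jira-maven-plugin.

```xml
<!-- Added example (not from the thread): pinning a dependency of a build plugin.
     <dependencies> nested inside <plugin> is Maven's own override point for the
     plugin classpath. MAVEN_CORE_VERSION_PLACEHOLDER must be replaced with a
     version compatible with the plugin; no value is asserted here. -->
<build>
    <plugins>
        <plugin>
            <groupId>com.atlassian.maven.plugins</groupId>
            <artifactId>jira-maven-plugin</artifactId>
            <version>9.1.1</version>
            <dependencies>
                <!-- Overrides the transitive org.apache.maven:maven-core
                     declared by the plugin's own POM. -->
                <dependency>
                    <groupId>org.apache.maven</groupId>
                    <artifactId>maven-core</artifactId>
                    <version>MAVEN_CORE_VERSION_PLACEHOLDER</version>
                </dependency>
            </dependencies>
        </plugin>
    </plugins>
</build>
```

To see what a plugin actually pulls in, run `mvn dependency:resolve-plugins`, which lists every build plugin together with its resolved dependencies; that is the plugin-side counterpart of `dependency:tree`. One caveat explains why pinning may still appear to have no effect: Maven 3 treats `org.apache.maven:maven-core` as one of its own core artifacts and excludes it from plugin class realms, exporting the running Maven installation's copy instead. The download in Yaoqi's log therefore records what was resolved, not necessarily what the goal executes against; `mvn -X` prints, for each plugin realm, which artifacts were included and which were excluded, and is the place to confirm which maven-core the `generate-rest-docs` goal really sees.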