Mysterious dependency on struts-core:1.3.8

When using the Atlassian Plugin SDK 8.2.8, running the atlas-run or atlas-package commands in a range of different projects (JIRA plugins, Confluence plugins etc.) results in ~/.m2/repository/org/apache/struts/struts-core/1.3.8 being added to my maven repository cache.

This particular version of Struts has some known CVEs, and its presence on my local machine is being flagged by some of our internal security scanners. If I delete the ~/.m2/repository/org/apache/struts/struts-core/1.3.8 directory and re-run atlas-run or atlas-package, the offending version returns.

There is nothing in the console output of these atlas-* commands that mentions downloading this version of struts-core, as far as I can tell.

I’m not a maven expert, so I’m trying to understand what is transitively depending on this vulnerable version of Struts, with the hope that I can upgrade something to permanently keep it off my machine. But I’m not sure how best to do this.

If I run mvn dependency:tree -Dverbose | grep -C20 struts, I don’t see any mention of it in my project; so I suspect it could be the Atlassian Plugin SDK itself that has this dependency?

Any tips for how I might figure out what is causing this version of struts to be downloaded?

For what it's worth, this happens with both AMPS 8.10.1 and AMPS 8.12.3.
I should also note that I’m using the SDK with Maven 3.9.4, via the ATLAS_MVN environment variable.

Any help would be greatly appreciated.

For what it's worth (and I’m certain there must be an easier way than this), after a lot of grepping around in my ~/.m2/repository cache, I found a number of things that seemingly depend on struts-core:1.3.8.

The main culprit appears to be org.apache.velocity.velocity-tools, which on my machine exists as both:

  • velocity-tools:2.0
  • velocity-tools:2.0.1-atlassian-2

A bunch of things depend on velocity-tools:2.0, e.g.

  • org.apache.lucene.*
  • org.apache.maven.doxia.*
  • com.googlecode.htmlcompressor
  • etc.

More likely in this case is the fact that com.atlassian.confluence.confluence-project depends on:

  • velocity-tools:2.0.1-atlassian-2.

confluence-project, in turn, is depended upon by

  • com.atlassian.confluence.confluence-build
  • com.atlassian.confluence.confluence-core
  • etc.

My guess is that running one of the aforementioned commands (atlas-run, atlas-package) triggers this chain of dependencies, causing struts-core:1.3.8 to return to my repository cache.

Assuming that I’ve now answered my own question about how the offending struts-core version is getting back onto my machine, the next obvious question is why are these Confluence libraries still depending on a vulnerable version of struts-core?

I suppose only the Atlassian teams that look after the com.atlassian.confluence/* packages, or velocity-tools:2.0.1-atlassian-2, can answer that.
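The grepping described above can be automated. The script below is an added example (not from the original post, and not Atlassian tooling): it walks every .pom file under a Maven repository root, records which artifact declares which dependency, and then follows declarers upward from a target coordinate until it reaches artifacts nothing else in the cache depends on. It is run here against a constructed miniature of ~/.m2/repository that mirrors the chain found above (the "0.0-sample" versions and the lucene-demo artifact are placeholders, not real coordinates); pass a real repository path as the first argument to search your own cache. Two caveats worth knowing before trusting the output: the parser does not resolve parent inheritance, <properties> or <dependencyManagement>, so a version written as a ${property} is treated as unknown and matched loosely; and mvn dependency:tree only reports the project's own dependencies, whereas atlas-run and atlas-package resolve the AMPS plugin's dependencies separately, which is why `mvn dependency:resolve-plugins` (or `mvn dependency:tree -Dincludes=org.apache.struts`) is often the quicker check.

```python
"""Reverse-dependency search over a local Maven repository (added example).

Indexes every .pom under a repository root and follows declarers upward from
a target coordinate.  Parent inheritance, <properties> and
<dependencyManagement> are NOT resolved: a version like ${struts.version} is
recorded as unknown and matched loosely.  A complement to dependency:tree,
not a replacement for it.
"""
import sys
import tempfile
import xml.etree.ElementTree as ET
from collections import defaultdict, deque
from pathlib import Path


def parse_pom(path):
    """Return (coordinate, [(groupId, artifactId, version-or-None), ...])."""
    root = ET.parse(path).getroot()
    for el in root.iter():  # strip the POM namespace so tags compare by local name
        el.tag = el.tag.rsplit("}", 1)[-1]

    def text(elem, tag):
        child = elem.find(tag) if elem is not None else None
        return child.text.strip() if child is not None and child.text else None

    parent = root.find("parent")
    group = text(root, "groupId") or text(parent, "groupId")
    version = text(root, "version") or text(parent, "version")
    coord = f"{group}:{text(root, 'artifactId')}:{version}"
    deps = []
    for dep in root.findall("dependencies/dependency"):
        v = text(dep, "version")
        if v and v.startswith("${"):
            v = None  # property placeholder: version is managed elsewhere
        deps.append((text(dep, "groupId"), text(dep, "artifactId"), v))
    return coord, deps


def index_repository(repo_root):
    """Map each declared dependency triple to the coordinates that declare it."""
    dependents = defaultdict(set)
    for pom in Path(repo_root).rglob("*.pom"):
        try:
            coord, deps = parse_pom(pom)
        except ET.ParseError:
            continue  # partial download or corrupt file: skip rather than abort
        for dep in deps:
            dependents[dep].add(coord)
    return dependents


def who_pulls_in(dependents, group, artifact, version):
    """Chains [declarer, its declarer, ..., root] for every root that transitively
    declares group:artifact:version.  A declaration with no literal version is
    assumed to match, since its version is managed elsewhere."""
    def declarers_of(g, a, v):
        return dependents.get((g, a, v), set()) | dependents.get((g, a, None), set())

    chains = []
    queue = deque([[c] for c in sorted(declarers_of(group, artifact, version))])
    while queue:
        chain = queue.popleft()
        g, a, v = chain[-1].split(":")
        parents = [p for p in sorted(declarers_of(g, a, v)) if p not in chain]  # cycle guard
        if not parents:
            chains.append(chain)
        queue.extend(chain + [p] for p in parents)
    return chains


def _pom_xml(group, artifact, version, deps):
    dep_xml = "".join(
        f"<dependency><groupId>{g}</groupId><artifactId>{a}</artifactId>"
        + (f"<version>{v}</version>" if v else "") + "</dependency>"
        for g, a, v in deps)
    return ('<project xmlns="http://maven.apache.org/POM/4.0.0"><modelVersion>4.0.0'
            f"</modelVersion><groupId>{group}</groupId><artifactId>{artifact}"
            f"</artifactId><version>{version}</version><dependencies>{dep_xml}"
            "</dependencies></project>")


# Constructed miniature of ~/.m2/repository.  "0.0-sample" and lucene-demo are
# placeholders standing in for the real Atlassian and Lucene artifacts.
SAMPLE_POMS = [
    ("org.apache.struts", "struts-core", "1.3.8", []),
    ("org.apache.velocity", "velocity-tools", "2.0",
     [("org.apache.struts", "struts-core", "1.3.8")]),
    ("org.apache.velocity", "velocity-tools", "2.0.1-atlassian-2",
     [("org.apache.struts", "struts-core", "1.3.8")]),
    ("org.apache.lucene", "lucene-demo", "0.0-sample",
     [("org.apache.velocity", "velocity-tools", "2.0")]),
    ("com.atlassian.confluence", "confluence-project", "0.0-sample",
     [("org.apache.velocity", "velocity-tools", "2.0.1-atlassian-2")]),
    ("com.atlassian.confluence", "confluence-core", "0.0-sample",
     [("com.atlassian.confluence", "confluence-project", "0.0-sample")]),
    ("com.atlassian.confluence", "confluence-build", "0.0-sample",
     [("com.atlassian.confluence", "confluence-project", None)]),  # managed version
]


def build_sample_repo(root):
    for g, a, v, deps in SAMPLE_POMS:
        d = Path(root, *g.split("."), a, v)
        d.mkdir(parents=True)
        (d / f"{a}-{v}.pom").write_text(_pom_xml(g, a, v, deps))
    return root


def find_struts_chains(repo_root):
    return who_pulls_in(index_repository(repo_root),
                        "org.apache.struts", "struts-core", "1.3.8")


def demo():
    """Search the constructed sample repository built in a temp dir."""
    return find_struts_chains(build_sample_repo(tempfile.mkdtemp()))


if __name__ == "__main__":
    chains = find_struts_chains(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for chain in chains:
        print("  <- ".join(chain))
```

Each printed line reads from the vulnerable artifact's direct declarer to the outermost artifact in the cache that pulls it in, so the last coordinate on a line is the thing to upgrade or exclude. On the sample data this reproduces the two routes described above: velocity-tools:2.0 via lucene-demo, and velocity-tools:2.0.1-atlassian-2 via confluence-project into confluence-build and confluence-core. Against a real cache, expect a much longer list, since the index covers every POM ever downloaded, not only those a given atlas-run actually resolved.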