When using the Atlassian Plugin SDK 8.2.8, running the atlas-package commands in a range of different projects (JIRA plugins, Confluence plugins etc.) results in ~/.m2/repository/org/apache/struts/struts-core/1.3.8 being added to my maven repository cache.
This particular version of Struts has some known CVEs, and its presence on my local machine is being flagged by some of our internal security scanners. If I delete the ~/.m2/repository/org/apache/struts/struts-core/1.3.8 directory and re-run atlas-package, the offending version returns.
There is nothing in the console output of these atlas-* commands that mentions downloading this version of struts-core, as far as I can tell.
I’m not a maven expert, so I’m trying to understand what is transitively depending on this vulnerable version of Struts, with the hope that I can upgrade something to permanently keep it off my machine. But I’m not sure how best to do this.
If I run mvn dependency:tree -Dverbose | grep -C20 struts, I don’t see any mention of it in my project; so I suspect it could be the Atlassian Plugin SDK itself that has this dependency?
Any tips for how I might figure out what is causing this version of struts to be downloaded?
For what it's worth, this happens with both AMPS 8.10.1 and AMPS 8.12.3.
I should also note that I’m using the SDK with Maven 3.9.4, via the ATLAS_MVN environment variable.
Any help would be greatly appreciated.
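One way to answer the question above, as an added example that is not part of the original post and not the SDK's or AMPS's own tooling: an artifact that never shows up in dependency:tree for the project can still be resolved as part of a Maven plugin's own classpath. Maven's debug output (-X) prints a "Populating class realm plugin>groupId:artifactId:version" line for every plugin it loads, followed by one "Included: groupId:artifactId:type:version" line per jar on that plugin's classpath. The script below scans that output and reports which plugin realm included a given artifact. The command used to produce the debug output (atlas-mvn -X package, or mvn -X package with the Maven pointed to by ATLAS_MVN) is an assumption, and the sample output embedded in the script is constructed, with a hypothetical plugin coordinate, so it runs offline.

```shell
#!/bin/sh
# Added example: find which Maven plugin's class realm pulled an artifact into ~/.m2.
# Real usage (assumed invocation):   atlas-mvn -X package 2>&1 | find_plugin_realm org.apache.struts:struts-core
# or, with the SDK's Maven directly: mvn -X package 2>&1 | find_plugin_realm org.apache.struts:struts-core

# Usage: <mvn -X output on stdin> | find_plugin_realm <groupId:artifactId>
# Prints "plugin G:A:V -> included artifact G:A:type:V" for every match.
find_plugin_realm() {
    awk -v target="$1" '
        /Populating class realm plugin>/ {
            realm = $0
            sub(/.*plugin>/, "", realm)            # keep only the plugin G:A:V
        }
        /Included: / && index($0, target ":") {    # exact coordinate prefix, not a substring
            art = $0
            sub(/.*Included: /, "", art)
            print realm " -> " art
        }
    '
}

# Constructed sample of `mvn -X` output for offline demonstration. The second
# plugin (com.example:hypothetical-maven-plugin) is hypothetical; this is not a
# claim about which real plugin depends on struts-core.
SAMPLE='[DEBUG] Created new class realm plugin>org.apache.maven.plugins:maven-compiler-plugin:3.11.0
[DEBUG] Populating class realm plugin>org.apache.maven.plugins:maven-compiler-plugin:3.11.0
[DEBUG]   Included: org.apache.maven.plugins:maven-compiler-plugin:jar:3.11.0
[DEBUG] Created new class realm plugin>com.example:hypothetical-maven-plugin:1.0
[DEBUG] Populating class realm plugin>com.example:hypothetical-maven-plugin:1.0
[DEBUG]   Included: com.example:hypothetical-maven-plugin:jar:1.0
[DEBUG]   Included: org.apache.struts:struts-core:jar:1.3.8'

# Demo run against the constructed sample.
printf '%s\n' "$SAMPLE" | find_plugin_realm org.apache.struts:struts-core
```

Once the script names a plugin, the fix is to look at that plugin's own POM (mvn dependency:tree run against a checkout of the plugin, or its POM in ~/.m2) rather than the project's, and to pin or exclude the artifact in the plugin's <dependencies> block in the project's POM. If nothing matches, the artifact is being resolved outside plugin class realms (for example by a product download step), and searching the same -X output for the coordinate string is the next step.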