Description

Precondition

- I checked the issues list for existing open or closed reports of the same problem.

Describe the bug

`dependency-check-maven` contains a compile dependency to `org.apache.maven.shared:maven-artifact-transfer:0.13.1`, which contains a compile dependency to `org.apache.maven:maven-core`.

`dependency-check-maven` contains a provided dependency to `org.apache.maven:maven-core:3.6.3`.

This means that `dependency-check-maven` will pull in `org.apache.maven:maven-core:3.6.3` as a compile dependency.

`org.apache.maven:maven-core:3.6.3` contains the critical vulnerability CVE-2021-26291: https://mvnrepository.com/artifact/org.apache.maven/maven-core/3.6.3

The recommendation is to have a provided dependency to `maven-core`, not compile, and the `org.apache.maven.shared:maven-artifact-transfer` artifact is deprecated.
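The scope propagation behind this report, modelled as an added Python example (not code from the report or from the dependency-check project). It encodes Maven's documented transitive-scope table and nearest-wins mediation and resolves the chain described above from the point of view of a consuming project. The artifact coordinates are the ones named in the report; the consuming `example-project`, the plain `dependency-check-maven` name and the exact shape of each graph are assumptions for illustration. It goes a little beyond the report by also resolving the recommended layout (everything that drags in `maven-core` declared provided) and a consumer that pins the scope itself.

```python
"""Maven transitive-scope propagation modelled on the chain in this report.

Added example: not code from the report or from the dependency-check project.
Artifact coordinates come from the report; the consuming "example-project"
and the shape of each graph are assumptions for illustration.
"""
from collections import deque

# Maven's transitive scope table (Introduction to the Dependency Mechanism):
# (scope of a dependency as seen from the root, scope it declares for its own
# dependency) -> scope seen from the root. Pairs not listed are omitted:
# provided and test dependencies of a dependency are never propagated.
SCOPE_TABLE = {
    ("compile", "compile"): "compile",
    ("compile", "runtime"): "runtime",
    ("provided", "compile"): "provided",
    ("provided", "runtime"): "provided",
    ("runtime", "compile"): "runtime",
    ("runtime", "runtime"): "runtime",
    ("test", "compile"): "test",
    ("test", "runtime"): "test",
}

# Constructed graphs: artifact -> [(dependency, declared scope), ...]
DCM = "dependency-check-maven"
MAT = "org.apache.maven.shared:maven-artifact-transfer:0.13.1"
CORE = "org.apache.maven:maven-core:3.6.3"
ROOT = "example-project"  # assumed consumer declaring the plugin artifact

# The situation the report describes.
REPORTED = {
    ROOT: [(DCM, "compile")],
    DCM: [(MAT, "compile"), (CORE, "provided")],
    MAT: [(CORE, "compile")],
}

# The report's recommendation: maven-core, and the artifact that drags it in,
# reach consumers only through provided scope, which is not propagated.
RECOMMENDED = {
    ROOT: [(DCM, "compile")],
    DCM: [(MAT, "provided"), (CORE, "provided")],
    MAT: [(CORE, "compile")],
}

# Consumer-side workaround: declaring maven-core directly makes that
# declaration the nearest one, so it wins dependency mediation.
CONSUMER_PINNED = {
    ROOT: [(DCM, "compile"), (CORE, "provided")],
    DCM: [(MAT, "compile"), (CORE, "provided")],
    MAT: [(CORE, "compile")],
}


def resolve(graph, root=ROOT):
    """Breadth-first resolution from `root`.

    Applies SCOPE_TABLE at every hop below the root and Maven's nearest-wins
    rule: the shallowest path to an artifact fixes its scope and deeper paths
    are discarded. An omitted (non-propagated) node does not block deeper
    paths, which is why the plugin's own provided declaration gives consumers
    no protection. Returns {artifact: (effective scope, depth)}.
    """
    resolved = {}
    queue = deque([(root, None, 0)])
    while queue:
        artifact, scope, depth = queue.popleft()
        for dep, declared in graph.get(artifact, []):
            effective = declared if depth == 0 else SCOPE_TABLE.get((scope, declared))
            if effective is None or dep in resolved:
                continue
            resolved[dep] = (effective, depth + 1)
            queue.append((dep, effective, depth + 1))
    return resolved


def effective_scope(graph, artifact, root=ROOT):
    """Scope under which `artifact` lands on the consumer's classpath, or None."""
    entry = resolve(graph, root).get(artifact)
    return entry[0] if entry else None


if __name__ == "__main__":
    for name, graph in (("reported", REPORTED), ("recommended", RECOMMENDED),
                        ("consumer-pinned", CONSUMER_PINNED)):
        print(f"{name:16} maven-core scope: {effective_scope(graph, CORE)}")
```

Running it shows `maven-core` arriving as `compile` at depth 3 in the reported layout, absent in the recommended one, and `provided` at depth 1 when the consumer declares it directly; a real project can confirm the same path with `mvn dependency:tree` before and after adding an `<exclusion>` or its own provided declaration.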
Version of dependency-check used

The problem occurs using version 12.1.0 of the maven plugin.

Log file

N/A

To Reproduce

Steps to reproduce the behavior:

- Create a simple project containing `dependency-check-maven`, like this: https://gist.github.com/johanblumenberg/72d74aa8520292e1fb220a06de1490af
- Run `mvn verify`
- Open `target/dependency-check-report.html` and check the critical items reported.

Expected behavior

No critical vulnerabilities coming from the `dependency-check-maven` plugin itself.

Additional context

N/A