MarcGiffing/wicket-spring-boot

Maven central release rejected due to dependency vulnerabilities

MarcGiffing opened this issue · 9 comments

The dependency

<groupId>com.github.jennybrown8.wicket-source</groupId>
<artifactId>wicket-source</artifactId>

has a transitive dependency to

maven/org.apache.wicket/wicket@8.0.0-M1

which has a vulnerability

[CVE-2016-6806] Cross-Site Request Forgery (CSRF)
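Added example (not from the wicket-spring-boot project or from wicket-source) of how a consumer pom.xml keeps the wicket-source dependency but prevents it from pulling in the flagged 8.0.0-M1 build: the Wicket version is pinned in `dependencyManagement`, which Maven applies to transitive dependencies as well, and the transitive artifact is additionally excluded so the intent is explicit. The version values are placeholders; the artifactId `wicket-core` is an assumption (the report above names `org.apache.wicket/wicket`), so match it against what `mvn dependency:tree -Dincludes=org.apache.wicket` prints for your build.

```xml
<!-- Added example, not the project's own pom.xml.
     Placeholders: set wicket.version to the Wicket release this project
     already builds against and that is not affected by CVE-2016-6806;
     set WICKET-SOURCE-VERSION to the wicket-source release in use. -->
<properties>
  <wicket.version>FIXED-WICKET-VERSION</wicket.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Managed versions also apply to transitive dependencies, so no
         third-party artifact can resolve Wicket to 8.0.0-M1 on its own. -->
    <dependency>
      <groupId>org.apache.wicket</groupId>
      <artifactId>wicket-core</artifactId>
      <version>${wicket.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- The project's own, direct Wicket dependency (version comes from
       dependencyManagement above). -->
  <dependency>
    <groupId>org.apache.wicket</groupId>
    <artifactId>wicket-core</artifactId>
  </dependency>

  <dependency>
    <groupId>com.github.jennybrown8.wicket-source</groupId>
    <artifactId>wicket-source</artifactId>
    <version>WICKET-SOURCE-VERSION</version>
    <exclusions>
      <!-- Explicitly drop the Wicket artifact wicket-source declares;
           the direct, managed dependency above is used instead.
           artifactId is an assumption: use the one dependency:tree reports. -->
      <exclusion>
        <groupId>org.apache.wicket</groupId>
        <artifactId>wicket-core</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.wicket` should list only the pinned version; if 8.0.0-M1 still appears, the scanner is reporting a different artifactId than the one excluded, and the exclusion (not the managed version) needs to be corrected.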

Seen, thanks for the note. I'll see what I can do to get a fixed build; not sure on timeline.

Thank you, @jennybrown8 !

Another option is to donate wicket-source project to https://github.com/wicketstuff/core/

I don't understand why I can't deploy to nexus. I always get the following message:

[INFO] [INFO] * Upload of locally staged artifacts finished.
[INFO] [INFO] * Closing staging repository with ID "comgiffing-1119".
[INFO]
[INFO] Waiting for operation to complete...
[INFO] ......................................................................................
[INFO] [WARNING] TIMEOUT after 302,4 s
[INFO]
[INFO] [ERROR] Rule failure while trying to close staging repository with ID "comgiffing-1119".
[INFO] [ERROR]
[INFO] [ERROR] Nexus Staging Rules Failure Report
[INFO] [ERROR] ==================================
[INFO] [ERROR]
[INFO] [ERROR]
[INFO] [ERROR] Cleaning up local stage directory after a Rule failure during close of staging repositories: []
[INFO] [ERROR] * Deleting context 4aa2f4b9b81fda.properties
[INFO] [ERROR] Cleaning up remote stage repositories after a Rule failure during close of staging repositories: []
[INFO] [ERROR] * Dropping failed staging repository with ID "comgiffing-1119" (Rule failure during close of staging repositories: []).
[INFO]
[INFO] Waiting for operation to complete...

There is no information about what is going wrong. For some failures I got a mail with dependency vulnerabilities. But I'm not sure if that's the real problem. Most of the time it's only the log output above.

I've analyzed the master branch with the help of lift.sonatype.com. There are critical errors for a tomcat version which is not used.

Development environment: (screenshot)

lift.sonatype.com: (screenshot)


It seems that the problem is Apache Shiro. I'm not sure if provided dependencies should result in a critical error because they are NOT provided.... any ideas?

(screenshot)

It's not a dependency vulnerability issue. I've got the following message:

(screenshot)

I have no idea.
Better file a ticket at https://issues.sonatype.org/

I've made a release of wicket-source:9.0.0 to maven central, which should become available in the indexes shortly. Not sure if that actually helps your issue here or not, but it's available.