CODEWITHSUNDEEP
javamavensecuritypom.xmltrivy
Nicola Cortese
Nicola Cortese

Reputation: 11

Unable to update the maven-core dependency version within the plugin maven-compiler-plugin

I'm trying to resolve a vulnerability (CVE-2021-26291) related to the dependency maven-core version 3.2.5, which is being pulled in by the build plugin maven-compiler-plugin version 3.12.1.

I tried following the official maven guide, by adding the version as follows:

<plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.12.1</version>
                <dependencies>
                    <dependency>
                        <groupId>org.apache.maven</groupId>
                        <artifactId>maven-core</artifactId>
                        <version>3.9.8</version>
                    </dependency>
                </dependencies>
                <configuration>
                    <source>${maven.compiler.source}</source>
                    <target>${maven.compiler.target}</target>
                </configuration>
            </plugin>

however I can still see the old version being pulled in when I run the mvn dependency:resolve-plugins command:

org.apache.maven.plugins:maven-site-plugin:maven-plugin:3.12.1
[INFO]       org.apache.maven.plugins:maven-site-plugin:jar:3.12.1
[INFO]       org.apache.maven.reporting:maven-reporting-api:jar:3.1.1
[INFO]       org.apache.maven.reporting:maven-reporting-exec:jar:1.6.0
[INFO]       org.apache.maven:maven-artifact:jar:3.2.5 
[INFO]       org.apache.maven:maven-core:jar:3.2.5

I'm not sure why it comes through as maven-site-plugin, though the version matches the one I indicate in the compiler, could it be because it is somehow nested within the compiler dependency? I do not make any direct reference to the maven-site-plugin in my pom.

Any help is very much appreciated as to why it behaves like this or if I'm doing something wrong. Thanks!

Upvotes: 0

Views: 249

Answers (1)

Gerold Broser
Gerold Broser

Reputation: 14782

The mvn-site-plugin:3.12.1's POM contains:

...
<properties>
    <mavenVersion>3.2.5</mavenVersion>
...
<dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-core</artifactId>
      <version>${mavenVersion}</version>
...

I'd not expect to change its maven-core version just by changing it for the maven-compiler-plugin.

mvn-site-plugin's goals are bound to phases of the site lifecycle by default. Perhaps you (or someone else) ran the site lifecycle on the command line at least once in the past and you don't know/remember. ;)

Upvotes: 0

Related Questions