
update plexus-build-api #717

Closed
nekitoss opened this issue Mar 12, 2024 · 4 comments
Labels
dependencies Pull requests that update a dependency file
Milestone

Comments

@nekitoss

Describe the bug (required)

I've included this amazing plugin in my project, but then immediately Snyk.io notified me about 3 new vulnerabilities added via a transitive dependency of

<dependency>
    <groupId>org.sonatype.plexus</groupId>
    <artifactId>plexus-build-api</artifactId>
    <version>0.0.7</version>
</dependency>

I wanted to fix that using <dependencyManagement> by forcing the version of that plugin, but it is not possible.
The problem is that they moved from org.sonatype.plexus to org.codehaus.plexus.
So I can't override the version (or I don't know how to force-change it).
Maybe that is also the reason why your automated system didn't notice that and didn't suggest an upgrade.

So if it is possible, can you change the groupId and update to the latest plugin version?

Tell us about your plugin configuration (required)

<plugin>
  <groupId>io.github.git-commit-id</groupId>
  <artifactId>git-commit-id-maven-plugin</artifactId>
</plugin>

Tell us about the Plugin version used (required)

8.0.1

Tell us about the Maven version used (required)

Apache Maven 3.8.5

Steps to Reproduce (required)

Use the Snyk.io plugin for IntelliJ IDEA or visit the mvn repository site

Are there any stacktraces or any error messages? (required)

Vulnerabilities from dependencies:
CVE-2022-4245
CVE-2022-4244
CVE-2017-1000487

Is there a (public) project where this issue can be reproduced? (optional)

No response

Your Environment (optional)

No response

Context (optional)

No response

@nekitoss
Author

nekitoss commented Mar 12, 2024

I wanted to try to update it myself and cloned the repo, but when I try to do plugin verify/compile I get "Permission denied" for the submodule.
Because of that I cannot create a PR for you.

mvn clean compile

[INFO] Scanning for projects...
[INFO]
[INFO] ---------< io.github.git-commit-id:git-commit-id-maven-plugin >---------
[INFO] Building Git Commit Id Maven Plugin 8.0.2-SNAPSHOT
[INFO] ----------------------------[ maven-plugin ]----------------------------
[INFO]
[INFO] --- maven-clean-plugin:3.3.2:clean (default-clean) @ git-commit-id-maven-plugin ---
[INFO]
[INFO] --- maven-enforcer-plugin:3.4.1:enforce (enforce-maven) @ git-commit-id-maven-plugin ---
[INFO] Rule 0: org.apache.maven.enforcer.rules.version.RequireMavenVersion passed
[INFO]
[INFO] --- exec-maven-plugin:3.2.0:exec (clone git submodule) @ git-commit-id-maven-plugin ---
Cloning into '/Users/xxx/git-commit-id-maven-plugin/src/test/resources'...
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights and the repository exists.
fatal: clone of 'git@github.com:git-commit-id/git-test-resources.git' into submodule path '/Users/xxx/git-commit-id-maven-plugin/src/test/resources' failed
Failed to clone 'src/test/resources'. Retry scheduled
Cloning into '/Users/xxx/git-commit-id-maven-plugin/src/test/resources'...
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights and the repository exists.
fatal: clone of 'git@github.com:git-commit-id/git-test-resources.git' into submodule path '/Users/xxx/git-commit-id-maven-plugin/src/test/resources' failed
Failed to clone 'src/test/resources' a second time, aborting

[ERROR] Command execution failed.
org.apache.commons.exec.ExecuteException: Process exited with an error: 1 (Exit value: 1)
    at org.apache.commons.exec.DefaultExecutor.executeInternal (DefaultExecutor.java:355)
    at org.apache.commons.exec.DefaultExecutor.execute (DefaultExecutor.java:253)
    at org.codehaus.mojo.exec.ExecMojo.executeCommandLine (ExecMojo.java:884)
    at org.codehaus.mojo.exec.ExecMojo.executeCommandLine (ExecMojo.java:844)
    at org.codehaus.mojo.exec.ExecMojo.execute (ExecMojo.java:450)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:301)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:211)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:165)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:157)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:121)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:127)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:294)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:960)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:293)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:196)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:77)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:568)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)

[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  2.172 s
[INFO] Finished at: 2024-03-12T14:28:50+02:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.codehaus.mojo:exec-maven-plugin:3.2.0:exec (clone git submodule) on project git-commit-id-maven-plugin: Command execution failed.: Process exited with an error: 1 (Exit value: 1) -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

@TheSnoozer
Collaborator

Hello, thanks for the detailed report.
Let me start with the "Permission denied" when you try to build/compile the plugin. This project depends on submodules.
In particular git-commit-id/git-test-resources.git, which would get cloned as a submodule into the path git-commit-id-maven-plugin/src/test/resources.
To fix this problem, please clone the project with submodules.

The exec-maven-plugin:3.2.0:exec (clone git submodule) step is unfortunately needed when releasing the plugin. The maven-release plugin creates a new clone (from the pushed tag) but forgets to clone the submodule. This step ensures that the submodule is cloned when it's not available.

Regarding the issue you posted:
Ok, sure, I can update the dependency.
However, I must admit I'm not sure if this plugin is affected by any of the CVEs you posted.

As per the mvn dependency tree:

$ mvn dependency:tree
[INFO] Scanning for projects...
[INFO] 
[INFO] ---------< io.github.git-commit-id:git-commit-id-maven-plugin >---------
[INFO] Building Git Commit Id Maven Plugin 8.0.2-SNAPSHOT
[INFO]   from pom.xml
[INFO] ----------------------------[ maven-plugin ]----------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.6.1:tree (default-cli) @ git-commit-id-maven-plugin ---
[INFO] io.github.git-commit-id:git-commit-id-maven-plugin:maven-plugin:8.0.2-SNAPSHOT
[INFO] +- org.apache.maven:maven-plugin-api:jar:3.9.2:provided
[INFO] |  +- org.apache.maven:maven-model:jar:3.9.2:provided
[INFO] |  +- org.apache.maven:maven-artifact:jar:3.9.2:provided
[INFO] |  +- org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.5:provided
[INFO] |  |  \- javax.annotation:javax.annotation-api:jar:1.2:provided
[INFO] |  +- org.codehaus.plexus:plexus-utils:jar:3.5.1:compile
[INFO] |  \- org.codehaus.plexus:plexus-classworlds:jar:2.7.0:provided
[INFO] +- org.apache.maven:maven-core:jar:3.9.2:provided
[INFO] |  +- org.apache.maven:maven-settings:jar:3.9.2:provided
[INFO] |  +- org.apache.maven:maven-settings-builder:jar:3.9.2:provided
[INFO] |  |  \- org.codehaus.plexus:plexus-sec-dispatcher:jar:2.0:provided
[INFO] |  |     \- org.codehaus.plexus:plexus-cipher:jar:2.0:provided
[INFO] |  +- org.apache.maven:maven-builder-support:jar:3.9.2:provided
[INFO] |  +- org.apache.maven:maven-repository-metadata:jar:3.9.2:provided
[INFO] |  +- org.apache.maven:maven-model-builder:jar:3.9.2:provided
[INFO] |  +- org.apache.maven:maven-resolver-provider:jar:3.9.2:provided
[INFO] |  +- org.apache.maven.resolver:maven-resolver-impl:jar:1.9.10:provided
[INFO] |  |  \- org.apache.maven.resolver:maven-resolver-named-locks:jar:1.9.10:provided
[INFO] |  +- org.apache.maven.resolver:maven-resolver-api:jar:1.9.10:provided
[INFO] |  +- org.apache.maven.resolver:maven-resolver-spi:jar:1.9.10:provided
[INFO] |  +- org.apache.maven.resolver:maven-resolver-util:jar:1.9.10:provided
[INFO] |  +- org.apache.maven.shared:maven-shared-utils:jar:3.3.4:provided
[INFO] |  +- org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.5:provided
[INFO] |  +- com.google.inject:guice:jar:5.1.0:provided
[INFO] |  |  \- aopalliance:aopalliance:jar:1.0:provided
[INFO] |  +- com.google.guava:guava:jar:31.1-jre:provided
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:provided
[INFO] |  +- javax.inject:javax.inject:jar:1:provided
[INFO] |  +- org.codehaus.plexus:plexus-interpolation:jar:1.26:provided
[INFO] |  +- org.codehaus.plexus:plexus-component-annotations:jar:2.1.0:provided
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.12.0:provided
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] +- io.github.git-commit-id:git-commit-id-plugin-core:jar:6.0.0-rc.8:compile
[INFO] |  +- org.eclipse.jgit:org.eclipse.jgit:jar:6.7.0.202309050840-r:compile
[INFO] |  |  +- com.googlecode.javaewah:JavaEWAH:jar:1.2.3:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.16.0:compile
[INFO] |  +- org.eclipse.jgit:org.eclipse.jgit.ssh.jsch:jar:6.7.0.202309050840-r:compile
[INFO] |  |  +- com.jcraft:jsch:jar:0.1.55:compile
[INFO] |  |  \- com.jcraft:jzlib:jar:1.1.3:compile
[INFO] |  +- joda-time:joda-time:jar:2.12.7:compile
[INFO] |  +- nu.studer:java-ordered-properties:jar:1.0.4:compile
[INFO] |  +- jakarta.json:jakarta.json-api:jar:2.1.3:compile
[INFO] |  +- org.eclipse.parsson:parsson:jar:1.1.5:compile
[INFO] |  \- org.yaml:snakeyaml:jar:2.2:compile
[INFO] +- org.sonatype.plexus:plexus-build-api:jar:0.0.7:compile
[INFO] +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] +- org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.11.0:provided
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.assertj:assertj-core:jar:3.25.3:test
[INFO] |  \- net.bytebuddy:byte-buddy:jar:1.14.11:test
[INFO] +- org.mockito:mockito-core:jar:5.10.0:test
[INFO] |  +- net.bytebuddy:byte-buddy-agent:jar:1.14.11:test
[INFO] |  \- org.objenesis:objenesis:jar:3.3:test
[INFO] +- commons-io:commons-io:jar:2.15.1:test
[INFO] +- pl.pragmatists:JUnitParams:jar:1.1.1:test
[INFO] \- org.slf4j:slf4j-simple:jar:2.0.12:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.575 s
[INFO] ------------------------------------------------------------------------

This plugin depends on org.sonatype.plexus:plexus-build-api:jar:0.0.7:compile, which is not mentioned in the CVEs.
The only plexus-utils I see comes directly from org.apache.maven:maven-plugin-api:jar:3.9.2:provided (granted, that should also be updated to 3.9.6).
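As an added example (not from the issue or the project), a small Python parser for the `mvn dependency:tree` output format quoted above: for a watchlist of coordinates such as the two plexus artifacts discussed here, it reports which direct dependency pulls each one in. The sample tree is a constructed excerpt of the output above.

```python
import re
from collections import namedtuple

# Constructed sample: an excerpt of the `mvn dependency:tree` output quoted in the issue.
SAMPLE_TREE = """[INFO] Scanning for projects...
[INFO] io.github.git-commit-id:git-commit-id-maven-plugin:maven-plugin:8.0.2-SNAPSHOT
[INFO] +- org.apache.maven:maven-plugin-api:jar:3.9.2:provided
[INFO] |  +- org.apache.maven:maven-model:jar:3.9.2:provided
[INFO] |  +- org.codehaus.plexus:plexus-utils:jar:3.5.1:compile
[INFO] |  \\- org.codehaus.plexus:plexus-classworlds:jar:2.7.0:provided
[INFO] +- org.sonatype.plexus:plexus-build-api:jar:0.0.7:compile
[INFO] \\- org.slf4j:slf4j-simple:jar:2.0.12:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""

# A tree line is "[INFO] " + a prefix of 3-character groups ("+- ", "\- ", "|  ", "   ")
# + "group:artifact:type[:classifier]:version[:scope]"; everything else is build noise.
LINE_RE = re.compile(r"^\[INFO\] ((?:\+- |\\- |\|  |   )*)([^\s:]+(?::[^\s:]+){3,5})$")

Dep = namedtuple("Dep", "ga version scope depth path")  # path = ancestors, root first

def parse_tree(text):
    """Turn dependency:tree output into Dep records, each carrying its ancestor chain."""
    deps, stack = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # banners, blank [INFO] lines, build summary
        depth = len(m.group(1)) // 3
        fields = m.group(2).split(":")
        ga = f"{fields[0]}:{fields[1]}"
        # the root line has no scope (g:a:type:version); children end in version:scope
        has_scope = len(fields) >= 5
        version = fields[-2] if has_scope else fields[-1]
        scope = fields[-1] if has_scope else None
        del stack[depth:]  # drop ancestors at this depth or deeper
        deps.append(Dep(ga, version, scope, depth, tuple(stack)))
        stack.append(ga)
    return deps

def report(deps, watch):
    """One line per watched group:artifact, naming the direct dependency that pulls it in."""
    lines = []
    for d in deps:
        if d.ga in watch:
            via = d.path[1] if len(d.path) > 1 else "direct dependency"
            lines.append(f"{d.ga}:{d.version} ({d.scope}) via {via}")
    return lines
```

Feeding it the full tree from the comment above answers the question the thread turns on: whether a flagged artifact is a direct dependency the plugin can swap itself, or a transitive one that only a Maven upgrade will move.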

TheSnoozer added a commit that referenced this issue Mar 12, 2024
@TheSnoozer TheSnoozer added this to the next milestone Mar 12, 2024
@TheSnoozer TheSnoozer added dependencies Pull requests that update a dependency file and removed bug to-triage labels Mar 12, 2024
@TheSnoozer
Collaborator

Thanks again for the report. I have updated the dependency now.

@TheSnoozer
Collaborator

plexus-build-api-0.0.7 depends on org.codehaus.plexus:plexus-utils:1.5.8

plexus-build-api-1.2.0 depends on org.codehaus.plexus:plexus-utils:4.0.0

As per

So updating to plexus-utils 4.0.0 should fix those problems (if they can be exploited somehow); also, 4.0.0 is the latest version available on https://mvnrepository.com/artifact/org.codehaus.plexus/plexus-utils
