Java maven-core-3.0.jar maven-core-3.1.0.jar 上的 CVE-2021-26291

Java CVE-2021-26291 on maven-core-3.0.jar maven-core-3.1.0.jar

关于 maven-core-3 上的 CVE-2021-26291 的小问题。0.jar maven-core-3.1。0.jar 请。

关于一个很简单的项目,下面是哪个pom文件(请随意复制粘贴)

Maven 版本为:Apache Maven 3.6.3

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.6.5</version>
        <relativePath/>
    </parent>

    <groupId>org.example</groupId>
    <artifactId>cvequestion</artifactId>
    <version>1.0-SNAPSHOT</version>
    <packaging>pom</packaging>

    <properties>
        <java.version>11</java.version>
        <maven.compiler.source>11</maven.compiler.source>
        <maven.compiler.target>11</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <project.type>application</project.type>
        <sonar.java.coveragePlugin>jacoco</sonar.java.coveragePlugin>
        <sonar.java.libraries>target/</sonar.java.libraries>
        <sonar.junit.reportsPaths>target/reports/junit</sonar.junit.reportsPaths>
        <sonar.language>java</sonar.language>
    </properties>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>2021.0.1</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-webflux</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-cassandra-reactive</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-kubernetes-fabric8</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-config-client</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-sleuth</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-sleuth-zipkin</artifactId>
        </dependency>
        <dependency>
            <groupId>io.projectreactor.netty</groupId>
            <artifactId>reactor-netty-http-brave</artifactId>
        </dependency>
        <dependency>
            <groupId>io.micrometer</groupId>
            <artifactId>micrometer-registry-prometheus</artifactId>
        </dependency>
        <dependency>
            <groupId>io.github.resilience4j</groupId>
            <artifactId>resilience4j-micrometer</artifactId>
        </dependency>
        <dependency>
            <groupId>io.github.resilience4j</groupId>
            <artifactId>resilience4j-reactor</artifactId>
        </dependency>
        <dependency>
            <groupId>io.github.resilience4j</groupId>
            <artifactId>resilience4j-spring-boot2</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-contract-verifier</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.junit.jupiter</groupId>
            <artifactId>junit-jupiter</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.mockito</groupId>
            <artifactId>mockito-core</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>com.lmax</groupId>
            <artifactId>disruptor</artifactId>
            <version>3.4.4</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.statemachine</groupId>
            <artifactId>spring-statemachine-core</artifactId>
            <version>3.0.1</version>
        </dependency>
        <dependency>
            <groupId>net.logstash.logback</groupId>
            <artifactId>logstash-logback-encoder</artifactId>
            <version>7.0.1</version>
        </dependency>
        <dependency>
            <groupId>de.codecentric</groupId>
            <artifactId>spring-boot-admin-starter-client</artifactId>
            <version>2.6.2</version>
        </dependency>
        <dependency>
            <groupId>org.springdoc</groupId>
            <artifactId>springdoc-openapi-webflux-ui</artifactId>
            <version>1.6.6</version>
        </dependency>
        <dependency>
            <groupId>io.github.hakky54</groupId>
            <artifactId>sslcontext-kickstart-for-netty</artifactId>
            <version>7.3.0</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
                <configuration>
                    <testFailureIgnore>true</testFailureIgnore>
                    <reportsDirectory>target/reports/junit</reportsDirectory>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-javadoc-plugin</artifactId>
                <configuration>
                    <outputDirectory>target/javadoc</outputDirectory>
                    <reportOutputDirectory>target/javadoc</reportOutputDirectory>
                    <javadocExecutable>${java.home}/bin/javadoc</javadocExecutable>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>javadoc</goal>
                        </goals>
                        <phase>site</phase>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                <groupId>org.sonarsource.scanner.maven</groupId>
                <artifactId>sonar-maven-plugin</artifactId>
                <version>3.9.1.2184</version>
                <dependencies>
                    <dependency>
                        <groupId>org.codehaus.woodstox</groupId>
                        <artifactId>woodstox-core-asl</artifactId>
                        <version>4.4.1</version>
                    </dependency>
                </dependencies>
            </plugin>
            <plugin>
                <groupId>com.github.spotbugs</groupId>
                <artifactId>spotbugs-maven-plugin</artifactId>
                <version>4.5.3.0</version>
                <configuration>
                    <outputDirectory>target/reports/findbugs</outputDirectory>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-pmd-plugin</artifactId>
                <version>3.16.0</version>
                <configuration>
                    <targetDirectory>.out/reports/pmd</targetDirectory>
                    <outputDirectory>target/reports/pmd</outputDirectory>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-checkstyle-plugin</artifactId>
                <version>3.1.2</version>
                <configuration>
                    <outputFile>.out/reports/checkstyle/checkstyle-result.xml</outputFile>
                    <outputDirectory>target/reports/checkstyle</outputDirectory>
                    <outputFileFormat>xml</outputFileFormat>
                </configuration>
                <dependencies>
                    <dependency>
                        <groupId>com.puppycrawl.tools</groupId>
                        <artifactId>checkstyle</artifactId>
                        <version>10.0</version>
                    </dependency>
                </dependencies>
            </plugin>
            <plugin>
                <groupId>org.jacoco</groupId>
                <artifactId>jacoco-maven-plugin</artifactId>
                <version>0.8.7</version>
                <configuration>
                    <append>true</append>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>prepare-agent</goal>
                        </goals>
                    </execution>
                    <execution>
                        <id>report</id>
                        <phase>verify</phase>
                        <goals>
                            <goal>report</goal>
                            <goal>report-aggregate</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                <groupId>org.pitest</groupId>
                <artifactId>pitest-maven</artifactId>
                <version>1.7.5</version>
                <configuration>
                    <withHistory>true</withHistory>
                    <threads>16</threads>
                    <outputFormats>
                        <param>XML</param>
                        <param>HTML</param>
                    </outputFormats>
                    <mutators>
                        <mutator>CONDITIONALS_BOUNDARY</mutator>
                        <mutator>INCREMENTS</mutator>
                        <mutator>INVERT_NEGS</mutator>
                        <mutator>MATH</mutator>
                        <mutator>NEGATE_CONDITIONALS</mutator>
                        <mutator>EMPTY_RETURNS</mutator>
                        <mutator>FALSE_RETURNS</mutator>
                        <mutator>TRUE_RETURNS</mutator>
                        <mutator>PRIMITIVE_RETURNS</mutator>
                        <mutator>REMOVE_INCREMENTS</mutator>
                        <mutator>EXPERIMENTAL_BIG_INTEGER</mutator>
                        <mutator>EXPERIMENTAL_MEMBER_VARIABLE</mutator>
                        <mutator>EXPERIMENTAL_SWITCH</mutator>
                    </mutators>
                </configuration>
                <dependencies>
                    <dependency>
                        <groupId>org.pitest</groupId>
                        <artifactId>pitest-junit5-plugin</artifactId>
                        <version>0.15</version>
                    </dependency>
                </dependencies>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-site-plugin</artifactId>
                <version>3.11.0</version>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-project-info-reports-plugin</artifactId>
                <version>3.2.2</version>
            </plugin>
        </plugins>
    </build>

    <reporting>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-jxr-plugin</artifactId>
                <version>3.2.0</version>
            </plugin>
        </plugins>
    </reporting>

</project>

我正在运行进行静态分析以找出 CVE。

就我而言,在 maven-core-3.0.jar maven-core-3.1.0.jar 上找到了 CVE-2021-26291。

对结果感到非常惊讶,因为我没有使用任何 maven 核心 jar。

然后我 运行 命令 mvn clean install dependency:tree -X 以解决问题。 (请随意 运行 相同,问题是 100% 可重现的)

从三者看来:

[INFO] --- jacoco-maven-plugin:0.8.7:prepare-agent (default) @ cvequestion ---
[DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=146555, ConflictMarker.markTime=114395, ConflictMarker.nodeCount=94, ConflictIdSorter.graphTime=72340, ConflictIdSorter.topsortTime=57819, ConflictIdSorter.conflictIdCount=40, ConflictIdSorter.conflictIdCycleCount=0, ConflictResolver.totalTime=852861, ConflictResolver.conflictItemCount=87, DefaultDependencyCollector.collectTime=267858813, DefaultDependencyCollector.transformTime=1327133}
[DEBUG] org.jacoco:jacoco-maven-plugin:jar:0.8.7
[DEBUG]    org.apache.maven:maven-plugin-api:jar:3.0:compile
[DEBUG]       org.apache.maven:maven-model:jar:3.0:compile
[DEBUG]       org.apache.maven:maven-artifact:jar:3.0:compile
[DEBUG]       org.sonatype.sisu:sisu-inject-plexus:jar:1.4.2:compile
[DEBUG]          org.sonatype.sisu:sisu-inject-bean:jar:1.4.2:compile
[DEBUG]             org.sonatype.sisu:sisu-guice:jar:noaop:2.1.7:compile
[DEBUG]    org.apache.maven:maven-core:jar:3.0:compile

我试图做的,甚至是在 pom 的插件和依赖块中添加最新的 maven 核心 3.8.5(截至撰写本文时最新版本为 2022 年 3 月),但仍然看到这两个特定版本,以及 CVE。

请问,为什么他们在我的依赖中?

最重要的是,我该如何解决这个技术问题?

谢谢

在这种情况下,真正的问题是那些分析插件的扫描工具是完全错误的,因为它们不是结果工件的一部分。工件 maven-core 的使用(定义为插件的依赖项)也与在命令行上使用 Maven (3.0.5) 的结果不同。

报告的问题与 org.apache.maven:maven-core:jar:3.0:compile 有关,插件需要它作为依赖项来定义 api(更准确:org.apache.maven:maven-plugin-api:jar:3.0:compile),它定义了 Maven 的最低版本该插件将支持。

reported CVE 与以下问题有关,即如果 pom 文件包含的存储库具有 http 而不是 https,这可用于引入一些恶意工件。这已由 Maven 3.8.2+ 修复,但它与使用 maven-core/maven-plugin-api 作为插件开发的工件无关。