Update version of commons-collections in jacoco-maven-plugin #645
Conversation
| </prerequisites> | ||
|
|
||
| <dependencyManagement> | ||
| <dependencies> |
There was a problem hiding this comment.
@Godin Should we leave a comment here, why this redundant/explicit dependency has been added?
There was a problem hiding this comment.
@marchof dependencyManagement is to explicitly declare version of transitive dependency, so strictly speaking can't say that it is redundant, and some even advice to fully control transivite dependencies and always explicitly declare their versions. And seems that commons-collections uses semantic versioning, so update from 3.2 to 3.2.2 (on its own) seems like a good idea to grab bug-fixes. Commit message and so git blame will anyway be linked with this PR and hence with initial ticket. But also can add link to a ticket as a comment, or you was thinking about some other comment?
There was a problem hiding this comment.
@Godin Someone looking at it might ask: why do we care about this version? I was thinking about a in-line comment like:
Avoid transitive dependency on version with security issue CVE-2015-7450
There was a problem hiding this comment.
@marchof I still don't believe that serialization can be involved during execution of plugin, and so don't believe that security issue can be exploited here, also because
--- jacoco-maven-plugin.test/pom.xml
+++ jacoco-maven-plugin.test/pom.xml
@@ -31 +31 @@
- <jacoco.includes>org.jacoco.maven.*</jacoco.includes>
+ <jacoco.includes>*</jacoco.includes>$ mvn clean install
$ java -jar /tmp/jacoco-0.8.0/lib/jacococli.jar execinfo jacoco-maven-plugin.test/target/jacoco.exec | grep InvokerTransformer | wc -l
0
insecure org/apache/commons/collections/functors/InvokerTransformer is not touched during execution of our tests that IMO quite exhaustive. And so didn't wanted to scare by comment users that browse sources or follow commits (see for example 6a0c097#commitcomment-26640407) 😉 But ok - can add such message and let you handle user questions about where is immediate release to fix security vulnerability 😆 or maybe add such comment just before release to scare users of old versions 😈
There was a problem hiding this comment.
BTW latest version of org.apache.maven.reporting:maven-reporting-impl:3.0.0 brings 3.2.1 as transitive dependency, so I'm pretty sure that many Maven plugins do not have 3.2.2.
There was a problem hiding this comment.
@Godin After this discussion I feel like we should close #641 as ´Other Project´.
- The only sustainable fix is bumping the dependency in the
maven-reporting-implproject. - There are many other plugins depending on it, so why adding a hack in JaCoCo?
- As you wrote the vulnerable part is not used.
- Builds need excessive local privileges like access to the file system, network etc anyways. So either you trust your build or you run it in a sandboxed environment.
|
@Godin What is your preference about this issue?
After the discussion my personal preference would be 2. |
|
@marchof well, looks like we will need third opinion 😆 Maybe as a trade-off can propose to update this PR with comment next to dependency on Or we can flip a coin to decide - right now Google says that upper side is "heads" 😆 In any case I will love reduction of open tickets and PRs 😉 |
|
@Godin My personal preference is to do nothing here. But I can life with a documented declaration. 👍 for reduction of open tickets |
|
@marchof please check - IMO looks better now |
|
@Godin Looks better now, except that there is no mention why the "slight update" is done. But good to merge for me -- at least I will probably remember why. |
Fixes #641