Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)
Maven home: C:\Tools\apache-maven-3.9.9-bin
Java version: 1.8.0_431, vendor: Oracle Corporation, runtime: C:\Tools\Java\jre
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 10", version: "10.0", arch: "amd64", family: "windows"
java version "1.8.0_431"
Java(TM) SE Runtime Environment (build 1.8.0_431-b10)
Java HotSpot(TM) 64-Bit Server VM (build 25.431-b10, mixed mode)
C:\Users\user\projectX>mvn validate
[INFO] Scanning for projects...
[INFO]
[INFO] -------------------------< projectX:projectX >--------------------------
[INFO] Building ProjectX 1.0-SNAPSHOT
[INFO] from pom.xml
[INFO] --------------------------------[ pom ]---------------------------------
Downloading ...
[INFO]
[INFO] --- enforcer:3.4.1:enforce (enforce-versions) @ projectX ---
Downloading ...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 13.259 s
[INFO] Finished at: 2024-12-04T10:37:41-05:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.4.1:enforce (enforce-versions) on project projectX: Execution enforce-versions of goal org.apache.maven.plugins:maven-enforcer-plugin:3.4.1:enforce failed: Plugin org.apache.maven.plugins:maven-enforcer-plugin:3.4.1 or one of its dependencies could not be resolved:
[ERROR] Could not transfer artifact commons-io:commons-io:jar:2.13.0 from/to nexus (https://nexus.xyz.com/repository/maven): status code: 403, reason phrase: -------------------->>> REQUESTED ITEM IS QUARANTINED -------------------->>> FOR DETAILS SEE ------>>> https://nexus-iq-server.xyz.com:8070/ui/links/repositories/quarantinedComponent/MzBlNmE1NmVjY2MyNDc5ZWI1MGZiNzAyMTkyZjVkODI <<<------ (403)
[ERROR]
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginResolutionException
commons-io : commons-io : 2.13.0
9 Security-High High risk CVSS score
Found security vulnerability CVE-2024-47554 with severity >= 7 (severity = 8.7)
Found security vulnerability CVE-2024-47554 with severity < 9 (severity = 8.7)
Nexus said to upgrade to 2.16.0. Latest version of comomns.io is 2.18.0.
pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://nexus.xyz.com/repository/raw/schemas/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>projectX</groupId>
<artifactId>projectX</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>pom</packaging>
<name>ProjectX</name>
<description>An example of Nexus blocking vulnerable dependencies in Maven Plugins</description>
<url></url>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.16.0</version>
<optional>false</optional>
</dependency>
</dependencies>
</dependencyManagement>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<version>3.4.1</version>
<executions>
<execution>
<id>enforce-versions</id>
<goals>
<goal>enforce</goal>
</goals>
<configuration>
<fail>true</fail>
<rules>
<requireMavenVersion>
<version>3.2.5</version>
</requireMavenVersion>
<requireJavaVersion>
<version>[1.8,)</version>
</requireJavaVersion>
</rules>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>
I access the Maven repository through Nexus. Many of the plugins that I've tried to use have one or more dependencies that are vulnerable. Nexus blocks the vulnerable dependencies and the builds fail. I created the example above to demonstrate the issue as simply as possible. I put a dependency in my pom file in an attempt to override the plugin dependency and it's not working. My assumption was that if you defined a dependency, in dependencyManagement, in your pom, it would override all child dependencies versions, but that appears to be incorrect. Does anyone know of a way to correct this problem? Any help would be greatly appreciated.
Make sure that you use the latest versions of all the Maven plugins
Have a look at the vulnerability and see if it is really "dangerous" if you use it in a Maven run. Many vulnerabilities are not really problematic in this context. If it appears to be not dangerous, you can probably ask the security team of your company to allow it.
Try to override the dependency within the plugin definition (not in the dependencies section of your POM). This may or may not work.