maven-shared-utils@3.2.1 Security Vulnerability: Command Injection

[xmlking]

Describe the bug

My company nexus blocked quarkus-ide-launcher due to the following Vulnerability.
https://snyk.io/vuln/maven:org.apache.maven.shared:maven-shared-utils@3.2.1

Expected behavior

Should not have dependencies issues with quarkus latest version.

Actual behavior

(Describe the actual behavior clearly and concisely.)
please lock org.apache.maven.shared:maven-shared-utils version to 3.3.3 or above.

Fixed in maven-shared-utils@3.3.3
apache/maven-shared-utils#40
https://issues.apache.org/jira/browse/MSHARED-297

To Reproduce

Link to a small reproducer (preferably a Maven project if the issue is not Gradle-specific).

Or attach an archive containing the reproducer to the issue.

Steps to reproduce the behavior:
1.
2.
3.

Configuration

# Add your application.properties here, if applicable.

Screenshots

(If applicable, add screenshots to help explain your problem.)

Environment (please complete the following information):

Output of uname -a or ver

Output of java -version

GraalVM version (if different from Java)

Quarkus version or git rev

Build tool (ie. output of mvnw --version or gradlew --version)

mvn --version
Apache Maven 3.8.1 (05c21c65bdfed0f71a2f2ada8b84da59348c4c5d)
Maven home: /Users/schintha/.sdkman/candidates/maven/current
Java version: 11.0.11, vendor: AdoptOpenJDK, runtime: /Users/<userid>/.sdkman/candidates/java/11.0.11.hs-adpt
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "11.4", arch: "x86_64", family: "mac"

gradle --version
------------------------------------------------------------
Gradle 7.1
------------------------------------------------------------

Build time:   2021-06-14 14:47:26 UTC
Revision:     989ccc9952b140ee6ab88870e8a12f1b2998369e

Kotlin:       1.4.31
Groovy:       3.0.7
Ant:          Apache Ant(TM) version 1.10.9 compiled on September 27 2020
JVM:          11.0.11 (AdoptOpenJDK 11.0.11+9)
OS:           Mac OS X 11.4 x86_64

Additional context

Repo: https://github.com/xmlking/micro-apps

[quarkus-bot]

/cc @evanchooly, @manovotn, @mkouba, @quarkusio/devtools, @sberyozkin

[xmlking]

[xmlking]

[gsmet]

@aloubyansky WDYT? I'm a bit nervous at the idea of using a version different from the one coming with Maven.

[aloubyansky]

If you are using gradle in Quarkus 1.x you should be able to completely exclude all the org.apache.maven dependencies from your project and the io.quarkus plugin.
I am not sure why maven 3.8.1 distribution includes maven-shared-utils 3.2.1 which was released half a year later than e.g. 3.3.0.

[xmlking]

this is really blocking us to use any recent 1.x or 2.x Quarkus releases.
@aloubyansky Could you please guild me, how to completely exclude all the org.apache.maven in Gradle Quarkus 1.x repo ?

I tried this with no lick:

configurations.all {
    resolutionStrategy {
        force("org.apache.maven.shared:maven-shared-utils:3.3.4")
    }
}

I also surprised why maven is not using their own latest deps.
https://mvnrepository.com/artifact/org.apache.maven/maven-core/3.8.1

[aloubyansky]

Which Quarkus version are you using? It should work in, e.g. 1.13.7.Final. E.g.

configurations.all {
     resolutionStrategy {
          exclude group:'org.apache.maven'
      }
}

[xmlking]

@aloubyansky since maven-shared-utils is also used in Gradle plugin, the above solution is not working for me.
looks like the only way is to force org.apache.maven.shared:maven-shared-utils:3.3.4 Quarkus BOM

[aloubyansky]

You mean the Quarkus gradle plugin? You should be able to exclude dependencies from the plugin as well. Which Quarkus version are you using?

[xmlking]

I tried 1.13.7.Final and 1.13.5.Final
https://github.com/xmlking/micro-apps/blob/develop/gradle/libs.versions.toml#L51-L55
our Nexus proxy blacklisted quarkus-ide-launcher-1.13.7.Final.jar and not allowing to pull it. It is marked as vulnerable (due to its dependency on maven-shared-utils)
My understanding is resolutionStrategy/exclude solution only filter our after it pulls the dependency graph.

[aloubyansky]

What if you exclude org.apache.maven.shared, do you still see it among the dependencies locally with 1.13.7.Final?

[hamburml]

We have the same issue and we use maven 3.8.1.

[aloubyansky]

Are you also using gradle?

[aloubyansky]

@gsmet i think we could try upgrading it. I actually did it last week locally and the CI has passed at least.

[famod]

If in doubt, you can ask on maven-dev oder maven-user mailing list.

[famod]

@gnodet Since you were the one who bumped maven-shared-utils from 3.2.1 to 3.3.4 in Maven master (apache/maven#433): Do you think it should be safe for Quarkus to bump shared-utils?
Those dependency unpack adjustments in that PR don't look relevant, AFAICS.
Thanks!

[famod]

FWIW, I raised awareness in an ongoing Maven 3.8.x discussion on maven-dev mailing list: https://lists.apache.org/thread.html/r960d0cc002dfdaa7140694122ae829e6de21ad82daa17427facd267a%40%3Cdev.maven.apache.org%3E

[hamburml]

@aloubyansky No, we use maven 3.8.1. Nexus blocks quarkus-ide-launcher. We simply exclude it on all dependencies which use it - but it's not a great solution.

[aloubyansky]

Thanks for the info @hamburml

[aloubyansky]

I'll add a safe version of maven-shared-utils to the quarkus-bootstrap-bom once #18167 has been merged.