1.4.18 breaks nexus-staging-maven-plugin 1.6.7 #263

Closed
zqfan opened this issue Aug 30, 2021 · 2 comments

zqfan commented Aug 30, 2021

I'm using nexus-staging-maven-plugin 1.6.7, which indirectly requires xstream 1.4.7, but xstream 1.4.7 has a security issue, so I had to bump it to 1.4.17, and it works fine.
But recently GitHub raised a new security alert which asks me to upgrade xstream to 1.4.18, and then nexus-staging-maven-plugin failed with the message:

[ERROR] Failed to execute goal org.sonatype.plugins:nexus-staging-maven-plugin:1.6.8:deploy (injected-nexus-deploy) on project tencentcloud-sdk-java: Execution injected-nexus-deploy of goal org.sonatype.plugins:nexus-staging-maven-plugin:1.6.8:deploy failed: Nexus connection problem to URL [https://oss.sonatype.org/ ]: org.sonatype.nexus.rest.model.StatusResourceResponse -> [Help 1]

After reverting it back to xstream 1.4.17, it works again.

zqfan added a commit to TencentCloud/tencentcloud-sdk-java that referenced this issue Aug 30, 2021
even though 1.4.18 is a security fix to xstream, and we should upgrade it,
but unfortunately it breaks nexus-staging-maven-plugin 1.6.7.

[ERROR] Failed to execute goal org.sonatype.plugins:nexus-staging-maven-plugin:1.6.8:deploy
(injected-nexus-deploy) on project tencentcloud-sdk-java: Execution
injected-nexus-deploy of goal org.sonatype.plugins:nexus-staging-maven-plugin:1.6.8:deploy
failed: Nexus connection problem to URL [https://oss.sonatype.org/ ]:
org.sonatype.nexus.rest.model.StatusResourceResponse -> [Help 1]

* 8a4d7af
* #148
* x-stream/xstream#263
@joehni joehni self-assigned this Aug 30, 2021
@joehni joehni added the invalid label Aug 30, 2021
joehni (Member) commented Aug 30, 2021

This is by design. If the nexus staging plugin does not initialize the Security Framework for its own needs, XStream will now only marshal the types on its own whitelist. It cannot know what types the nexus staging plugin is using. The authors of the plugin had 9 years' time to do this as recommended.

@joehni joehni closed this as completed Aug 30, 2021
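
The behaviour described in the comment above, as an added example that is not code from XStream, the Nexus plugin, or anyone in this thread: an XStream instance with no application permissions rejects an application type when reading XML, and the same instance reads it once the type is explicitly allowed. It assumes xstream 1.4.18 or later on the classpath; `StatusResponse` is a constructed stand-in for a model class such as the plugin's `StatusResourceResponse`, and `com.example.model` is a placeholder package name.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;

public class XStreamAllowlistDemo {
    // Constructed stand-in for an application model type; not a class
    // from any real project.
    public static class StatusResponse {
        String state = "STARTED";
        int apiVersion = 1;
    }

    public static void main(String[] args) {
        // Serialize once so there is XML to read back.
        String xml = new XStream().toXML(new StatusResponse());

        // 1) No application permissions: only XStream's built-in allowlist
        //    applies, so the application type is rejected on read.
        XStream defaults = new XStream();
        try {
            defaults.fromXML(xml);
            System.out.println("default instance: accepted (older XStream on classpath)");
        } catch (ForbiddenClassException e) {
            System.out.println("default instance: rejected " + e.getMessage());
        }

        // 2) The application declares exactly the types it expects to read.
        XStream configured = new XStream();
        configured.allowTypes(new Class[] { StatusResponse.class });
        // For a whole model package, a wildcard is the alternative
        // (placeholder package name):
        // configured.allowTypesByWildcard(new String[] { "com.example.model.**" });
        StatusResponse back = (StatusResponse) configured.fromXML(xml);
        System.out.println("configured instance: read state=" + back.state);
    }
}
```

Keeping the allowlist to the concrete response types, rather than a broad wildcard, preserves the protection the 1.4.18 default is meant to give.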
kohlschuetter added a commit to kohlschuetter/nexus-public that referenced this issue Dec 20, 2021
@kohlschuetter
@zqfan FYI
