Plugins use dependencies that trigger CVEs

[binkley]

If you are submitting a bug, please include the following:

• summary of problem
• Gradle or Maven version
• spotless version
• operating system and version
• copy-paste your full Spotless configuration block(s), and a link to a public git repo that reproduces the problem if possible
• copy-paste the full content of any console errors emitted by gradlew spotless[Apply/Check] --stacktrace

If you're just submitting a feature request or question, no need for the above.

Summary

An accidental discovery: making Spotless a dependency instead of a plugin (yes, it was a mistake) turned up multiple CVEs from DependencyCheck. This tells me 2 things:

• DependencyCheck is not checking plugins
• Spotless has outdated dependencies for the plugins

Obviously, this is a user goof, however, it tells me that Spotless may need to refresh/update dependencies for the plugins.
On the other hand, some of these may be build-only dependencies for the plugin? Either way, there are some outdated dependencies in the plugin.

CVEs with 2.43.0:

• org.eclipse.jgit-6.7.0.202309050840-r.jar: CVE-2023-4759(8.8)
• org.eclipse.osgi-3.18.300.jar: CVE-2021-41033(8.1), CVE-2020-27225(7.8), CVE-2023-4218(5.0)
• plexus-resources-1.2.0.jar: CVE-2022-4245(4.3), CVE-2022-4244(7.5)

My issue post focuses on the Maven plugin. I haven't tried doing the same with the Gradle plugin.

Maven version

3.9.6

Spotless version

2.43.0

OS version

Not relevant, however "Linux Hobbiton 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux" running Ubuntu under WSL2 on Windows 11.

Spotless configuration block

No configuration block provided.

Console output

I wanted to paste the full ./mvnw -X verify output, however two problems:

• Lots of useless stuff non-specific to the problem at hand
• Posting the full output gave GitHub a heartburn, and it complained that this issue exceeded the character limit

[nedtwigg]

Regarding each in turn

• org.eclipse.jgit-6.7.0.202309050840-r.jar we've got to make some changes to adapt to a new API after this (Update dependency org.eclipse.jgit:org.eclipse.jgit to v6.10.0.202406032230-r #1949), a new JGit (6.10) is supposed to come out any day now, so that'll be a good time
• org.eclipse.osgi-3.18.300.jar: this should be trivial to bump
• plexus-resources-1.2.0.jar I had been holding this back with the idea of preserving compat, but sure we can bump to 1.3.0

[binkley]

@nedtwigg Sounds like y'all are on top of this already.
Again, thanks for considering an Issue that is the result of clear user error. 😄