content-package-maven-plugin direct dependency (org.apache.sling.commons.json) vulnerable blocking the build | Community
Skip to main content
M
MohammadUsman
Level 2
January 29, 2025

content-package-maven-plugin direct dependency (org.apache.sling.commons.json) vulnerable blocking the build

  • January 29, 2025
  • 4 replies
  • 1281 views

Hi,

  while building the project I was not able to get maven to download org.apache.sling.commons.json dependency package which is being used by content-package-maven-plugin as our cyber team has blocked the access to mvn repository and all the vulnerable packages that have critical and high status. They set a proxy repository  allowing us to download only the dependencies that are not flagged critical and high. so I'm stuck here not able to get commons.json direct dependency that content package plugin needs. I have checked the proxy repository and was not able to find any other version of commons.json that is allowed to downloaded may be all the versions are critical. So I'm not able to override the plugin with different commons.json version either. Is there any other way where I can exclude this direct dependency all together or use some other dependency that is not vulnerable to replace this for the plugin ?? 

 

 

<plugin>
  <groupId>com.day.jcr.vault</groupId>
  <artifactId>content-package-maven-plugin</artifactId>
  <version>1.0.6</version>
</plugin>

<dependency>
  <groupId>org.apache.sling</groupId>
  <artifactId>org.apache.sling.commons.json</artifactId>
  <version>2.0.6</version>
</dependency>

4 replies

arunpatidar
Community Advisor
arunpatidarCommunity Advisor
Community Advisor
January 29, 2025

Hi @mohammadusman 

Maybe you can try using 

https://github.com/arunpatidar02/aemaacs-aemlab/blob/e31fc62bfd147e56ecaca740c6e2739c66c75f75/ui.content/pom.xml#L48

or try to add dependency from local

https://experienceleague.adobe.com/en/docs/experience-manager-learn/foundation/development/install-third-party-artifacts 

 

<!-- My Example JAR --> <dependency> <groupId>com.my.example</groupId> <artifactId>my-example-jar</artifactId> <version>1.0-SNAPSHOT</version> <scope>provided</scope> <systemPath>${maven.multiModuleProjectDirectory}/all/resource/jar/my-example-jar-1.0-SNAPSHOT.jar</systemPath> </dependency>
Arun Patidar
    anupampat
    Community Advisor
    anupampatCommunity Advisor
    Community Advisor
    January 29, 2025

    Hi @mohammadusman ,

     

    Is it not possible to use another JSON dependency other than 

    org.apache.sling.commons.json

    ?

    I was able to build the code successfully by removing the above dependency and replacing few codes.

     

    Regards,

    Anupam Patra 

      M
      MohammadUsmanAuthor
      Level 2
      January 29, 2025

      Hi @anupampat ,

                       We are not explicitly mentioning this dependency in our pom, it is a transitive dependency of "content-package-maven-plugin" plugin. so I'm not able to find a way to exclude this dependency from this plugin.

      AmitVishwakarma
      Community Advisor
      AmitVishwakarmaCommunity Advisor
      Community Advisor
      January 29, 2025

      To resolve the issue with the vulnerable commons.json dependency in the content-package-maven-plugin, here are your options:
      1. Exclude the Vulnerable Dependency: Add the exclusion in your pom.xml to prevent Maven from downloading the vulnerable version:

      <exclusions> <exclusion> <groupId>org.apache.sling</groupId> <artifactId>commons-json</artifactId> </exclusion> </exclusions>

      Manually Add a Safe Version: Download a safe version of commons-json (a non-vulnerable version). Install it into your local Maven repository using:

      mvn install:install-file -Dfile=/path/to/commons-json.jar -DgroupId=org.apache.sling -DartifactId=commons-json -Dversion=2.0.x -Dpackaging=jar

      Add the following dependency to your pom.xml:

      <dependency> <groupId>org.apache.sling</groupId> <artifactId>commons-json</artifactId> <version>2.0.x</version> <!-- Replace with the safe version --> </dependency>

      Using a Custom Repository:Upload the safe version of the dependency to your internal Maven repository (or proxy), so it's accessible during the build process.

        M
        MohammadUsmanAuthor
        Level 2
        January 29, 2025

        Hi @amitvishwakarma ,

                          There is no exclusion tag supported inside plugin tag. This is a plugin in which we are trying to remove a dependency from. I don't see there is a property or  a tag to exclude dependency inside a plugin tag. We are not able to manually download because mvn repository is redirecting to protected environment where downloading to our local machine is not possible.

        kautuk_sahni
        Community Manager
        kautuk_sahniCommunity Manager
        Community Manager
        January 29, 2025

        @mohammadusman Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

        Kautuk Sahni
        M
        MohammadUsmanAuthor
        Level 2
        January 30, 2025

        no I dint find the correct answer yet. I'm expecting more answers from the community. help would be apperciated. Thanks

        Terms & ConditionsAccessibility statement

        Loading footer...