Hi,
While building the project I was not able to get Maven to download the org.apache.sling.commons.json dependency package, which is used by content-package-maven-plugin, as our cyber team has blocked access to the mvn repository and all the vulnerable packages that have critical and high status. They set up a proxy repository allowing us to download only the dependencies that are not flagged critical and high, so I'm stuck here, not able to get the commons.json direct dependency that the content package plugin needs. I have checked the proxy repository and was not able to find any other version of commons.json that is allowed to be downloaded; maybe all the versions are critical. So I'm not able to override the plugin with a different commons.json version either. Is there any other way where I can exclude this direct dependency altogether or use some other dependency that is not vulnerable to replace this for the plugin?
<plugin>
    <groupId>com.day.jcr.vault</groupId>
    <artifactId>content-package-maven-plugin</artifactId>
    <version>1.0.6</version>
</plugin>
<dependency>
    <groupId>org.apache.sling</groupId>
    <artifactId>org.apache.sling.commons.json</artifactId>
    <version>2.0.6</version>
</dependency>
Maybe you can try using
or try to add dependency from local
<!-- My Example JAR -->
<dependency>
    <groupId>com.my.example</groupId>
    <artifactId>my-example-jar</artifactId>
    <version>1.0-SNAPSHOT</version>
    <!-- systemPath is only accepted together with system scope; Maven rejects it with provided -->
    <scope>system</scope>
    <systemPath>${maven.multiModuleProjectDirectory}/all/resource/jar/my-example-jar-1.0-SNAPSHOT.jar</systemPath>
</dependency>
Hi @MohammadUsman ,
Is it not possible to use another JSON dependency other than
org.apache.sling.commons.json
?
I was able to build the code successfully by removing the above dependency and replacing a few lines of code.
Regards,
Anupam Patra
Hi @anupampat ,
We are not explicitly mentioning this dependency in our pom; it is a transitive dependency of the "content-package-maven-plugin" plugin. So I'm not able to find a way to exclude this dependency from this plugin.
To resolve the issue with the vulnerable commons.json dependency in the content-package-maven-plugin, here are your options:
1. Exclude the Vulnerable Dependency: Add the exclusion in your pom.xml to prevent Maven from downloading the vulnerable version:
<exclusions>
    <exclusion>
        <groupId>org.apache.sling</groupId>
        <!-- artifactId as it appears in the plugin's dependency tree above -->
        <artifactId>org.apache.sling.commons.json</artifactId>
    </exclusion>
</exclusions>
2. Manually Add a Safe Version: Download a safe version of commons-json (a non-vulnerable version). Install it into your local Maven repository using:
mvn install:install-file -Dfile=/path/to/commons-json.jar -DgroupId=org.apache.sling -DartifactId=org.apache.sling.commons.json -Dversion=2.0.x -Dpackaging=jar
Add the following dependency to your pom.xml:
<dependency>
    <groupId>org.apache.sling</groupId>
    <artifactId>org.apache.sling.commons.json</artifactId>
    <version>2.0.x</version> <!-- Replace with the safe version -->
</dependency>
3. Using a Custom Repository: Upload the safe version of the dependency to your internal Maven repository (or proxy), so it's accessible during the build process.
Hi @AmitVishwakarma ,
There is no exclusion tag supported inside the plugin tag. This is a plugin from which we are trying to remove a dependency. I don't see that there is a property or a tag to exclude a dependency inside a plugin tag. We are not able to download it manually because the mvn repository is redirecting to a protected environment where downloading to our local machine is not possible.
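As an added example (not posted by anyone in this thread), here is the one place Maven does let you change what a plugin's classpath resolves: the `<dependencies>` element that the POM schema allows directly under `<plugin>`. A dependency declared there is nearer in the tree than the plugin's own transitive one, so Maven's nearest-wins mediation picks its version over the plugin's declared 2.0.6. It assumes the plugin coordinates from the question; `ALLOWED_VERSION_PLACEHOLDER` is a placeholder for whatever version the proxy repository permits, if one exists.

```xml
<!-- Added example, not from the thread. Overrides the version of
     org.apache.sling.commons.json seen by content-package-maven-plugin
     by declaring it as a plugin-level dependency.
     ALLOWED_VERSION_PLACEHOLDER must be replaced with a version your
     proxy repository actually serves. -->
<build>
  <plugins>
    <plugin>
      <groupId>com.day.jcr.vault</groupId>
      <artifactId>content-package-maven-plugin</artifactId>
      <version>1.0.6</version>
      <dependencies>
        <!-- Nearest-wins: this declaration is at depth 1 under the plugin,
             so it replaces the 2.0.6 the plugin pulls in transitively. -->
        <dependency>
          <groupId>org.apache.sling</groupId>
          <artifactId>org.apache.sling.commons.json</artifactId>
          <version>ALLOWED_VERSION_PLACEHOLDER</version>
          <!-- <exclusions> is accepted here too, but it only prunes this
               artifact's own transitive tree; it cannot remove something
               the plugin itself depends on directly. -->
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
```

To confirm what actually lands on the plugin classpath, run `mvn dependency:resolve-plugins` (or `mvn -X` and read the plugin realm section of the debug output) and check which commons.json version is listed under content-package-maven-plugin. The caveat that matters for this thread: this override only helps if the proxy serves at least one permitted version; if every version is blocked, the plugin-level dependency cannot be resolved either and the build fails in the same way.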
@MohammadUsman Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!
No, I didn't find the correct answer yet. I'm expecting more answers from the community. Help would be appreciated. Thanks