content-package-maven-plugin direct dependency (org.apache.sling.commons.json) vulnerable blocking the build

Level 2

Hi,

While building the project I was not able to get Maven to download the org.apache.sling.commons.json dependency package, which is used by content-package-maven-plugin, as our cyber team has blocked access to the mvn repository and all the vulnerable packages that have critical and high status. They set up a proxy repository allowing us to download only the dependencies that are not flagged critical and high, so I'm stuck here, not able to get the commons.json direct dependency that the content package plugin needs. I have checked the proxy repository and was not able to find any other version of commons.json that is allowed to be downloaded; maybe all the versions are critical. So I'm not able to override the plugin with a different commons.json version either. Is there any other way I can exclude this direct dependency altogether, or use some other dependency that is not vulnerable to replace this for the plugin?

<plugin>
    <groupId>com.day.jcr.vault</groupId>
    <artifactId>content-package-maven-plugin</artifactId>
    <version>1.0.6</version>
</plugin>

<dependency>
    <groupId>org.apache.sling</groupId>
    <artifactId>org.apache.sling.commons.json</artifactId>
    <version>2.0.6</version>
</dependency>
7 Replies

Community Advisor

Hi @MohammadUsman,

Maybe you can try using

https://github.com/arunpatidar02/aemaacs-aemlab/blob/e31fc62bfd147e56ecaca740c6e2739c66c75f75/ui.con...

or try to add the dependency from local:

https://experienceleague.adobe.com/en/docs/experience-manager-learn/foundation/development/install-t...

<!-- My Example JAR: a jar stored inside the project and referenced by path -->
<dependency>
    <groupId>com.my.example</groupId>
    <artifactId>my-example-jar</artifactId>
    <version>1.0-SNAPSHOT</version>
    <!-- systemPath is only valid together with scope "system";
         Maven rejects a systemPath on a "provided" dependency -->
    <scope>system</scope>
    <systemPath>${maven.multiModuleProjectDirectory}/all/resource/jar/my-example-jar-1.0-SNAPSHOT.jar</systemPath>
</dependency>


Arun Patidar

Level 7

Hi @MohammadUsman,

Is it not possible to use another JSON dependency other than org.apache.sling.commons.json?

I was able to build the code successfully by removing the above dependency and replacing a few pieces of code.

Regards,

Anupam Patra 

Level 2

Hi @anupampat,

We are not explicitly mentioning this dependency in our pom; it is a transitive dependency of the "content-package-maven-plugin" plugin, so I'm not able to find a way to exclude this dependency from this plugin.

Level 7

To resolve the issue with the vulnerable commons.json dependency in the content-package-maven-plugin, here are your options:

1. Exclude the Vulnerable Dependency: Add the exclusion in your pom.xml to prevent Maven from downloading the vulnerable version:

<exclusions>
  <exclusion>
    <groupId>org.apache.sling</groupId>
    <!-- artifactId must match the artifact actually pulled in, which is
         org.apache.sling.commons.json, not commons-json -->
    <artifactId>org.apache.sling.commons.json</artifactId>
  </exclusion>
</exclusions>

2. Manually Add a Safe Version: Download a safe version of commons.json (a non-vulnerable version). Install it into your local Maven repository using:

mvn install:install-file -Dfile=/path/to/org.apache.sling.commons.json.jar -DgroupId=org.apache.sling -DartifactId=org.apache.sling.commons.json -Dversion=2.0.x -Dpackaging=jar

Add the following dependency to your pom.xml:

<dependency>
  <groupId>org.apache.sling</groupId>
  <artifactId>org.apache.sling.commons.json</artifactId>
  <version>2.0.x</version> <!-- Replace with the safe version -->
</dependency>

3. Use a Custom Repository: Upload the safe version of the dependency to your internal Maven repository (or proxy), so it's accessible during the build process.

Level 2

Hi @AmitVishwakarma,

There is no exclusion tag supported inside the plugin tag. This is a plugin from which we are trying to remove a dependency. I don't see a property or a tag to exclude a dependency inside a plugin tag. We are not able to download it manually because the mvn repository is redirecting to a protected environment where downloading to our local machine is not possible.
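Added editorial example, not code from any poster in this thread: the Maven mechanism closest to what the thread is asking for is a `<dependencies>` block inside the `<plugin>` element. Dependencies declared there are resolved into the plugin's own classpath and win over the version the plugin's POM pulls in transitively, so the build fetches only the pinned version; they cannot delete an artifact the plugin declares directly, so this only helps when the proxy admits at least one version. The coordinates are the ones quoted in the question; REPLACE_WITH_ALLOWED_VERSION is a placeholder.

```xml
<build>
  <plugins>
    <plugin>
      <groupId>com.day.jcr.vault</groupId>
      <artifactId>content-package-maven-plugin</artifactId>
      <version>1.0.6</version>
      <!-- Plugin-level dependencies are added to the plugin's classpath and
           override the version of the same artifact that the plugin's own POM
           declares. Pin the artifact to the version your proxy permits;
           the value below is a placeholder, not a real release number. -->
      <dependencies>
        <dependency>
          <groupId>org.apache.sling</groupId>
          <artifactId>org.apache.sling.commons.json</artifactId>
          <version>REPLACE_WITH_ALLOWED_VERSION</version>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
```

Run `mvn dependency:resolve-plugins` afterwards to confirm which version of org.apache.sling.commons.json actually landed on the plugin classpath before trusting the build.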

Administrator

@MohammadUsman Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

Kautuk Sahni

Level 2

No, I didn't find the correct answer yet. I'm expecting more answers from the community. Help would be appreciated. Thanks.