
mvnd is affected by CVE-2020-17521 vulnerability #259

Closed

galegofer opened this issue Dec 12, 2020 · 4 comments

galegofer commented Dec 12, 2020

Related to the apache:groovy:3.0.4 dependency. Even though this is not a critical vulnerability, and it is easily avoided by not using the extension methods when creating temporary files, I do believe it would be good to keep project dependencies as safe as possible; upgrading to 3.0.7 will fix this issue.

You can have a look into https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Agroovy&cpe_version=cpe%3A%2F%3Aapache%3Agroovy%3A3.0.4.

The tool used to scan for vulnerabilities is OWASP dependency-check.

You can add it to your root pom:

        <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>6.0.3</version>
            <executions>
                <execution>
                    <goals>
                        <goal>check</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>

It will generate a report in your /target directory called dependency-check-report.
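As an added example (not part of the issue, and not mvnd's own pom), here is the same plugin wired so that a finding breaks the build instead of only being written to the report. The coordinates and the `check` goal are the ones named above; `failBuildOnCVSS` is a real dependency-check-maven parameter, and the threshold of 7 (CVSS "high") is an assumed policy, not something the issue specifies.

```xml
<!-- Added example, not from the issue: fail the build on vulnerable dependencies.
     Version 6.0.3 and the check goal are from the issue; failBuildOnCVSS and the
     value 7 are an assumed policy (any CVE with CVSS >= 7 fails the build). -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>6.0.3</version>
      <configuration>
        <!-- Without this the plugin only writes target/dependency-check-report
             and the build stays green, which is easy to miss in CI. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

The `check` goal binds to the `verify` phase by default, so `mvn verify` runs the scan; the first run downloads the NVD data, so a CI job needs network access or a cached data directory.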

ppalaga (Contributor) commented Dec 14, 2020

We have already upgraded to Groovy 3.0.7 in master (#254).

BTW, now that we know that module build order can be controlled via stock Maven means, like:

        <dependency>
            <groupId>org.group</groupId>
            <artifactId>my-dependency</artifactId>
            <version>${project.version}</version>
            <type>pom</type>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>*</groupId>
                    <artifactId>*</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

I would not mind removing both the custom dependency properties and the groovy script features from the daemon. WDYT, @gnodet? Have you ever used the groovy script feature somewhere?

gnodet (Contributor) commented Dec 14, 2020

> We have already upgraded to Groovy 3.0.7 in master (#254).
>
> BTW, now that we know that module build order can be controlled via stock Maven means, like:
>
>         <dependency>
>             <groupId>org.group</groupId>
>             <artifactId>my-dependency</artifactId>
>             <version>${project.version}</version>
>             <type>pom</type>
>             <scope>test</scope>
>             <exclusions>
>                 <exclusion>
>                     <groupId>*</groupId>
>                     <artifactId>*</artifactId>
>                 </exclusion>
>             </exclusions>
>         </dependency>

I don't follow how that affects the build order. Can you be more explicit?

> I would not mind removing both the custom dependency properties and the groovy script features from the daemon. WDYT, @gnodet? Have you ever used the groovy script feature somewhere?

I thought it was used in one camel subproject, but I can't find any reference, so I suppose not.

ppalaga (Contributor) commented Dec 15, 2020

> > We have already upgraded to Groovy 3.0.7 in master (#254).
> >
> > BTW, now that we know that module build order can be controlled via stock Maven means, like:
> >
> >         <dependency>
> >             <groupId>org.group</groupId>
> >             <artifactId>my-dependency</artifactId>
> >             <version>${project.version}</version>
> >             <type>pom</type>
> >             <scope>test</scope>
> >             <exclusions>
> >                 <exclusion>
> >                     <groupId>*</groupId>
> >                     <artifactId>*</artifactId>
> >                 </exclusion>
> >             </exclusions>
> >         </dependency>
>
> I don't follow how that affects the build order. Can you be more explicit?

We started to use this kind of dependency in Camel Quarkus instead of <mvnd.builder.rules> and the provider Groovy scripts.
A dependency like the one above will cause the current module to be built after org.group:my-dependency. Note that adding a pom dependency with all transitives excluded to the test class path has no actual effect on the class path; it only impacts the build order.

> > I would not mind removing both the custom dependency properties and the groovy script features from the daemon. WDYT, @gnodet? Have you ever used the groovy script feature somewhere?
>
> I thought it was used in one camel subproject, but I can't find any reference, so I suppose not.

Let's deprecate it and warn for the case that somebody uses it.
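To show the ordering trick from the comment above in a complete reactor rather than a lone `<dependency>` fragment, here is an added example (not from the issue, mvnd or Camel Quarkus). The parent, the two modules and the `org.example` coordinates are made up; the point is that `module-b` has no compile-time use of `module-a` yet is still built after it, and that nothing from `module-a` reaches `module-b`'s class path.

```xml
<!-- Added example, not from the issue: a two-module reactor where module-b must
     be built after module-a without depending on any of its classes.
     org.example, parent, module-a and module-b are assumed names. -->

<!-- pom.xml (parent) -->
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>parent</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <packaging>pom</packaging>
  <modules>
    <!-- Declaration order is not what decides: the reactor sorts modules by
         their inter-module dependencies, so module-a is built first. -->
    <module>module-b</module>
    <module>module-a</module>
  </modules>
</project>

<!-- module-b/pom.xml -->
<project>
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.example</groupId>
    <artifactId>parent</artifactId>
    <version>1.0.0-SNAPSHOT</version>
  </parent>
  <artifactId>module-b</artifactId>
  <dependencies>
    <!-- Ordering-only dependency: type pom, scope test and a wildcard exclusion
         of every transitive, so module-b's compile and test class paths are
         unchanged; only the reactor order is affected. -->
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>module-a</artifactId>
      <version>${project.version}</version>
      <type>pom</type>
      <scope>test</scope>
      <exclusions>
        <exclusion>
          <groupId>*</groupId>
          <artifactId>*</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

Running `mvn validate` from the parent prints a "Reactor Build Order" with module-a ahead of module-b. The `*` wildcard in `<exclusion>` needs Maven 3.2.1 or newer; on older Maven the exclusion is not applied and module-a's transitives would leak onto module-b's test class path.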

ppalaga (Contributor) commented Dec 15, 2020

I have filed #264

@gnodet gnodet added this to the 0.1.2 milestone Dec 15, 2020
@gnodet gnodet closed this as completed Dec 15, 2020