I’m trying to resolve a vulnerability (CVE-2021-26291) related to the dependency maven-core version 3.2.5, which is being pulled in by the build plugin maven-compiler-plugin version 3.12.1.
I tried following the official maven guide, by adding the version as follows:
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-compiler-plugin</artifactId>
      <version>3.12.1</version>
      <dependencies>
        <dependency>
          <groupId>org.apache.maven</groupId>
          <artifactId>maven-core</artifactId>
          <version>3.9.8</version>
        </dependency>
      </dependencies>
      <configuration>
        <source>${maven.compiler.source}</source>
        <target>${maven.compiler.target}</target>
      </configuration>
    </plugin>
However, I can still see the old version being pulled in when I run the mvn dependency:resolve-plugins command:
[INFO] org.apache.maven.plugins:maven-site-plugin:maven-plugin:3.12.1
[INFO] org.apache.maven.plugins:maven-site-plugin:jar:3.12.1
[INFO] org.apache.maven.reporting:maven-reporting-api:jar:3.1.1
[INFO] org.apache.maven.reporting:maven-reporting-exec:jar:1.6.0
[INFO] org.apache.maven:maven-artifact:jar:3.2.5
[INFO] org.apache.maven:maven-core:jar:3.2.5
I’m not sure why it comes through as maven-site-plugin, though the version matches the one I indicate for the compiler plugin. Could it be because it is somehow nested within the compiler dependency? I do not make any direct reference to the maven-site-plugin in my pom.
Any help is very much appreciated as to why it behaves like this or if I’m doing something wrong. Thanks!
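As an added example (not part of the question above, and not code from the Maven project), the script below parses the output of mvn dependency:resolve-plugins into one block per plugin and reports which plugins still resolve a watched artifact below a version threshold. It uses the output shape shown in the question: a coordinate whose packaging field is maven-plugin opens a new plugin block, and the indented jar coordinates that follow are that plugin's resolved dependencies. The sample output embedded in the script is constructed to mirror that shape, the version comparison is a simplified numeric ordering (not Maven's full qualifier rules), and the 3.8.1 threshold used in the usage call is an illustrative parameter, not a claim taken from the question.

```python
"""Audit `mvn dependency:resolve-plugins` output for an outdated build-time
artifact, per plugin.  Added example; the sample output below is constructed
to mirror the shape shown in the question, not real build output."""
import re
from typing import Dict, List, Tuple

# Constructed sample: two plugins, each resolving its own copy of maven-core.
SAMPLE_OUTPUT = """\
[INFO] org.apache.maven.plugins:maven-compiler-plugin:maven-plugin:3.12.1
[INFO]    org.apache.maven.plugins:maven-compiler-plugin:jar:3.12.1
[INFO]    org.apache.maven:maven-core:jar:3.9.8
[INFO] org.apache.maven.plugins:maven-site-plugin:maven-plugin:3.12.1
[INFO]    org.apache.maven.plugins:maven-site-plugin:jar:3.12.1
[INFO]    org.apache.maven.reporting:maven-reporting-api:jar:3.1.1
[INFO]    org.apache.maven:maven-artifact:jar:3.2.5
[INFO]    org.apache.maven:maven-core:jar:3.2.5
"""

# group:artifact:type:version, with an optional "[INFO]" prefix (the first
# plugin line in the question's paste had lost its prefix, so it is optional).
COORD_RE = re.compile(
    r"^(?:\[INFO\]\s*)?"
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<type>[\w-]+):(?P<version>[\w.-]+)\s*$"
)


def parse_resolved_plugins(text: str) -> Dict[str, Dict[str, str]]:
    """Map each resolved plugin (group:artifact:version) to its resolved
    dependencies (group:artifact -> version).  A coordinate of type
    'maven-plugin' opens a new block; the jar coordinates after it belong
    to that plugin until the next 'maven-plugin' line."""
    plugins: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = COORD_RE.match(line.strip())
        if not m:
            continue  # log noise, download progress, etc.
        g, a, t, v = m.group("group", "artifact", "type", "version")
        if t == "maven-plugin":
            current = f"{g}:{a}:{v}"
            plugins[current] = {}
        elif current is not None:
            plugins[current][f"{g}:{a}"] = v
    return plugins


def version_key(version: str) -> Tuple[Tuple[int, object], ...]:
    """Simplified ordering: numeric segments compare as integers, anything
    else as text.  Assumption: good enough for x.y.z release versions; Maven's
    real ordering (qualifiers like -alpha, -SNAPSHOT) is more involved."""
    return tuple(
        (0, int(seg)) if seg.isdigit() else (1, seg)
        for seg in re.split(r"[.-]", version)
    )


def find_outdated(plugins: Dict[str, Dict[str, str]],
                  watched: str, fixed_version: str) -> List[Tuple[str, str]]:
    """Return (plugin, resolved_version) for every plugin whose resolved copy
    of `watched` (group:artifact) is older than `fixed_version`."""
    hits = []
    for plugin, deps in plugins.items():
        v = deps.get(watched)
        if v is not None and version_key(v) < version_key(fixed_version):
            hits.append((plugin, v))
    return hits


if __name__ == "__main__":
    # Threshold chosen for illustration; take the fixed version from the advisory.
    resolved = parse_resolved_plugins(SAMPLE_OUTPUT)
    for plugin, version in find_outdated(resolved, "org.apache.maven:maven-core", "3.8.1"):
        print(f"{plugin} still resolves maven-core {version}")
```

Run it against real output with mvn dependency:resolve-plugins | python audit.py (replacing SAMPLE_OUTPUT with sys.stdin.read()); the per-plugin grouping is the point, since a <dependencies> override inside one <plugin> element changes only that plugin's resolved classpath, so each plugin has to be checked on its own.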