From 0d908de53f5623223791dca59a1464d4cf2e3a51 Mon Sep 17 00:00:00 2001
From: David Pursehouse <david.pursehouse@gmail.com>
Date: Wed, 6 Jun 2018 13:34:34 +0900
Subject: [PATCH] Update maven plugins to fix Zip Slip vulnerability

Zip Slip [1] is an arbitrary file write generic vulnerability, that can
be achieved using a specially crafted zip (or bzip2, gzip, tar, xz, war)
archive, that holds path traversal filenames.

According to Maven's announcement [2] several plugins use plexus-archiver to
unpack dependencies to disk and have been identified as potential triggers
for exposing the vulnerability.

Of those, JGit uses the maven-dependency-plugin and the maven-javadoc-plugin.

Update them to the fixed versions reported in [2].

See the corresponding issues for the maven-dependency-plugin [3] and the
maven-javadoc-plugin [4] for details.

[1] https://snyk.io/research/zip-slip-vulnerability
[2] https://maven.apache.org/security-plexus-archiver.html
[3] https://issues.apache.org/jira/browse/MDEP-611
[4] https://issues.apache.org/jira/browse/MJAVADOC-520

Change-Id: Id3ab2d6161db240f2ab8f82298fa3ecd7a930a43
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
---
 pom.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index af26c741d2..042b21e98e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -213,7 +213,7 @@
     <httpcore-version>4.4.6</httpcore-version>
     <slf4j-version>1.7.2</slf4j-version>
     <log4j-version>1.2.15</log4j-version>
-    <maven-javadoc-plugin-version>3.0.0</maven-javadoc-plugin-version>
+    <maven-javadoc-plugin-version>3.0.1</maven-javadoc-plugin-version>
     <tycho-extras-version>1.1.0</tycho-extras-version>
     <gson-version>2.8.2</gson-version>
     <spotbugs-maven-plugin-version>3.1.2</spotbugs-maven-plugin-version>
@@ -286,7 +286,7 @@
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-dependency-plugin</artifactId>
-          <version>3.0.2</version>
+          <version>3.1.1</version>
         </plugin>
 
         <plugin>
-- 
2.39.5