[AUTO-CHERRYPICK] Upgrade maven to 3.8.1 to fix CVE-2021-26291 in javapackages-bootstrap [Critical] - branch main (#13777)

Signed-off-by: Kanishk Bansal <[email protected]>
Co-authored-by: Kanishk Bansal <[email protected]>
Co-authored-by: Kanishk Bansal <[email protected]>

Author: 3 people

SPECS/javapackages-bootstrap/CVE-2021-26291.patch

@@ -0,0 +1,217 @@
+From 3291b840445ecc468bddf6dbb4d782b9b79146b7 Mon Sep 17 00:00:00 2001
+From: mkoncek <[email protected]>
+Date: Fri, 17 Dec 2021 12:45:52 +0100
+Subject: [PATCH] Update maven to 3.8.4
+
+---
+ mbi/dist/metadata.txt                         |  1 +
+ .../0003-Port-to-maven-3.8.1.patch            | 59 +++++++++++++++++++
+ .../0003-Port-to-maven-3.8.1.patch            | 33 +++++++++++
+ project/maven.properties                      |  2 +-
+ project/maven.xml                             |  4 +-
+ 5 files changed, 97 insertions(+), 2 deletions(-)
+ create mode 100644 patches/maven-artifact-transfer/0003-Port-to-maven-3.8.1.patch
+ create mode 100644 patches/maven-plugin-testing/0003-Port-to-maven-3.8.1.patch
+
+diff --git a/mbi/dist/metadata.txt b/mbi/dist/metadata.txt
+index 90f4c62..8f4d49c 100644
+--- a/mbi/dist/metadata.txt
++++ b/mbi/dist/metadata.txt
+@@ -328,6 +328,7 @@ MOD maven-core
+     DEP org.codehaus.plexus plexus-classworlds
+     DEP org.codehaus.plexus plexus-component-annotations
+     DEP org.apache.commons commons-lang3
++    DEP org.slf4j slf4j-api
+ MOD maven-dependency-analyzer
+   ART org.apache.maven.shared maven-dependency-analyzer
+     DEP org.ow2.asm asm
+diff --git a/patches/maven-artifact-transfer/0003-Port-to-maven-3.8.1.patch b/patches/maven-artifact-transfer/0003-Port-to-maven-3.8.1.patch
+new file mode 100644
+index 0000000..afeef3c
+--- /dev/null
++++ b/patches/maven-artifact-transfer/0003-Port-to-maven-3.8.1.patch
+@@ -0,0 +1,59 @@
++From 801cdd23a9dd9e8948f516537b0f5f09a252c5b7 Mon Sep 17 00:00:00 2001
++From: Marian Koncek <[email protected]>
++Date: Fri, 17 Dec 2021 13:33:49 +0100
++Subject: [PATCH] Port to maven 3.8.1
++
++---
++ .../internal/Maven31ArtifactRepositoryAdapter.java   | 12 ++++++++++++
++ .../internal/Maven31ArtifactRepositoryAdapter.java   | 12 ++++++++++++
++ 2 files changed, 24 insertions(+)
++
++diff --git a/src/main/java/org/apache/maven/shared/transfer/collection/internal/Maven31ArtifactRepositoryAdapter.java b/src/main/java/org/apache/maven/shared/transfer/collection/internal/Maven31ArtifactRepositoryAdapter.java
++index 9d93f31..8297fdb 100644
++--- a/src/main/java/org/apache/maven/shared/transfer/collection/internal/Maven31ArtifactRepositoryAdapter.java
+++++ b/src/main/java/org/apache/maven/shared/transfer/collection/internal/Maven31ArtifactRepositoryAdapter.java
++@@ -207,6 +207,18 @@ class Maven31ArtifactRepositoryAdapter implements ArtifactRepository
++         throw new UnsupportedOperationException();
++     }
++ 
+++    @Override
+++    public boolean isBlocked()
+++    {
+++        throw new UnsupportedOperationException();
+++    }
+++
+++    @Override
+++    public void setBlocked(boolean blocked)
+++    {
+++        throw new UnsupportedOperationException();
+++    }
+++
++     @Override
++     public String toString()
++     {
++diff --git a/src/main/java/org/apache/maven/shared/transfer/dependencies/collect/internal/Maven31ArtifactRepositoryAdapter.java b/src/main/java/org/apache/maven/shared/transfer/dependencies/collect/internal/Maven31ArtifactRepositoryAdapter.java
++index d5716bb..4669353 100644
++--- a/src/main/java/org/apache/maven/shared/transfer/dependencies/collect/internal/Maven31ArtifactRepositoryAdapter.java
+++++ b/src/main/java/org/apache/maven/shared/transfer/dependencies/collect/internal/Maven31ArtifactRepositoryAdapter.java
++@@ -207,6 +207,18 @@ class Maven31ArtifactRepositoryAdapter implements ArtifactRepository
++         throw new UnsupportedOperationException();
++     }
++ 
+++    @Override
+++    public boolean isBlocked()
+++    {
+++        throw new UnsupportedOperationException();
+++    }
+++
+++    @Override
+++    public void setBlocked(boolean blocked)
+++    {
+++        throw new UnsupportedOperationException();
+++    }
+++
++     @Override
++     public String toString()
++     {
++-- 
++2.31.1
++
+diff --git a/patches/maven-plugin-testing/0003-Port-to-maven-3.8.1.patch b/patches/maven-plugin-testing/0003-Port-to-maven-3.8.1.patch
+new file mode 100644
+index 0000000..2786be2
+--- /dev/null
++++ b/patches/maven-plugin-testing/0003-Port-to-maven-3.8.1.patch
+@@ -0,0 +1,33 @@
++From 4dc38f384dab2d825e1ab6f7df018650b6aeded1 Mon Sep 17 00:00:00 2001
++From: Marian Koncek <[email protected]>
++Date: Fri, 17 Dec 2021 13:42:11 +0100
++Subject: [PATCH] Port to maven 3.8.1
++
++---
++ .../plugin/testing/stubs/StubArtifactRepository.java | 12 ++++++++++++
++ 1 file changed, 12 insertions(+)
++
++diff --git a/maven-plugin-testing-harness/src/main/java/org/apache/maven/plugin/testing/stubs/StubArtifactRepository.java b/maven-plugin-testing-harness/src/main/java/org/apache/maven/plugin/testing/stubs/StubArtifactRepository.java
++index 9a435b7..c13c3a8 100644
++--- a/maven-plugin-testing-harness/src/main/java/org/apache/maven/plugin/testing/stubs/StubArtifactRepository.java
+++++ b/maven-plugin-testing-harness/src/main/java/org/apache/maven/plugin/testing/stubs/StubArtifactRepository.java
++@@ -247,4 +247,16 @@ public class StubArtifactRepository
++     {
++         // no op
++     }
+++
+++    @Override
+++    public boolean isBlocked()
+++    {
+++        throw new UnsupportedOperationException();
+++    }
+++
+++    @Override
+++    public void setBlocked(boolean blocked)
+++    {
+++        throw new UnsupportedOperationException();
+++    }
++ }
++-- 
++2.31.1
++
+diff --git a/project/maven.properties b/project/maven.properties
+index e5a3c6b..b6ddc64 100644
+--- a/project/maven.properties
++++ b/project/maven.properties
+@@ -1,3 +1,3 @@
+ url=https://github.com/apache/maven.git
+ ref=maven-@.@.@
+-version=3.6.3
++version=3.8.1
+diff --git a/project/maven.xml b/project/maven.xml
+index 508bfb1..664f79b 100644
+--- a/project/maven.xml
++++ b/project/maven.xml
+@@ -82,6 +82,7 @@
+     <dependency>maven-shared-utils</dependency>
+     <dependency>commons-lang</dependency>
+     <dependency>maven-resolver-provider</dependency>
++    <dependency>slf4j</dependency>
+     <build>
+       <modello>
+         <model>src/main/mdo/toolchains.mdo</model>
+@@ -214,6 +215,7 @@
+     <dependency>maven-model-builder</dependency>
+     <dependency>guice</dependency>
+     <dependency>maven-builder-support</dependency>
++    <dependency>slf4j</dependency>
+     <build>
+       <compiler>
+         <addSourceRoot>src/main/java</addSourceRoot>
+@@ -244,7 +246,7 @@
+     <build>
+       <modello>
+         <model>src/main/mdo/settings.mdo</model>
+-        <version>1.1.0</version>
++        <version>1.2.0</version>
+         <output>java|xpp3-reader|xpp3-writer</output>
+       </modello>
+       <compiler>
+From bd8826af4fd489a5d6ed117173904f02775415ee Mon Sep 17 00:00:00 2001
+From: Sindhu Karri <[email protected]>
+Date: Thu, 25 Jul 2024 11:33:17 +0000
+Subject: [PATCH] Maven resolver patch
+
+---
+ project/maven-resolver.xml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/project/maven-resolver.xml b/project/maven-resolver.xml
+index 9f23efc..a08fc61 100644
+--- a/project/maven-resolver.xml
++++ b/project/maven-resolver.xml
+@@ -20,6 +20,7 @@
+         <addSourceRoot>maven-resolver-util/src/main/java</addSourceRoot>
+         <addSourceRoot>maven-resolver-connector-basic/src/main/java</addSourceRoot>
+         <addSourceRoot>maven-resolver-transport-wagon/src/main/java</addSourceRoot>
++        <addSourceRoot>maven-resolver-named-locks/src/main/java</addSourceRoot>
+       </compiler>
+       <cdc/>
+     </build>
+-- 
+2.33.8
+
+From b23d2957440cb4ff06a289b4864f782794b45f52 Mon Sep 17 00:00:00 2001
+From: Marian Koncek <[email protected]>
+Date: Fri, 17 Dec 2021 13:05:49 +0100
+Subject: [PATCH] Port to maven-resolver 1.7.2
+
+---
+ .../org/apache/maven/repository/internal/MavenAetherModule.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/downstream/maven/maven-resolver-provider/src/main/java/org/apache/maven/repository/internal/MavenAetherModule.java b/downstream/maven/maven-resolver-provider/src/main/java/org/apache/maven/repository/internal/MavenAetherModule.java
+index 41e98aaea..d72e3c0f3 100644
+--- a/downstream/maven/maven-resolver-provider/src/main/java/org/apache/maven/repository/internal/MavenAetherModule.java
++++ b/downstream/maven/maven-resolver-provider/src/main/java/org/apache/maven/repository/internal/MavenAetherModule.java
+@@ -28,7 +28,7 @@
+ 
+ import org.apache.maven.model.building.DefaultModelBuilderFactory;
+ import org.apache.maven.model.building.ModelBuilder;
+-import org.eclipse.aether.impl.AetherModule;
++import org.eclipse.aether.impl.guice.AetherModule;
+ import org.eclipse.aether.impl.ArtifactDescriptorReader;
+ import org.eclipse.aether.impl.MetadataGeneratorFactory;
+ import org.eclipse.aether.impl.VersionRangeResolver;
+-- 
+2.31.1

SPECS/javapackages-bootstrap/javapackages-bootstrap.signatures.json

@@ -64,7 +64,7 @@
         "maven-plugin-testing.tar.xz": "0bc167583eef4321b69d7990d3cb0f2c9e03f7c92137aae0c938c1b6f01798a1",
         "maven-plugin-tools.tar.xz": "27a3b5835a34712862b00b3f540fda541c6a54d841988b0a3dec7f02e9a3db11",
         "maven-remote-resources-plugin.tar.xz": "e0b8cd3eb4ec00652b44da236b2c4eb796a8f99f89b9f02dbdb290e712854a08",
-        "maven-resolver.tar.xz": "f9722a31915945fa533995a642f7cee00f5e78ba8c4dfae6ad5f3e84fcbb1f87",
+        "maven-resolver-1.7.0.tar.xz": "d25fed747363399d91ab1dd19de01bf9c5eb288db17dc9262d844643dd2a2127",
         "maven-resources-plugin.tar.xz": "a61514bcf9216c4543c8710dc0c1a7fdf7c4ecdebb1c1de118a2db536142fd9d",
         "maven-resources.tar.xz": "cee8b36b3869a40c8fee6e7f01105c835ab192361e9abb5bdd23a706b979b3c1",
         "maven-shared-incremental.tar.xz": "951c4c7cf5d4a5a40d47c213c711e76e369cfca4bfd2e55075996706f175af92",
@@ -74,7 +74,7 @@
         "maven-surefire.tar.xz": "2f6b7af5b523949ba194ed61774a336cf88b64cdb81753eb73d0b6a94375ff52",
         "maven-verifier.tar.xz": "bfd78b31d226bead42b88ae787c310b42aa57b3f64e68652a4e88b0d0f3b49c9",
         "maven-wagon.tar.xz": "a34b0a40dd7bc566a284858613c875c5534f80a7c2afd2c3e503e2385728d131",
-        "maven.tar.xz": "9041ac7dda108625e159504f14e4d42375a1b2f0cf257a3b3c2ec4f0bd910d9e",
+        "maven-3.8.1.tar.xz": "65ea8259df08175343593daf6663e2c8a739d75a8d4ef76f0f7d23e15b06e40a",
         "mockito.tar.xz": "7b35153653525935f7e6a039dbe608a1058b139e9e6b5f3b6d0362ff114fe77f",
         "modello.tar.xz": "be90712a48c4305d9e2ea4d35729d2a2b505ea25512fc3014234d9ac1ec6e46c",
         "mojo-parent-pom.tar.xz": "23e97b26ff8efd391bccd0cf215bb0ec2e7ac6caf2b9394b61766bfb9b110bb7",

SPECS/javapackages-bootstrap/javapackages-bootstrap.spec

@@ -13,7 +13,7 @@
 
 Name:           javapackages-bootstrap
 Version:        1.5.0
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        A means of bootstrapping Java Packages Tools
 # For detailed info see the file javapackages-bootstrap-PACKAGE-LICENSING
 License:        ASL 2.0 and ASL 1.1 and (ASL 2.0 or EPL-2.0) and (EPL-2.0 or GPLv2 with exceptions) and MIT and (BSD with advertising) and BSD-3-Clause and EPL-1.0 and EPL-2.0 and CDDL-1.0 and xpp and CC0 and Public Domain
@@ -87,7 +87,7 @@ Source1057:     maven-parent-pom.tar.xz
 Source1058:     maven-plugin-testing.tar.xz
 Source1059:     maven-plugin-tools.tar.xz
 Source1060:     maven-remote-resources-plugin.tar.xz
-Source1061:     maven-resolver.tar.xz
+Source1061:     maven-resolver-1.7.0.tar.xz
 Source1062:     maven-resources-plugin.tar.xz
 Source1063:     maven-resources.tar.xz
 Source1064:     maven-shared-incremental.tar.xz
@@ -97,7 +97,7 @@ Source1067:     maven-source-plugin.tar.xz
 Source1068:     maven-surefire.tar.xz
 Source1069:     maven-verifier.tar.xz
 Source1070:     maven-wagon.tar.xz
-Source1071:     maven.tar.xz
+Source1071:     maven-3.8.1.tar.xz
 Source1072:     mockito.tar.xz
 Source1073:     modello.tar.xz
 Source1074:     mojo-parent-pom.tar.xz
@@ -141,6 +141,7 @@ Patch1:         0001-Remove-usage-of-ArchiveStreamFactory.patch
 Patch2:         CVE-2023-37460.patch
 Patch3:         Internal-Java-API.patch
 Patch4:         CVE-2021-36373.patch
+Patch5:         CVE-2021-26291.patch
 
 Provides:       bundled(ant) = 1.10.9
 Provides:       bundled(apache-parent) = 23
@@ -202,7 +203,7 @@ Provides:       bundled(maven-parent) = 34
 Provides:       bundled(maven-plugin-testing) = 3.3.0
 Provides:       bundled(maven-plugin-tools) = 3.6.0
 Provides:       bundled(maven-remote-resources-plugin) = 1.7.0
-Provides:       bundled(maven-resolver) = 1.6.1
+Provides:       bundled(maven-resolver) = 1.7.0
 Provides:       bundled(maven-resources-plugin) = 3.2.0
 Provides:       bundled(maven-resources) = 1.4
 Provides:       bundled(maven-shared-incremental) = 1.1
@@ -212,7 +213,7 @@ Provides:       bundled(maven-source-plugin) = 3.2.1
 Provides:       bundled(maven-surefire) = 3.0.0~M3
 Provides:       bundled(maven-verifier) = 1.7.2
 Provides:       bundled(maven-wagon) = 3.4.2
-Provides:       bundled(maven) = 3.6.3
+Provides:       bundled(maven) = 3.8.1
 Provides:       bundled(mockito) = 3.7.13
 Provides:       bundled(modello) = 1.11
 Provides:       bundled(mojo-parent) = 60
@@ -305,6 +306,8 @@ pushd "downstream/ant"
 %patch4 -p1
 popd
 
+%patch5 -p1
+
 # remove guava.xml from javapackage-bootstrap 1.5.0
 # import guava.xml 32.1.3 from Fedora 40
 # edit version from guava.properties
@@ -389,6 +392,10 @@ sed -i 's|/usr/lib/jvm/java-11-openjdk|%{java_home}|' %{buildroot}%{launchersPat
 %doc AUTHORS
 
 %changelog
+* Tue May 13 2025 Kanishk Bansal <[email protected]> - 1.5.0-7
+- Update maven to 3.8.1 and maven-resolver to 1.7.0 to fix CVE-2021-26291
+- Add the CVE-2021-26291.patch to enable these upgrades
+
 * Wed Feb 26 2025 Kshitiz Godara <[email protected]> - 1.5.0-6
 - Patch CVE-2021-36373 and CVE-2021-36374.