commons-io CVE in transitive dependency of build-helper-maven-plugin

[ChrWeissDe]

The ace-maven-plugin uses under the cover for the packaging the "build-helper-maven-plugin"
to attach build outputs (e.g. the bar file) to the maven artefact / package.

See e.g.: https://github.com/ot4i/ace-maven-plugin/blob/feature/java17/ace-maven-plugin/src/main/java/ibm/maven/plugins/ace/mojos/PackageaceBarMojo.java

Unfortunately the build-helper-maven-plugin has a transitive dependency to a quite old version of the commons-io plugin which has a CVE

--> https://mvnrepository.com/artifact/commons-io/commons-io/2.11.0
--> CVE: CVE-2024-47554

This should be of course fixed. Unfortunately - as of now - there is no newer version of the build-helper-maven-plugin available.

Options:

• wait for a new version of the build-helper-maven-plugin
• change the packaging --> one option would be leverage the maven-assembly-plugin

Next steps:

• check if the maven-assembly-plugin can be modified / configured to add the generated bar file

[ChrWeissDe]

Opened an issue for the build-helper-maven-plugin - to get it fixed:
mojohaus/build-helper-maven-plugin#223

However no response yet.

[ChrWeissDe]

One Option would be to extend the assembly and define that the bar file is part of the overall "generated zip".
Link to the current assembly file:
https://github.com/ot4i/ace-maven-plugin/blob/feature/java17/ace-maven-plugin/src/main/resources/assemblies/ace-bar-project.xml

[ChrWeissDe]

bar file is stored under: target\ace*.bar file