Example enforcer rule to exclude commons-collections 3.2.1 from the build
| <!-- Avoid the M.A.D. Gadget vulnerability in certain apache commons-collections versions --> | |
| <project> | |
| <!-- ... --> | |
| <build> | |
| <plugins> | |
| <plugin> | |
| <artifactId>maven-enforcer-plugin</artifactId> | |
| <executions> | |
| <execution> | |
| <goals><goal>enforce</goal></goals> | |
| <configuration> | |
| <rules> | |
| <bannedDependencies> | |
| <excludes> | |
| <exclude>commons-collections:commons-collections:[3.0,3.2.1]</exclude> | |
| <exclude>commons-collections:commons-collections:4.0</exclude> | |
| </excludes> | |
| </bannedDependencies> | |
| </rules> | |
| </configuration> | |
| </execution> | |
| </executions> | |
| </plugin> | |
| </plugins> | |
| </build> | |
| </project> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This comment has been minimized.
TobiX commentedSep 5, 2017
•
edited
Unfortunatly, the second exclude is wrong, since the GAV for commons-collections 4 is different from older versions. The correct syntax is: