Example enforcer rule to exclude commons-collections 3.2.1 from the build
<!-- Avoid the M.A.D. Gadget vulnerability in certain apache commons-collections versions -->
<project>
  <!-- ... -->
  <build>
    <plugins>
      <plugin>
        <artifactId>maven-enforcer-plugin</artifactId>
        <executions>
          <execution>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <exclude>commons-collections:commons-collections:[3.0,3.2.1]</exclude>
                    <exclude>commons-collections:commons-collections:4.0</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
Unfortunately, the second exclude is wrong, since the GAV for commons-collections 4 is different from older versions. The correct syntax is:
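
Added example (not part of the gist or of the comment above): a simplified Python model of how `groupId:artifactId:version` exclude patterns match resolved coordinates, showing that the gist's second pattern never matches release 4.0, which is published as `org.apache.commons:commons-collections4`. The dependency list, the function names, the `COORDINATE_BASED` pattern and the exact-match handling of a single version are assumptions of this example, not the enforcer plugin's implementation.

```python
import re
from fnmatch import fnmatchcase

# Exclude patterns exactly as written in the gist.
GIST_EXCLUDES = [
    "commons-collections:commons-collections:[3.0,3.2.1]",
    "commons-collections:commons-collections:4.0",
]
# This example's own pattern, built from the published 4.0 coordinates.
COORDINATE_BASED = GIST_EXCLUDES[:1] + ["org.apache.commons:commons-collections4:4.0"]

# Constructed sample of resolved dependencies (groupId:artifactId:version).
RESOLVED = [
    "commons-collections:commons-collections:3.2.1",
    "commons-collections:commons-collections:3.2.2",
    "org.apache.commons:commons-collections4:4.0",
]

def ver(v):
    """Numeric tuple for plain dotted versions such as 3.2.1."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def version_matches(spec, version):
    """Simplified model: inclusive range [lo,hi], otherwise exact or wildcard."""
    m = re.fullmatch(r"\[([^,\]]*),([^,\]]*)\]", spec)
    if m:
        lo, hi = m.groups()
        return (not lo or ver(lo) <= ver(version)) and (not hi or ver(version) <= ver(hi))
    return fnmatchcase(version, spec)

def banned_by(coord, excludes):
    """Return the first exclude pattern matching coord, or None."""
    group, artifact, version = coord.split(":")
    for pattern in excludes:
        parts = pattern.split(":") + ["*", "*"]  # artifactId and version are optional
        if (fnmatchcase(group, parts[0]) and fnmatchcase(artifact, parts[1])
                and version_matches(parts[2], version)):
            return pattern
    return None

def audit(resolved, excludes):
    """Map each resolved coordinate to the pattern that bans it (or None)."""
    return {coord: banned_by(coord, excludes) for coord in resolved}

if __name__ == "__main__":
    for name, rules in (("gist", GIST_EXCLUDES), ("coordinate-based", COORDINATE_BASED)):
        for coord, hit in audit(RESOLVED, rules).items():
            print(f"{name:17} {coord:48} {'BANNED' if hit else 'allowed'}")
```

Running the same kind of comparison against the output of `mvn dependency:list` shows whether a ban rule can ever fire for the artifacts a build actually resolves.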