Plugin dependencies overrides are ignored and may lead to FPs #8570

@bjansen

Description

Precondition

  • I checked the issues list for existing open or closed reports of the same problem.

Describe the bug
When scanPlugins is enabled, dependency-check looks for CVEs in Maven plugins and their dependencies. If one of these dependencies is vulnerable, overriding the dependency to a more recent version usually fixes the vulnerability but dependency-check still sees the vulnerable version and reports false positives.

Version of dependency-check used
The problem occurs using version 12.2.x of the maven plugin.

To Reproduce
Steps to reproduce the behavior:

  1. Create an empty maven project with the following configuration:
	<build>
		<pluginManagement>
			<plugins>
				<plugin>
					<groupId>org.apache.maven.plugins</groupId>
					<artifactId>maven-dependency-plugin</artifactId>
					<version>3.11.0</version>
				</plugin>

				<plugin>
					<groupId>org.apache.maven.plugins</groupId>
					<artifactId>maven-clean-plugin</artifactId>
					<version>3.5.0</version>
				</plugin>
				
				<plugin>
					<groupId>org.owasp</groupId>
					<artifactId>dependency-check-maven</artifactId>
					<version>12.2.2</version>
					
					<configuration>
						<scanPlugins>true</scanPlugins>
					</configuration>
				</plugin>
			</plugins>
		</pluginManagement>	
	</build>
  2. Run mvn dependency-check:check and see CVEs in plexus-utils-4.0.2:
One or more dependencies were identified with known vulnerabilities in dependency-check-plugin-cve:
[...]
plexus-utils-4.0.2.jar (pkg:maven/org.codehaus.plexus/plexus-utils@4.0.2, cpe:2.3:a:codehaus-plexus:plexus-utils:4.0.2:*:*:*:*:*:*:*, cpe:2.3:a:utils_project:utils:4.0.2:*:*:*:*:*:*:*) : CVE-2025-67030
[...]

See that this dependency is pulled by maven-clean-plugin (and others) in the HTML report:

[screenshot of the HTML report]
  3. Override the version of plexus-utils pulled by maven-clean-plugin in pluginManagement:
				<plugin>
					<groupId>org.apache.maven.plugins</groupId>
					<artifactId>maven-clean-plugin</artifactId>
					<version>3.5.0</version>
					<dependencies>
						<dependency>
							<groupId>org.codehaus.plexus</groupId>
							<artifactId>plexus-utils</artifactId>
							<version>4.0.3</version>
						</dependency>
					</dependencies>
				</plugin>
  4. Confirm that maven sees the correct version at runtime using mvn dependency:resolve-plugins (you need a recent version of maven-dependency-plugin, I used 3.11.0):
% mvn dependency:resolve-plugins
[...]
[INFO]    org.apache.maven.plugins:maven-clean-plugin:jar:3.5.0
[INFO]       org.apache.maven.plugins:maven-clean-plugin:jar:3.5.0
[INFO]       org.codehaus.plexus:plexus-utils:jar:4.0.3
[...]
  5. Run dependency-check again and see in the report that it still believes maven-clean-plugin is using a vulnerable version of plexus-utils

Expected: plugins overrides should fix vulnerabilities.
Actual: dependency-check reports FPs once non-vulnerable transitive dependencies are forced in pluginManagement.
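A way to triage findings like the one above while the bug is open is to compare what dependency-check reports against what Maven itself resolves for each plugin (step 4 of the report). The script below is an added example written for this page; it is not part of the issue and not code from the dependency-check project. It assumes the `mvn dependency:resolve-plugins` output keeps the shape quoted in the issue (plugin line indented by four spaces, its resolved dependencies by seven), and both the sample output and the findings list are constructed for the demo; the plexus-utils coordinates and CVE-2025-67030 are the ones from the issue, the second finding is a placeholder.

```python
import re
from dataclasses import dataclass

# Constructed sample of `mvn dependency:resolve-plugins` output, shaped like the
# excerpt quoted in the issue: a plugin line indented by four spaces, followed by
# that plugin's resolved dependencies indented by seven spaces. plexus-utils 4.0.3
# is the overridden version from the issue; the rest of the text is made up.
RESOLVE_PLUGINS_OUTPUT = """\
[INFO] --- dependency:3.11.0:resolve-plugins (default-cli) @ demo ---
[INFO]    org.apache.maven.plugins:maven-clean-plugin:jar:3.5.0
[INFO]       org.apache.maven.plugins:maven-clean-plugin:jar:3.5.0
[INFO]       org.codehaus.plexus:plexus-utils:jar:4.0.3
[INFO]    org.apache.maven.plugins:maven-dependency-plugin:jar:3.11.0
[INFO]       org.apache.maven.plugins:maven-dependency-plugin:jar:3.11.0
[INFO]       org.codehaus.plexus:plexus-utils:jar:4.0.3
[INFO] BUILD SUCCESS
"""

# Constructed findings in the (purl, CVE) form dependency-check prints. The first
# pair is taken from the issue; the second is a placeholder no plugin resolves.
DEPENDENCY_CHECK_FINDINGS = [
    ("pkg:maven/org.codehaus.plexus/plexus-utils@4.0.2", "CVE-2025-67030"),
    ("pkg:maven/org.example/made-up-lib@1.0.0", "CVE-PLACEHOLDER"),
]

PLUGIN_LINE = re.compile(r"^\[INFO\] {4}([^:\s]+):([^:\s]+):jar:([^:\s]+)$")
DEP_LINE = re.compile(r"^\[INFO\] {7}([^:\s]+):([^:\s]+):jar:([^:\s]+)$")
PURL = re.compile(r"^pkg:maven/([^/]+)/([^@]+)@(\S+)$")


def parse_resolved_plugins(output: str) -> dict[str, dict[str, str]]:
    """Return {plugin 'group:artifact:version': {'group:artifact': resolved version}}
    parsed from the text of `mvn dependency:resolve-plugins`."""
    resolved: dict[str, dict[str, str]] = {}
    current = None
    for line in output.splitlines():
        m = PLUGIN_LINE.match(line)
        if m:
            current = ":".join(m.groups())
            resolved.setdefault(current, {})
            continue
        m = DEP_LINE.match(line)
        if m and current is not None:
            group, artifact, version = m.groups()
            resolved[current][f"{group}:{artifact}"] = version
    return resolved


@dataclass(frozen=True)
class Verdict:
    purl: str
    cve: str
    status: str                   # one of the three values documented in triage()
    resolved_by: tuple[str, ...]  # "plugin -> version" for every plugin pulling the artifact


def triage(findings, resolved: dict[str, dict[str, str]]) -> list[Verdict]:
    """Compare each reported purl with what Maven actually resolved.

    confirmed               - some plugin resolves exactly the reported version
    likely-false-positive   - plugins pull the artifact, but only at other versions
                              (the symptom described in the issue after an override)
    not-on-plugin-classpath - no plugin resolves the artifact at all
    """
    verdicts = []
    for purl, cve in findings:
        m = PURL.match(purl)
        if not m:
            continue  # not a Maven purl; nothing to compare against
        group, artifact, reported = m.groups()
        ga = f"{group}:{artifact}"
        hits = {plugin: deps[ga] for plugin, deps in resolved.items() if ga in deps}
        if not hits:
            status = "not-on-plugin-classpath"
        elif reported in hits.values():
            status = "confirmed"
        else:
            status = "likely-false-positive"
        resolved_by = tuple(f"{p} -> {v}" for p, v in sorted(hits.items()))
        verdicts.append(Verdict(purl, cve, status, resolved_by))
    return verdicts


if __name__ == "__main__":
    plugins = parse_resolved_plugins(RESOLVE_PLUGINS_OUTPUT)
    for v in triage(DEPENDENCY_CHECK_FINDINGS, plugins):
        print(f"{v.status:24} {v.cve:16} {v.purl}")
        for line in v.resolved_by:
            print(f"{'':24} {'':16}   {line}")
```

A finding marked likely-false-positive is one where every plugin that pulls the artifact resolves a different version than the one reported, which is exactly the situation the issue describes after the pluginManagement override; a finding stays confirmed as long as any single plugin still resolves the vulnerable version, so the per-plugin breakdown tells you which plugin still needs an override. Maven's own resolution is what runs at build time, so it is the reference to trust when the two disagree.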

Labels: bug, maven (changes to the maven plugin)