Yes, if you see "there are some critical vulnerabilities in Maven" in the PPT in the future, you should understand it as "there are vulnerabilities in these dependent artifacts in the Maven central repository".
The above is an Apache Maven to the following figure:
In addition to take to innuendo Snyk Senior Engineer Company (the world's leading provider of application security solutions) do not understand Maven and Maven Center difference, but also brought Maven returning to the central warehouse change . Maven central warehouse ( mvnrepository.com ) recently quietly added a feature, adding a Vulnerabilities red highlight field to the dependency list. This field is used to display the vulnerability information of the current dependency version to remind those who have not noticed The developer of the vulnerability information can easily assess the vulnerability and avoid it.
Please note that the vulnerabilities that have been announced will be displayed. The Maven central warehouse does not have the ability to scan for vulnerabilities.
This move is very timely and is intended to introduce a mechanism to deal with risks like the Log4j2 vulnerability. Log4j2 vulnerability has not subsided. According Google statistics, there are currently more than 35,000 a Java class library by Log4j impact vulnerabilities accounted for Maven the total number of library central warehouse store 8% , the entire software industry have caused widespread as a result of. Experts analyzed the time taken to repair the defects reported in the key bulletin Maven 48% of the affected by the vulnerability have been repaired. The entire process may take several years. Maven team will help R&D teams that do not have a complete security assessment system to speed up the repair of the Java ecosystem log4jshell
Follow the public account: Felordcn for more information
java
**粗体** _斜体_ [链接](http://example.com) `代码` - 列表 > 引用。你还可以使用@来通知其他用户。