jaxb-v2
POM contains insecure external repositories
The `jaxb-parent` 2.3.0 POM contains `<repositories>` and `<pluginRepositories>` with non-`https` URLs. That makes it unsafe to use JAXB from Maven Central, since downloads of artifacts from those third-party repositories may be intercepted and maliciously modified in-flight. (2.2.10 has only `https` URLs.)
Please do at least one of the following:
- Remove the `<repositories>` and `<pluginRepositories>` entirely.
- Change all of their URLs to `https`.
- Move them into a `<profile>` that isn't active by default.
Note that the requirements for publishing to Maven Central discourage the use of `<repositories>` and `<pluginRepositories>`. In the past, it was forbidden.
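
A check for the condition reported above, added here as an example and not part of the original issue or the JAXB project: it lists every `<repositories>` / `<pluginRepositories>` entry with a non-`https` URL that applies to a default build, skipping profiles that are not active by default. The sample POM, its hosts and the function names are constructed for illustration, and the POM is assumed to use the standard Maven 4.0.0 namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample POM for illustration; hosts are placeholders, not jaxb-parent's.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>top-http</id><url>http://repo.example.invalid/m2</url></repository>
    <repository><id>top-https</id><url>https://repo.example.invalid/m2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plug-http</id><url>http://plug.example.invalid/</url></pluginRepository>
  </pluginRepositories>
  <profiles>
    <profile><id>optin</id>
      <repositories>
        <repository><id>optin-http</id><url>http://optin.example.invalid/</url></repository>
      </repositories></profile>
    <profile><id>always</id>
      <activation><activeByDefault>true</activeByDefault></activation>
      <repositories>
        <repository><id>always-http</id><url>http://always.example.invalid/</url></repository>
      </repositories></profile>
  </profiles>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
REPO_PATHS = ("m:repositories/m:repository", "m:pluginRepositories/m:pluginRepository")

def non_https(scope_elem, scope_name):
    """Yield (scope, id, url) for each repository directly under scope_elem that is not https."""
    for path in REPO_PATHS:
        for repo in scope_elem.findall(path, NS):
            url = (repo.findtext("m:url", "", NS) or "").strip()
            if not url.lower().startswith("https://"):
                yield (scope_name, repo.findtext("m:id", "?", NS), url)

def audit_pom(pom_xml):
    """Return the non-https repositories that take effect in a default build."""
    project = ET.fromstring(pom_xml)
    findings = list(non_https(project, "top-level"))
    for profile in project.findall("m:profiles/m:profile", NS):
        # Assumption: only <activeByDefault> is evaluated; jdk/os/property triggers are not.
        active = (profile.findtext("m:activation/m:activeByDefault", "", NS) or "").strip()
        if active.lower() == "true":
            findings += non_https(profile, "profile:" + profile.findtext("m:id", "?", NS))
    return findings

if __name__ == "__main__":
    for scope, repo_id, url in audit_pom(SAMPLE_POM):
        print(f"{scope}: {repo_id} -> {url}")
```

An empty result means the POM satisfies at least one of the three remedies listed in the issue for every repository it declares.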