fabric8.io/docker-maven-plugin security alert


Roland Huss

Jun 10, 2017, 4:21:40 AM
to fabric8
Hi,

thanks to a mindful user, a security issue with an integration test of d-m-p has been detected [1]. For introducing the `docker:load` feature in version 0.2, a test image was loaded and saved during an integration test. This feature was provided as a PR which we merged on January 2nd, 2017. Unfortunately the PR includes a `busybox-image.tar.gz` which contains a Trojan.

I consider the impact as quite low:

* It is used only during an integration test where it imports the image and immediately deletes it afterwards [2]. So only when this test fails in between is the image left on the Docker daemon used for testing (but we never encountered any issue with this test).
* It never was part of any binary release on Maven Central.
* It can only possibly affect people developing on d-m-p, running integration tests.

In order to fix this, I just

* removed the affected file from master's HEAD [3]
* rewrote the Git history with the BFG Repo-Cleaner [4] to remove it from Git history.

However, this obviously doesn't clean up any forks or local clones.

**It is therefore highly recommended to clone local working directories afresh and create a new fork (or at least rebase on the latest version of master)**

Sorry for any inconvenience.

... roland


--
... roland
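The check a d-m-p developer would want after reading this: does my local clone still carry the tarball anywhere in its history or object store, and is a rebase enough to get rid of it? The following is an added example, not code from the original message or from the d-m-p project. It builds a throwaway repository (constructed dummy data, not the trojaned `busybox-image.tar.gz`) in which the file was committed and later deleted, shows that `git rev-list` still finds it and that the blob is still in the object store, then purges it with `git filter-branch` plus reflog expiry and `git gc --prune=now`. Roland used the BFG Repo-Cleaner for the real cleanup; `filter-branch` is substituted here only because it ships with git. The helper names and the identity values are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original message or from d-m-p: check whether
# a local clone still carries a file anywhere in its history, and purge it.
# Assumes git is on PATH. The "image" committed here is constructed dummy data,
# not the trojaned busybox-image.tar.gz the post describes.
set -e

# Identity for the throwaway commits (assumed values).
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid
export FILTER_BRANCH_SQUELCH_WARNING=1   # skip filter-branch's warning pause

# Build a repo that, like d-m-p before the cleanup, had the tarball committed
# and later deleted: the file is gone from HEAD but still in history.
make_demo_repo() {
  dir=$(mktemp -d)
  (
    cd "$dir"
    git -c init.defaultBranch=main init -q
    printf 'not a real image\n' > busybox-image.tar.gz
    git add busybox-image.tar.gz
    git commit -q -m 'add test image for docker:load IT'
    git rm -q busybox-image.tar.gz
    git commit -q -m 'remove test image'
  )
  echo "$dir"
}

# Blob id git assigns to the dummy tarball content above (for blob_present).
demo_blob_id() {
  printf 'not a real image\n' | git hash-object --stdin
}

# Exit 0 if any commit reachable from any ref touched PATH. Deleting the file
# in a later commit does not make this false: the history still has it.
history_has_path() {
  repo=$1; path=$2
  [ -n "$(cd "$repo" && git rev-list --all -- "$path")" ]
}

# Exit 0 if the blob with the given id is still in the object store, reachable
# or not. Rebasing onto rewritten upstream leaves such blobs behind, kept alive
# by old branches, reflogs and remote-tracking refs.
blob_present() {
  repo=$1; hash=$2
  (cd "$repo" && git cat-file -e "$hash")
}

# Rewrite every ref so PATH never existed, then drop the backup refs, reflogs
# and unreachable objects that would otherwise keep the blob alive.
purge_path() {
  repo=$1; path=$2
  (
    cd "$repo"
    git filter-branch -f \
      --index-filter "git rm --cached --ignore-unmatch -q '$path'" -- --all \
      >/dev/null
    # filter-branch keeps the old history under refs/original/; delete it.
    git for-each-ref --format='%(refname)' refs/original/ |
      while read -r ref; do git update-ref -d "$ref"; done
    git reflog expire --expire=now --all
    git gc -q --prune=now
  )
}

# Demo run: state before and after cleanup.
demo() {
  repo=$(make_demo_repo)
  id=$(demo_blob_id)
  if history_has_path "$repo" busybox-image.tar.gz && blob_present "$repo" "$id"; then
    echo "before: tarball in history and blob still in object store"
  fi
  purge_path "$repo" busybox-image.tar.gz
  if ! history_has_path "$repo" busybox-image.tar.gz && ! blob_present "$repo" "$id"; then
    echo "after: history rewritten and blob pruned"
  fi
  rm -rf "$repo"
}
demo
```

Run `history_has_path` and `blob_present` against your own clone (with the real path and the blob id of the file you are worried about) before and after pulling the rewritten master; if either still succeeds, a fresh clone is the cleaner fix than trying to prune in place.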