Log4j 2.12.1 getting download it when running pluggin commands #1175
Comments
We don't use log4j. It's most likely a transitive dependency of your project. You can use mvn dependency:tree -Dverbose | grep -B 8 log4j
You can also try with:
Next, examine the content of the directories:
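The dependency:tree approach from the reply above, as an added example that is not part of the original thread or of versions-maven-plugin: instead of relying on grep -B 8 to show nearby lines, this script walks the tree's indentation and prints the exact chain from the project root down to every artifact matching a pattern, so you can see which direct dependency is responsible for pulling log4j in. The sample tree output is constructed; com.example:some-lib is a placeholder standing in for whichever of your own dependencies declares log4j, and the function also handles the parenthesised "omitted for duplicate" nodes that -Dverbose emits.

```shell
#!/bin/sh
# Print the full dependency path from the project root to every node of a
# `mvn dependency:tree` whose coordinates contain a pattern (e.g. log4j).
# Added example for this thread; not part of versions-maven-plugin.
# Real usage: mvn dependency:tree -Dverbose | find_dependency_path log4j

find_dependency_path() {
    pattern="$1"
    awk -v pattern="$pattern" '
        # Tree lines look like "[INFO] |  +- group:artifact:type:version:scope";
        # each nesting level adds exactly three prefix characters.
        /^\[INFO\] / {
            line = substr($0, 8)
            # Require four colon-separated coordinate fields so plugin banner
            # lines such as "--- maven-dependency-plugin:3.6.0:tree ---" are skipped.
            if (!match(line, /[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+/))
                next
            prefix = substr(line, 1, RSTART - 1)
            node = substr(line, RSTART)
            # -Dverbose wraps omitted or managed nodes as "(coords - reason)".
            sub(/\($/, "", prefix)
            sub(/ - .*$/, "", node)
            sub(/\)$/, "", node)
            # Only tree-drawing characters may precede the coordinates.
            if (prefix ~ /[^|+\\ -]/ || length(prefix) % 3 != 0)
                next
            depth = length(prefix) / 3
            stack[depth] = node
            if (index(node, pattern) > 0) {
                path = stack[0]
                for (i = 1; i <= depth; i++) path = path " -> " stack[i]
                print path
            }
        }'
}

# Constructed sample output of `mvn dependency:tree -Dverbose`; the
# com.example artifacts are placeholders, not real coordinates.
SAMPLE_TREE='[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ example-app ---
[INFO] com.example:example-app:jar:1.0.0
[INFO] +- com.example:some-lib:jar:3.4.5:compile
[INFO] |  +- com.example:some-lib-api:jar:3.4.5:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.12.1:compile
[INFO] |     \- org.apache.logging.log4j:log4j-api:jar:2.12.1:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] \- junit:junit:jar:4.13.2:test
[INFO]    \- (org.hamcrest:hamcrest-core:jar:1.3:test - omitted for duplicate)'

# Show every path that leads to a log4j artifact in the sample tree.
printf '%s\n' "$SAMPLE_TREE" | find_dependency_path log4j
```

Each printed line reads root -> direct dependency -> ... -> matching artifact, so the second element is the dependency to exclude, upgrade, or override with dependencyManagement. If nothing is printed, the artifact is not in your project's tree at all and, as the maintainers note above, what you are seeing in ~/.m2 comes from plugin resolution rather than from your build's classpath.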
Apologies for closing this. This should be resolved by #1168
It is strange ... optional dependencies should not be downloaded ... we need more investigation in Maven/Resolver. By the way, it should be resolved with the new version of doxia.
@slawekjaranowski in case you're interested, here's the output of rm -rf ~/.m2/repository/log4j/log4j; mvn -X versions:set versions:revert -DnewVersion=dummy | tee /tmp/versions.log Only pom.xml gets downloaded. Not a vulnerability. I'm not sure why pom.xml gets downloaded, but this is out of scope of versions-maven-plugin, it's a question to Resolver guys. I wonder if this plugin's use would get flagged by any threat scanner if it's only downloading a pom.xml.
Hi team,
I want to raise the issue that when I run a command using this plugin in the .m2 folder, I get a log4j 2.12.1 version with multiple vulnerabilities. Our Security team is asking to upgrade to a higher version.
I already verified:
How can I get around downloading that log4j version? I would appreciate any help or feedback you can give me.
Plugin version: 2.17.1
Command: version:set versions:commit -DnewVersion="dummy"
https://security.snyk.io/package/maven/org.apache.logging.log4j:log4j-core/2.12.1