Hi David

Many thanks for your email, I really appreciate your reply.
This is an isolated example of the problem.
https://github.com/jveverka/mvn-dependency-log4j
You can find all repro steps there.
In case of any questions, feel free to contact me.

Kind regards
Juraj Veverka

On Mon, Feb 28, 2022 at 12:14 PM David Milet <david.mi...@gmail.com> wrote:

> Where I work we decided to address log4j vulnerabilities only for
> components directly used by the application and actually performing logging.
> We ignored transitive dependencies and maven plug-ins.
> I’m curious about this use case from Venu though, what application would
> rely on the maven dependency plugin at runtime? Does it mean you’re pulling
> maven dependencies after application startup?
>
> On Feb 28, 2022, at 03:30, Slawomir Jaranowski <s.jaranow...@gmail.com> wrote:
> >
> > Hi,
> >
> > Please provide more information, like plugin, maven, os version.
> >
> > We also need an example project which reproduces your issue.
> > When we can't reproduce we can't help.
> >
> > On Mon, 28 Feb 2022 at 08:55, Jaladi, Venumadhav
> > <jaladi.venumad...@verizon.com.invalid> wrote:
> >
> >> Hi team,
> >>
> >> Can I expect any response? Is this the right email address for my
> >> question?
> >>
> >> Thanks,
> >> Venu
> >>
> >>
> >>> On Thu, Feb 24, 2022 at 6:47 AM Jaladi, Venumadhav <
> >>> jaladi.venumad...@verizon.com> wrote:
> >>>
> >>> Hi team,
> >>>
> >>> We are using the Maven Dependency Plugin in one of our projects and our
> >>> scanning tools are showing multiple vulnerabilities related to Log4j
> >>> (CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305,
> >>> CVE-2022-23307 and CVE-2021-4104).
> >>>
> >>> We would like to know if there are any plans to release a newer version
> >>> of Maven Dependency Plugin with the fixes of these
> >>> vulnerabilities (referring to the latest version of Log4j libraries). If
> >>> so, is there any planned date for this release?
> >>>
> >>> Please let us know if any more information is required.
> >>>
> >>> Thanks,
> >>> Venu
> >>>
> >>
> >
> >
> > --
> > Sławomir Jaranowski
>

--
Best Regards
--
Juraj Veverka <https://github.com/jveverka> | Solution Design Architect
www.globallogic.sk