Thanks a ton, great cud to chew on!  Now I think I know the culprit and 
it's been deprecated.  Guessing I can just delete that log4j directory and 
be done with it.

On Thursday, December 16, 2021 at 1:12:28 PM UTC-7 nhoj.p...@gmail.com 
wrote:

> I would exclude /opt/jenkins/.m2/repository from any scans; as already 
> mentioned, that is the local maven cache.
> Also if you don't maintain that, it will grow and grow.
> Personally I update build jobs so they each have their own maven cache 
> using -Dmaven.repo.local=mvn-repo then delete that after your job 
> completes. You might need to tweak some of your process if they depend 
> upon one job installing and another job consuming. But the problem with 
> that is if you do builds per branch they could conflict if using the same 
> version number.
>
> Or, delete /opt/jenkins/.m2/repository/org/apache/logging/log4j/ and 
> rebuild all your projects, as maven will download it again if it still 
> needs it. If a pre-2.15.0/2.16.0 version appears, then it means one of your 
> jobs still has an older version as a dependency.
>
>
>
> On Thu, 16 Dec 2021 at 18:59, Baptiste Mathus <m...@batmat.net> wrote:
>
>> That's unrelated to Jenkins per se. This directory is the maven cache, 
>> also called 'local repository'.
>>
>> My theory is that you have a job or more that uses maven with default 
>> values. I suspect you even run these on the controller itself...
>>
>> Some of your job(s) build(s) a software of yours that depends on a 
>> vulnerable version of log4j.
>>
>>
>>
>>
>> On Thu, 16 Dec 2021 at 19:15, eric....@gmail.com <eric....@gmail.com> 
>> wrote:
>>
>>> Hi all.  Getting popped by our security team for an old version of 
>>> log4j.  I've checked and we don't have any of the plugins installed 
>>> identified by the following issue:
>>>
>>> https://issues.jenkins.io/browse/JENKINS-67353
>>>
>>> Here's the info from the scan:
>>>
>>> Plugin Output: 
>>>   Path              : 
>>> /opt/jenkins/.m2/repository/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.pom.sha1
>>>   Installed version : 2.14.1
>>>   Fixed version     : 2.15.0
>>>
>>> Anyone have a clue on how I go about upgrading this?
>>>
>>> Thanks,
>>> Eric
>>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/6147a143-256b-4f71-9b42-081744fc6bb8n%40googlegroups.com.
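
One way to run the check the replies describe (which log4j-core versions sit in the Maven local repository, and whether a pre-2.15.0 one reappears after the directory is deleted and the jobs are rebuilt). This is an added example, not part of the original thread; the function names are hypothetical and a sort(1) that supports -V is assumed:

```shell
#!/bin/sh
# Added example: list log4j-core versions cached in a Maven local
# repository that are older than a given fixed version.

# version_lt A B: succeeds when version A sorts strictly before version B.
# Assumption: sort supports -V (GNU coreutils, busybox). Pre-release
# suffixes such as "-rc1" are ordered however sort -V orders them.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# old_log4j_versions REPO FIXED
#   REPO  : Maven local repository, e.g. /opt/jenkins/.m2/repository or the
#           per-job directory given with -Dmaven.repo.local
#   FIXED : first version treated as fixed (the scan in the thread
#           reports 2.15.0)
# Prints, one per line, every cached log4j-core version older than FIXED.
old_log4j_versions() {
    repo=$1
    fixed=$2
    base="$repo/org/apache/logging/log4j/log4j-core"
    [ -d "$base" ] || return 0        # artifact never cached: nothing to report
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue     # glob matched nothing
        ver=$(basename "$dir")        # directory name is the artifact version
        if version_lt "$ver" "$fixed"; then
            printf '%s\n' "$ver"
        fi
    done
}

# Usage (after rebuilding the jobs):
#   old_log4j_versions /opt/jenkins/.m2/repository 2.15.0
# Any output means some job still resolves an older log4j-core.
```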
