Thanks a ton, great cud to chew on! Now I think I know the culprit and it's been deprecated. Guessing I can just delete that log4j directory and be done with it.
On Thursday, December 16, 2021 at 1:12:28 PM UTC-7 [email protected] wrote:
> I would exclude /opt/jenkins/.m2/repository from any scans, as already mentioned that is the local maven cache.
> Also if you don't maintain that, it will grow and grow.
> Personally I update build jobs so they each have their own maven cache using -Dmaven.repo.local=mvn-repo then delete that after your job completes. You might need to tweak some of your process if they depend upon one job installing and another job consuming. But the problem with that is if you do builds per branch they could conflict if using the same version number.
>
> Or, delete /opt/jenkins/.m2/repository/org/apache/logging/log4j/ and rebuild all your projects. As maven will download it again if it still needs it. If a pre 2.15.0/2.16.0 version appears, then it means one of your jobs still has an older version as a dependency.
>
> On Thu, 16 Dec 2021 at 18:59, Baptiste Mathus <[email protected]> wrote:
>
>> That's unrelated to Jenkins per se. This directory is the maven cache, also called 'local repository'.
>>
>> My theory is that you have a job or more that uses maven with default values. I suspect you even run these on the controller itself...
>>
>> Some of your job(s) build(s) software of yours that depends on a vulnerable version of log4j.
>>
>> On Thu, 16 Dec 2021 at 19:15, [email protected] <[email protected]> wrote:
>>
>>> Hi all. Getting popped by our security team for an old version of log4j. I've checked and we don't have any of the plugins installed identified by the following issue:
>>>
>>> https://issues.jenkins.io/browse/JENKINS-67353
>>>
>>> Here's the info from the scan:
>>>
>>> Plugin Output:
>>> Path : /opt/jenkins/.m2/repository/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.pom.sha1
>>> Installed version : 2.14.1
>>> Fixed version : 2.15.0
>>>
>>> Anyone have a clue on how I go about upgrading this?
>>>
>>> Thanks,
>>> Eric
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/0e0194bf-3090-43e1-92d2-be3789365ae5n%40googlegroups.com.
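The check the thread describes (rebuild, then see whether an old log4j-core reappears in the Maven cache) as a small script. This is an added example, not code from anyone in the thread; the default repository path is taken from the scan output above, and the 2.16.0 cutoff is an assumption matching the versions the reply mentions.

```shell
#!/bin/sh
# Added example (not from the thread): list log4j-core versions in a local
# Maven cache that predate the fixed line the thread refers to (2.16.0).
# The default repository path is the one from the scan output in the thread.

# version_key: turn "2.14.1" into a fixed-width integer key (002014001) so
# that versions can be compared numerically rather than lexically.
# Qualifiers such as "-rc1" or "-SNAPSHOT" are dropped from the patch field.
version_key() {
    v=$1
    major=${v%%.*}; v=${v#"$major"}; v=${v#.}
    minor=${v%%.*}; v=${v#"$minor"}; v=${v#.}
    patch=${v%%.*}
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
    printf '%03d%03d%03d' "${major:-0}" "${minor:-0}" "${patch:-0}"
}

# version_lt A B: succeed when version A is older than version B.
version_lt() {
    [ "$(version_key "$1")" -lt "$(version_key "$2")" ]
}

# find_vulnerable_log4j_core REPO [FIXED]: print every cached log4j-core
# version directory under REPO that is older than FIXED (default 2.16.0).
# A non-empty result after a clean rebuild means some job still declares an
# old log4j-core dependency, which is the check the thread describes.
find_vulnerable_log4j_core() {
    repo=${1:-/opt/jenkins/.m2/repository}
    fixed=${2:-2.16.0}
    for dir in "$repo"/org/apache/logging/log4j/log4j-core/*/; do
        [ -d "$dir" ] || continue          # glob did not match anything
        dir=${dir%/}
        ver=${dir##*/}
        if version_lt "$ver" "$fixed"; then
            printf '%s\n' "$dir"
        fi
    done
}

# Stand-alone usage: ./log4j_cache_check.sh [REPO_PATH]
find_vulnerable_log4j_core "${1:-/opt/jenkins/.m2/repository}"
```

Run it once before and once after deleting the log4j directory and rebuilding; any path it prints afterwards points at a job whose dependency tree still pulls the old artifact.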
