[jira] [Commented] (MNG-7366) Maven downloading log4j version not specified in POM when building the Project.

2022-01-09 Thread Tharanadha K (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-7366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17471664#comment-17471664
 ] 

Tharanadha K commented on MNG-7366:
---

Thanks, Maarten. I am getting log4j 1.2.12 downloaded even though there are 
no plugins or dependencies added in my POM.xml. It is automatically taking 
maven-dependency-plugin 2.8 and downloading it (please see attachment). 
Is there any solution, as my client doesn't want this download?

Thank you in Advance

 

!image-2022-01-10-11-18-51-317.png!

> Maven downloading log4j version not specified in POM when building the 
> Project.
> ---
>
> Key: MNG-7366
> URL: https://issues.apache.org/jira/browse/MNG-7366
> Project: Maven
>  Issue Type: Bug
>  Components: Artifacts and Repositories, Dependencies
>Affects Versions: 3.8.4
>Reporter: Srinivasan L
>Priority: Critical
> Attachments: image-2022-01-10-11-18-51-317.png, maven log4j issue.png
>
>
> Maven downloading log4j version not specified in POM when building the 
> Project.
> In the POM I have updated my log4j to log4j-core 2.16.0 to fix the Log4j 
> vulnerability in the older version. But even after changing the version, Maven 
> is downloading versions 1.2.12 and 1.2.17 of Log4j when running the build.
> I'm not seeing these versions even in the dependency tree of my project. 
> Please help to fix this issue as it's a critical security issue.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Commented] (MNG-7366) Maven downloading log4j version not specified in POM when building the Project.

2022-01-08 Thread Maarten Mulders (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-7366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17471200#comment-17471200
 ] 

Maarten Mulders commented on MNG-7366:
--

I've said it before, and I'll say it again: a dependency being downloaded and 
stored on your filesystem does not do any harm per se.

It _can_ become harmful when that JAR is included in the classpath of a running 
system, that is also exposing the vulnerability. Then still, one would need to 
assess the _whole_ situation: what traffic hits the system, how is that 
vulnerable JAR used, etc. There is no single answer to that question - not for 
Maven, not for any other software in the world.

Back to the case of [~tharanadha]. Indeed, the Maven Compiler Plugin 3.1 
(transitively) depends on Log4J 1.2.12. Note that the latest version of that 
plugin, 3.8.1, no longer has this transitive dependency. But another plugin in 
your build may still have such a (transitive) dependency.

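The situation Maarten describes for Tharanadha's build, as an added example that is not part of the Jira issue or of the Maven project: Maven 3.8.x binds maven-compiler-plugin 3.1 to the compile phase whenever the POM does not pin a version (and its super POM pins maven-dependency-plugin 2.8, which is why that version showed up in the attachment), so the transitive log4j:log4j:1.2.12 is resolved for the plugin's classpath even in a project with no dependencies at all. Pinning every plugin version under {{pluginManagement}} in the parent POM (so it applies to all modules, not just the one that declares it) replaces those defaults; the two Enforcer rules make the build fail if a lifecycle plugin is left unpinned, or if log4j 1.x ever enters the project's own dependency graph. The coordinates {{com.example:app}}, the maven-dependency-plugin 3.2.0 and maven-enforcer-plugin 3.0.0 versions are assumptions chosen for illustration; compiler 3.8.1 and assembly 3.3.0 are the versions named in the thread.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>   <!-- assumed coordinates, not from the issue -->
  <artifactId>app</artifactId>
  <version>1.0-SNAPSHOT</version>

  <dependencies>
    <!-- The project's own logging dependency, as in the thread. -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.17.0</version>
    </dependency>
  </dependencies>

  <build>
    <pluginManagement>
      <plugins>
        <!-- Without this entry Maven 3.8.x falls back to maven-compiler-plugin 3.1,
             whose transitive plugin dependencies include log4j:log4j:1.2.12. -->
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-compiler-plugin</artifactId>
          <version>3.8.1</version>
        </plugin>
        <!-- Super POM default is 2.8; 3.2.0 is an assumed newer release. -->
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-dependency-plugin</artifactId>
          <version>3.2.0</version>
        </plugin>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-assembly-plugin</artifactId>
          <version>3.3.0</version>
        </plugin>
      </plugins>
    </pluginManagement>

    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0</version>   <!-- assumed version -->
        <executions>
          <execution>
            <id>enforce-plugin-pins-and-ban-log4j1</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <!-- Fail if any lifecycle-bound plugin would fall back to a default version. -->
                <requirePluginVersions/>
                <!-- Fail if log4j 1.x appears anywhere in the project's (transitive)
                     dependency graph. This rule does not inspect plugin classpaths. -->
                <bannedDependencies>
                  <excludes>
                    <exclude>log4j:log4j</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

On the first run {{requirePluginVersions}} lists every other lifecycle plugin that is still unpinned for the packaging (surefire, jar, resources, install, deploy, clean and so on); each of those needs its own {{pluginManagement}} entry as well. {{bannedDependencies}} guards only the project graph, which is the part that gets packaged and run; it will not stop Maven from fetching a 1.x jar that some plugin still depends on, so after pinning, run {{mvn dependency:resolve-plugins}} and look for log4j-1.2.12 among the resolved plugin dependencies to find any plugin that still needs upgrading. A jar that was already fetched stays under {{~/.m2/repository/log4j/log4j/1.2.12}} until it is deleted; that is the only way to get it off the filesystem, and as Maarten says, its presence there is not by itself exploitable.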


[jira] [Commented] (MNG-7366) Maven downloading log4j version not specified in POM when building the Project.

2022-01-08 Thread Tharanadha K (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-7366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17471184#comment-17471184
 ] 

Tharanadha K commented on MNG-7366:
---

Hi Maarten, 

I am also facing this issue. Log4J 1.2.12 is getting downloaded into the 
repository through the default Maven compiler plugin 3.1, even though I upgraded 
the maven-compiler-plugin to version 3.8.1. I also observed it from the Maven 
Assembly Plugin 3.3.0. 

In our dependencies, we are using log4j-core 2.17.0.

Looking for help to resolve this downloading of Log4j 1.2.12 into the 
repository, as the client doesn't want it.

 

Thank you,



[jira] [Commented] (MNG-7366) Maven downloading log4j version not specified in POM when building the Project.

2021-12-21 Thread Srinivasan L (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-7366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17463597#comment-17463597
 ] 

Srinivasan L commented on MNG-7366:
---

Thanks [~mthmulders], got it. But I was curious why Maven is downloading Log4j 
when no dependency is specified in the project POM.



[jira] [Commented] (MNG-7366) Maven downloading log4j version not specified in POM when building the Project.

2021-12-21 Thread Maarten Mulders (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-7366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17463054#comment-17463054
 ] 

Maarten Mulders commented on MNG-7366:
--

As said before:
{quote}By the way, the fact that Maven downloads a particular JAR is in itself 
not a critical security issue.
{quote}
Because as long as Log4J is not loaded by the application you package, deploy 
or run, nobody will be able to exploit any issue in Log4J.



[jira] [Commented] (MNG-7366) Maven downloading log4j version not specified in POM when building the Project.

2021-12-20 Thread Srinivasan L (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-7366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17463045#comment-17463045
 ] 

Srinivasan L commented on MNG-7366:
---

I tried saving with no dependency in the POM file but I am still seeing Log4j 
version 1.2.12 getting downloaded. Please refer to the attached image and 
investigate whether it is an issue or not.



[jira] [Commented] (MNG-7366) Maven downloading log4j version not specified in POM when building the Project.

2021-12-17 Thread Maarten Mulders (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-7366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461366#comment-17461366
 ] 

Maarten Mulders commented on MNG-7366:
--

Then it is _probably_ downloaded because some plugin needs it. I can't tell you 
if that's the case.

By the way, the fact that Maven downloads a particular JAR is in itself not a 
critical security issue.



[jira] [Commented] (MNG-7366) Maven downloading log4j version not specified in POM when building the Project.

2021-12-17 Thread Srinivasan L (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-7366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17461325#comment-17461325
 ] 

Srinivasan L commented on MNG-7366:
---

[~mthmulders] I checked the dependency tree and didn't find any transitive 
dependency on an older Log4j version. So is there any other way to narrow this 
down, to see where it is getting downloaded from?



[jira] [Commented] (MNG-7366) Maven downloading log4j version not specified in POM when building the Project.

2021-12-16 Thread Maarten Mulders (Jira)


[ 
https://issues.apache.org/jira/browse/MNG-7366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17460542#comment-17460542
 ] 

Maarten Mulders commented on MNG-7366:
--

This is not a bug in Maven. Your project probably has a transitive dependency 
on Log4J 1.x. You can inspect all dependencies with {{mvn dependency:tree}}. In 
the output, look for {{log4j:log4j:1.2.12}} or {{log4j:log4j:1.2.17}} and see 
which dependencies of your project cause this older version to be downloaded.

Be aware that the log file of Maven may also mention downloading plugins and 
their dependencies. Those will not end up in your project build.

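Maarten's two checks above (look for {{log4j:log4j:1.2.12}} in {{mvn dependency:tree}}, and remember that the build log also lists plugin dependencies that never reach the project build), and Srinivasan's question of how to narrow down where a download comes from, as an added example that is not code from the issue or from Maven: the script takes a captured build log and a captured {{dependency:tree}} output, extracts every log4j artifact the build downloaded, and reports for each whether it is part of the project's dependency tree ("project", so it will be packaged and run) or absent from it ("plugin-side", fetched for some plugin's classpath). Both inputs are constructed samples shaped like Maven 3.8.x console output; for a real run pass the contents of {{mvn -B clean package > build.log}} and {{mvn dependency:tree > tree.txt}} instead.

```shell
#!/bin/sh
# Added example, not from the Jira thread or the Maven project: classify the
# log4j artifacts a Maven build downloaded by checking them against the
# project's own dependency tree.

# Constructed sample of a Maven 3.8.x build log (not real output from the issue).
SAMPLE_BUILD_LOG='[INFO] Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-compiler-plugin/3.1/maven-compiler-plugin-3.1.pom
[INFO] Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
[INFO] Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 1.0 kB/s)
[INFO] Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar
[INFO] Downloading from central: https://repo.maven.apache.org/maven2/org/apache/logging/log4j/log4j-core/2.17.0/log4j-core-2.17.0.jar
[INFO] Downloading from central: https://repo.maven.apache.org/maven2/org/apache/logging/log4j/log4j-api/2.17.0/log4j-api-2.17.0.jar'

# Constructed sample of `mvn dependency:tree` output for the same project.
SAMPLE_DEP_TREE='[INFO] com.example:app:jar:1.0-SNAPSHOT
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:2.17.0:compile
[INFO] \- junit:junit:jar:4.13.2:test'

# Turn every "Downloading/Downloaded from <repo>: <url>" line whose artifactId
# contains "log4j" into groupId:artifactId:version, deduplicated (the .pom and
# .jar of one artifact collapse to a single coordinate). Repository layout is
# <groupId with dots as slashes>/<artifactId>/<version>/<file>.
downloaded_log4j_coords() {
  printf '%s\n' "$1" |
    sed -n 's/^\[INFO\] Download[a-z]* from [^:]*: \([^ ]*\).*/\1/p' |
    sed 's#^.*/maven2/##' |
    awk -F/ 'NF >= 4 {
      v = $(NF-1); a = $(NF-2); g = $1
      for (i = 2; i <= NF-3; i++) g = g "." $i
      if (a ~ /log4j/) print g ":" a ":" v
    }' | sort -u
}

# For each downloaded coordinate print "<coord> project" if the dependency tree
# contains it (any packaging type), otherwise "<coord> plugin-side".
classify_downloads() {
  build_log=$1; dep_tree=$2
  downloaded_log4j_coords "$build_log" | while IFS= read -r coord; do
    g=${coord%%:*}; rest=${coord#*:}; a=${rest%%:*}; v=${rest#*:}
    if printf '%s\n' "$dep_tree" | grep -q "[ -]$g:$a:[^:]*:$v:"; then
      printf '%s project\n' "$coord"
    else
      printf '%s plugin-side\n' "$coord"
    fi
  done
}

classify_downloads "$SAMPLE_BUILD_LOG" "$SAMPLE_DEP_TREE"
```

With the sample inputs, {{log4j:log4j:1.2.12}} comes out as plugin-side and the two 2.17.0 artifacts as project, which is exactly the split the thread is about: only the "project" rows end up in what is packaged and run, and only a 1.x entry there would be a real finding. For a plugin-side hit, {{mvn dependency:resolve-plugins}} shows the resolved dependencies of each plugin, which identifies the plugin that pulls the old jar and therefore needs pinning or upgrading.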