(Note I had originally sent this on Feb 14, but I think it never got posted to the mailing list -- likely because I forgot to subscribe first -- as such, some of the version information may not be "current" as of today).
All:

I'm looking into an issue where we had an old package [1] flagged by security tooling as being present on our build servers in the Maven repository (~/.m2/repository). After a bit of digging, I managed to narrow down where it came from and when it got fetched, and I can reproduce it in a pretty narrow use case as well.

We have a library (jar) that gets built for the purposes of a REST API. This package was generated with some automated tooling, but has been hand-tweaked. However, the specifics of the package do not seem to be that important (other than the tools it uses).

The specific plugin with the transitive dependency on the offending package [1] is "maven-javadoc-plugin" (which likely needs some updates of dependencies, etc., in particular maven-reporting-xxxx, which seem to be the ones that are older).

During our build process, "maven-dependency-plugin" is used with the goal "copy-dependencies" to copy runtime artifacts to the output directory (target/lib) [2]. It does this, and copies in about 15 or so files as expected [3]. None of these files are the "offending" package being flagged by the security tools.

However, if you clean your Maven repository (rm -rf ~/.m2/repository), and run either the build up to and including the dependency copying (e.g. mvn package) [3], or just run "mvn dependency:tree" [4], the offending package gets copied into the local Maven repository (~/.m2/repository).

So, my questions are:

a) Why does maven-dependency-plugin fetch absolutely everything regardless of how far it actually needs to traverse the tree to do the task it's performing? (Or does it really need to traverse the whole tree?)

b) Is there a way to stop this behaviour without either removing the dependency (maven-javadoc-plugin) with the offending dependency [1] from the project, or not using "maven-dependency-plugin"? I have tried some exclusion methods documented for the goals, but they do not seem to change the fetching / tree traversal behaviour.
Thanks,
Robert

== References / Details ==

[1] log4j:log4j:1.2.12

[2]
    <plugin>
      <artifactId>maven-dependency-plugin</artifactId>
      <version>3.6.1</version>
      <executions>
        <execution>
          <phase>package</phase>
          <goals>
            <goal>copy-dependencies</goal>
          </goals>
          <configuration>
            <outputDirectory>${project.build.directory}/lib</outputDirectory>
          </configuration>
        </execution>
      </executions>
    </plugin>

[3]
    $ rm -rf ~/.m2/repository
    $ mvn package
    09:26:55.703 [INFO] Scanning for projects...
    09:26:55.726 [INFO] ...snip...
    09:27:14.083 [INFO]
    09:27:14.083 [INFO] --- dependency:3.6.1:copy-dependencies (default) @ <name-withheld> ---
    Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/doxia/doxia-sink-api/1.11.1/doxia-sink-api-1.11.1.pom
    Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/doxia/doxia-sink-api/1.11.1/doxia-sink-api-1.11.1.pom (1.6 kB at 27 kB/s)
    ...snip...
    Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
    Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 2.1 kB/s)
    ...snip...
    Downloaded from central: https://repo.maven.apache.org/maven2/com/github/luben/zstd-jni/1.5.5-5/zstd-jni-1.5.5-5.jar (5.9 MB at 3.7 MB/s)
    09:27:28.043 [INFO] com.google.code.findbugs:jsr305:jar:3.0.2 already exists in destination.
    09:27:28.043 [INFO] org.apache.httpcomponents.client5:httpclient5:jar:5.2.1 already exists in destination.
    09:27:28.043 [INFO] org.apache.httpcomponents.core5:httpcore5:jar:5.2 already exists in destination.
    09:27:28.043 [INFO] org.apache.httpcomponents.core5:httpcore5-h2:jar:5.2 already exists in destination.
    09:27:28.043 [INFO] org.slf4j:slf4j-api:jar:1.7.36 already exists in destination.
    09:27:28.043 [INFO] com.fasterxml.jackson.core:jackson-core:jar:2.15.2 already exists in destination.
    09:27:28.043 [INFO] com.fasterxml.jackson.core:jackson-annotations:jar:2.15.2 already exists in destination.
    09:27:28.043 [INFO] com.fasterxml.jackson.core:jackson-databind:jar:2.15.2 already exists in destination.
    09:27:28.043 [INFO] com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.15.2 already exists in destination.
    09:27:28.043 [INFO] com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.15.2 already exists in destination.
    09:27:28.043 [INFO] com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.15.2 already exists in destination.
    09:27:28.043 [INFO] jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3 already exists in destination.
    09:27:28.043 [INFO] jakarta.activation:jakarta.activation-api:jar:1.2.2 already exists in destination.
    09:27:28.043 [INFO] com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.15.2 already exists in destination.
    09:27:28.043 [INFO] jakarta.annotation:jakarta.annotation-api:jar:1.3.5 already exists in destination.
    09:27:28.043 [INFO] junit:junit:jar:4.13.2 already exists in destination.
    09:27:28.043 [INFO] org.hamcrest:hamcrest-core:jar:1.3 already exists in destination.
    09:27:28.043 [INFO] ...snip...

[4]
    $ rm -rf ~/.m2/repository
    $ mvn dependency:tree
    09:24:23.287 [INFO] Scanning for projects...
    Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-compiler-plugin/3.12.1/maven-compiler-plugin-3.12.1.pom
    Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-compiler-plugin/3.12.1/maven-compiler-plugin-3.12.1.pom (9.7 kB at 24 kB/s)
    ...snip...
    Downloading from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
    Downloaded from central: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 2.4 kB/s)
    ...snip...
    09:24:46.340 [INFO] <name-withheld>:jar:3.13.0-SNAPSHOT
    09:24:46.340 [INFO] +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
    09:24:46.340 [INFO] +- org.apache.httpcomponents.client5:httpclient5:jar:5.2.1:compile
    09:24:46.340 [INFO] |  +- org.apache.httpcomponents.core5:httpcore5:jar:5.2:compile
    09:24:46.340 [INFO] |  +- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.2:compile
    09:24:46.340 [INFO] |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
    09:24:46.340 [INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.15.2:compile
    09:24:46.340 [INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.15.2:compile
    09:24:46.340 [INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
    09:24:46.340 [INFO] +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.15.2:compile
    09:24:46.340 [INFO] |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.15.2:compile
    09:24:46.340 [INFO] |  \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.15.2:compile
    09:24:46.340 [INFO] |     +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
    09:24:46.340 [INFO] |     \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile
    09:24:46.340 [INFO] +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.15.2:compile
    09:24:46.340 [INFO] +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:provided
    09:24:46.340 [INFO] \- junit:junit:jar:4.13.2:test
    09:24:46.340 [INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
    09:24:46.340 [INFO] ------------------------------------------------------------------------
    09:24:46.340 [INFO] BUILD SUCCESS
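Added example (not part of Robert's post, and not Maven's or the dependency plugin's own code): a small Python audit of a local Maven repository that answers the question a security reviewer asks first when a scanner flags a coordinate under ~/.m2/repository, namely whether a version directory holds only the POM (metadata pulled while the dependency graph was being resolved, as the log lines above show for log4j-1.2.12.pom) or the jar as well. It walks the standard layout (groupId segments as directories, then artifactId, then version), ignores resolver bookkeeping such as checksums and .lastUpdated files, and reads Maven Resolver's _remote.repositories marker file (lines of the form filename>repoId=) to report which remote each file came from. The repository built by build_sample_repo(), its file contents and the function names are constructed for this example; point find_artifact() at a real ~/.m2/repository to audit a build server.

```python
"""Audit a Maven local repository for a flagged groupId:artifactId[:version].

Added example; the sample repository below is constructed, not captured
from a real build server.
"""
import tempfile
from pathlib import Path

# Coordinates audited by audit_sample(); the first two match the post's [1].
COORDS = ("log4j:log4j", "log4j:log4j:1.2.12", "org.slf4j:slf4j-api", "junit:junit")


def read_remote_markers(version_dir):
    """Parse _remote.repositories: one 'filename>repoId=' line per fetched file."""
    marker = version_dir / "_remote.repositories"
    origins = {}
    if not marker.is_file():
        return origins
    for line in marker.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ">" not in line:
            continue
        filename, rest = line.split(">", 1)
        origins[filename] = rest.rstrip("=")
    return origins


def find_artifact(repo_root, coordinate):
    """Return {version: {"pom": bool, "jar": bool, "files": [...], "origins": {...}}}.

    coordinate is groupId:artifactId or groupId:artifactId:version.
    """
    parts = coordinate.split(":")
    if len(parts) not in (2, 3):
        raise ValueError(f"expected groupId:artifactId[:version], got {coordinate!r}")
    group, artifact = parts[0], parts[1]
    wanted = parts[2] if len(parts) == 3 else None
    base = Path(repo_root).joinpath(*group.split("."), artifact)
    found = {}
    if not base.is_dir():
        return found
    for vdir in sorted(base.iterdir()):
        if not vdir.is_dir() or (wanted and vdir.name != wanted):
            continue
        # Only the artifact files matter; .sha1, .lastUpdated etc. are resolver bookkeeping.
        files = sorted(p.name for p in vdir.iterdir()
                       if p.is_file() and p.suffix in (".pom", ".jar"))
        found[vdir.name] = {
            "pom": f"{artifact}-{vdir.name}.pom" in files,
            "jar": f"{artifact}-{vdir.name}.jar" in files,
            "files": files,
            "origins": read_remote_markers(vdir),
        }
    return found


def classify(entry):
    """Verdict for one version directory."""
    if entry["jar"]:
        return "binary present"
    if entry["pom"]:
        return "pom only (metadata resolved, no jar downloaded)"
    return "no pom or jar"


def build_sample_repo(root):
    """Constructed sample: log4j 1.2.12 pom only, 1.2.17 pom+jar, slf4j-api jar only."""
    root = Path(root)

    def put(relpath, content="x"):
        p = root / relpath
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)

    put("log4j/log4j/1.2.12/log4j-1.2.12.pom", "<project/>")
    put("log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1")
    put("log4j/log4j/1.2.12/_remote.repositories",
        "#NOTE: constructed marker file\nlog4j-1.2.12.pom>central=\n")
    put("log4j/log4j/1.2.17/log4j-1.2.17.pom", "<project/>")
    put("log4j/log4j/1.2.17/log4j-1.2.17.jar")
    put("log4j/log4j/1.2.17/_remote.repositories",
        "log4j-1.2.17.pom>central=\nlog4j-1.2.17.jar>central=\n")
    put("org/slf4j/slf4j-api/1.7.36/slf4j-api-1.7.36.jar")
    return root


def audit_sample():
    """Build the constructed repository in a temp dir and audit COORDS against it."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = build_sample_repo(tmp)
        return {coord: find_artifact(repo, coord) for coord in COORDS}


if __name__ == "__main__":
    for coord, hits in audit_sample().items():
        if not hits:
            print(f"{coord}: not in local repository")
        for version, entry in hits.items():
            origin = ", ".join(f"{f} from {r}" for f, r in entry["origins"].items()) \
                or "no _remote.repositories marker"
            print(f"{coord} {version}: {classify(entry)}; {origin}")
```

A "pom only" result means the resolver read the artifact's metadata to build the graph but never fetched the binary, which is a different finding from a jar that could be loaded at runtime; most scanners do not make that distinction, so it is worth recording with the ticket.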