I have used maven-dependency-plugin 2.8, which is bringing in log4j 1.2.12.

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-checkstyle-plugin</artifactId>
    <version>${version.maven-checkstyle-plugin}</version>
    <configuration>
        <m2eclipseConfig>
            <!-- To prevent the eclipse-checkstyle-plugin from updating the configured
                 Checkstyle; see reference https://code.google.com/p/m2e-extensions/wiki/Checkstyle -->
            <disable>true</disable>
        </m2eclipseConfig>

        <rules>
            <bannedDependencies>
                <excludes>
                    <exclude>log4j:log4j</exclude>
                </excludes>
            </bannedDependencies>
        </rules>
        <fail>true</fail>
    </configuration>
    <dependencies>
        <dependency>
            <groupId>com.puppycrawl.tools</groupId>
            <artifactId>checkstyle</artifactId>
            <version>6.18</version>
        </dependency>
    </dependencies>
    <executions>
        <execution>
            <!-- The checkstyle goal is tied to the verify phase. When violations
                 are found the build is not broken. Verify stands for: run any checks to verify
                 the package is valid and meets quality criteria. -->
            <phase>verify</phase>
            <goals>
                <goal>checkstyle</goal>
            </goals>
        </execution>
    </executions>
</plugin>

The dependency looks like maven-dependency-plugin:jar:2.8 -> org.apache.maven.shared:maven-common-artifact-filters:jar:1.4 -> org.codehaus.plexus:plexus-container-default:jar:1.5.5 -> org.apache.xbean:xbean-reflect:jar:3.4 -> log4j:log4j:jar:1.2.12

I want to remove log4j coming in from the dependency.

Jens
Ankit Dhar
  • First, why are you using an old version... of maven-dependency-plugin? – khmarbaise Jan 17 '22 at 16:14
  • Apart from that I don't see any dependency of plexus-container-default to xbean nor to log4j... ? – khmarbaise Jan 17 '22 at 17:19
  • Instead of excluding `log4j`, I would rather upgrade the `maven-dependency-plugin` as in [this question](https://stackoverflow.com/q/70473780/11748454). @khmarbaise: version 2.8 is specified in the [Super POM](https://maven.apache.org/ref/3.8.1/maven-model-builder/super-pom.html), most users don't change it. – Piotr P. Karwasz Jan 18 '22 at 05:31
  • @khmarbaise : The newer version of the maven dependency plugin also has the vulnerability. But my question remains the same, is there a way we can restrict the transitive dependency from getting into the repository. – Ankit Dhar Jan 18 '22 at 08:19
  • @PiotrP.Karwasz Best practice: always define particular versions of all used plugins and never rely on predefined ones. – khmarbaise Jan 18 '22 at 08:41
  • First, which vulnerabilities? Second, if the dependencies are used you can't remove them, because they are used. Apart from that, I have written that I don't see any use of log4j in maven-dependency-plugin (neither 2.8 nor newer versions), so I don't understand why you write about a dependency of maven-dependency-plugin on log4j here which does not exist. And more than that, the post shows maven-checkstyle-plugin instead of maven-dependency-plugin, and also uses configurations which do not exist, and you are using a very old version of `com.puppycrawl.tools:checkstyle`. – khmarbaise Jan 18 '22 at 08:47

0 Answers
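An added example (not from the question or from any answer on this page) that addresses both what the question tries to do and the point raised in the comments. `<rules><bannedDependencies>` is configuration for maven-enforcer-plugin and has no effect when placed under maven-checkstyle-plugin; and a plugin's own classpath is managed with a plugin-level `<dependencies>` block, which is where a transitive artifact pulled in by a plugin can be overridden or excluded. The plugin versions, and the choice of `org.apache.xbean:xbean-reflect` as the override point, are assumptions based only on the chain quoted in the question; adjust them to what `mvn dependency:resolve-plugins` (or `mvn -X`, which prints each plugin's resolved classpath) actually reports for your build.

```xml
<build>
    <plugins>
        <!-- 1. Pin the plugin explicitly (the Super POM default is 2.8, as noted in the
             comments) and override the transitive artifact that, per the chain in the
             question, brings in log4j. Declarations here affect only the plugin's
             classpath; the project's own dependency tree is untouched.
             Versions below are assumptions; use current releases. -->
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-dependency-plugin</artifactId>
            <version>3.2.0</version>
            <dependencies>
                <!-- Same coordinates as the artifact in the quoted chain, re-declared
                     with an exclusion so log4j:log4j is not resolved through it. -->
                <dependency>
                    <groupId>org.apache.xbean</groupId>
                    <artifactId>xbean-reflect</artifactId>
                    <version>3.4</version>
                    <exclusions>
                        <exclusion>
                            <groupId>log4j</groupId>
                            <artifactId>log4j</artifactId>
                        </exclusion>
                    </exclusions>
                </dependency>
            </dependencies>
        </plugin>

        <!-- 2. bannedDependencies belongs to maven-enforcer-plugin. Bound to the
             enforce goal (default phase: validate) it fails the build when log4j:log4j
             appears anywhere in the PROJECT's dependency tree, including transitively
             (searchTransitive defaults to true). It does not inspect plugin classpaths,
             so it cannot by itself catch the plugin-side chain from the question. -->
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-enforcer-plugin</artifactId>
            <version>3.0.0</version>
            <executions>
                <execution>
                    <id>ban-log4j-1x</id>
                    <goals>
                        <goal>enforce</goal>
                    </goals>
                    <configuration>
                        <rules>
                            <bannedDependencies>
                                <excludes>
                                    <exclude>log4j:log4j</exclude>
                                </excludes>
                                <message>log4j:log4j (1.x) is banned in this project.</message>
                            </bannedDependencies>
                        </rules>
                        <fail>true</fail>
                    </configuration>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>
```

Two things to check after applying this: first, run `mvn dependency:resolve-plugins` and confirm that `log4j:log4j` no longer appears under maven-dependency-plugin; if the chain the question describes does not exist for the version you pinned (the comments say it does not), the override is simply inert. Second, keep in mind that the enforcer rule and the plugin-level exclusion guard different classpaths: the former protects what ships with your artifact, the latter only what runs inside the build.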