0

I need to exclude the log4j artifact from the shade plug-in to avoid the log4j vulnerability, however, the exclude tag under artifactSet does not seem to work. Any suggestion to fix this?

<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId>
<version>3.2.4</version>
~~
<executions>
   <execution>
      <phase>package</phase>
      <goals>
         <goal>shade</goal>
      </goals>
      <configuration>
         <artifactSet>
            <excludes>
              <exclude>*:log4j-core:jar</exclude>
            </excludes>
         </artifactSet>
~~~

I keep getting below error: Failed to execute goal org.apache.maven.plugins:maven-shade-plugin:3.2.4:shade (default) on project : Execution default of goal org.apache.maven.plugins:maven-shade-plugin:3.2.4:shade failed: Plugin org.apache.maven.plugins:maven-shade-plugin:3.2.4 or one of its dependencies could not be resolved: Could not find artifact org.apache.logging.log4j:log4j-core:jar:2.13.0

Anup
  • 23
  • 8
  • Does [this](https://stackoverflow.com/questions/52221326/maven-shade-plugin-failed-to-execute-goal) help? Or maybe just [change the version](https://stackoverflow.com/questions/54704585/maven-shade-plugin-failed-to-execute-goal)? – The Amateur Coder Jan 22 '22 at 03:19
  • The output looks like you don't even use log4j-core... – khmarbaise Jan 22 '22 at 14:05
  • thanks TheAmateurCoder and khmarbaise for the comments. I tried changing the versions but getting same error. I want to exclude the log4j-core which this plug-in tries to resolve during build time. It throws this error when I run 'mvn install' command/ – Anup Jan 23 '22 at 03:50

1 Answers1

0

I meet the same problem, and finally solved by maven-shade-plugin config. In your case, you want to exclude log4j-core, your filter config must put outside of artifactSet as below.

  1. find log4j-core class path prefix, for example org/slf4j/;

  2. put this class path prefix in filter exclude rule, run cmd mvn package

  3. use vim your-target.jar to check exclude success or not, you will find that org/slf4j has gone.

  4. for more exclude info, pls see https://maven.apache.org/plugins/maven-shade-plugin/examples/includes-excludes.html

            <filter>
               <artifact>*:*</artifact>
               <excludes>
                 <exclude>org/slf4j/**</exclude>
               </excludes>
             </filter>
    
Armstrongya
  • 795
  • 1
  • 6
  • 9