Maven shade plugin does not exclude an artifact

Question

I need to exclude the log4j artifact from the shade plug-in to avoid the log4j vulnerability, however, the exclude tag under artifactSet does not seem to work. Any suggestion to fix this?

<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId>
<version>3.2.4</version>
~~
<executions>
   <execution>
      <phase>package</phase>
      <goals>
         <goal>shade</goal>
      </goals>
      <configuration>
         <artifactSet>
            <excludes>
              <exclude>*:log4j-core:jar</exclude>
            </excludes>
         </artifactSet>
~~~

I keep getting below error: Failed to execute goal org.apache.maven.plugins:maven-shade-plugin:3.2.4:shade (default) on project : Execution default of goal org.apache.maven.plugins:maven-shade-plugin:3.2.4:shade failed: Plugin org.apache.maven.plugins:maven-shade-plugin:3.2.4 or one of its dependencies could not be resolved: Could not find artifact org.apache.logging.log4j:log4j-core:jar:2.13.0

Answer 1

I meet the same problem, and finally solved by maven-shade-plugin config. In your case, you want to exclude log4j-core, your filter config must put outside of artifactSet as below.

1. find log4j-core class path prefix, for example org/slf4j/;

2. put this class path prefix in filter exclude rule, run cmd mvn package

3. use vim your-target.jar to check exclude success or not, you will find that org/slf4j has gone.

4. for more exclude info, pls see https://maven.apache.org/plugins/maven-shade-plugin/examples/includes-excludes.html

           <filter>
              <artifact>*:*</artifact>
              <excludes>
                <exclude>org/slf4j/**</exclude>
              </excludes>
            </filter>