Juraj, I have run this command on your reproducer and in "tmp" I cannot find log4j versions other than 2.17.1

mvn clean install -X -Dmaven.repo.local=tmp > out.txt

Enrico

On Mon, 28 Feb 2022 at 13:52, Juraj Veverka <juraj.veve...@globallogic.com.invalid> wrote:
>
> Hi David
>
> Many thanks for your email, I really appreciate your reply. This is an
> isolated example of the problem.
> https://github.com/jveverka/mvn-dependency-log4j
> You can find all repro steps there. In case of any questions, feel free
> to contact me.
>
> Kind regards
> Juraj Veverka
>
>
> On Mon, Feb 28, 2022 at 12:14 PM David Milet <david.mi...@gmail.com> wrote:
> >
> > Where I work we decided to address log4j vulnerabilities only for
> > components directly used by the application and actually performing logging.
> > We ignored transitive dependencies and maven plug-ins.
> > I'm curious about this use case from Venu though, what application would
> > rely on the maven dependency plugin at runtime? Does it mean you're pulling
> > maven dependencies after application startup?
> >
> > > On Feb 28, 2022, at 03:30, Slawomir Jaranowski <s.jaranow...@gmail.com> wrote:
> > >
> > > Hi,
> > >
> > > Please provide more information, like plugin, Maven, OS version.
> > >
> > > We also need an example project which reproduces your issue.
> > > When we can't reproduce we can't help.
> > >
> > > On Mon, 28 Feb 2022 at 08:55, Jaladi, Venumadhav
> > > <jaladi.venumad...@verizon.com.invalid> wrote:
> > >
> > >> Hi team,
> > >>
> > >> Can I expect any response? Is this the right email address for my
> > >> question?
> > >>
> > >> Thanks,
> > >> Venu
> > >>
> > >>
> > >>> On Thu, Feb 24, 2022 at 6:47 AM Jaladi, Venumadhav <
> > >>> jaladi.venumad...@verizon.com> wrote:
> > >>>
> > >>> Hi team,
> > >>>
> > >>> We are using the Maven Dependency Plugin in one of our projects and our
> > >>> scanning tools are showing multiple vulnerabilities related to Log4j
> > >>> (CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305,
> > >>> CVE-2022-23307 and CVE-2021-4104).
> > >>>
> > >>> We would like to know if there are any plans to release a newer version
> > >>> of Maven Dependency Plugin with the fixes of these
> > >>> vulnerabilities (referring to the latest version of Log4j libraries). If
> > >>> so, is there any planned date for this release?
> > >>>
> > >>> Please let us know if any more information is required.
> > >>>
> > >>> Thanks,
> > >>> Venu
> > >>>
> > >>
> > >
> > > --
> > > Sławomir Jaranowski
> >
> > --
> > Best Regards
>
> --
> Juraj Veverka <https://github.com/jveverka> | Solution Design Architect
> M +421 917 521 285
> www.globallogic.sk <https://www.globallogic.com/sk/>
> http://www.globallogic.com/Disclaimer.htm

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org
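The check Enrico describes (build against an isolated local repository, then look at which log4j versions landed there) can be scripted so that a scanner finding can be confirmed or refuted from the actual artifacts rather than from a plugin's declared dependency tree. The script below is an added example and is not part of this thread or of the Maven project. It assumes only the standard local-repository layout (groupId path / artifactId / version / files), uses 2.17.1 as the minimum acceptable log4j-core version because that is the version Enrico found, and treats any log4j 1.x artifact (log4j:log4j) as flagged since the CVEs Venu lists include 1.x-only issues. The function and fixture names are this example's own, and `make_fixture` builds constructed test data rather than reading the reproducer.

```shell
#!/bin/sh
# Added example (not from the thread): inventory the log4j artifacts that an
# isolated build pulled into a local repository, e.g. the "tmp" directory from
#   mvn clean install -X -Dmaven.repo.local=tmp
# Function and fixture names are this example's own, not Maven's.
set -eu

# Print every log4j artifact found in a local repo as "group:artifact:version".
# Covers log4j 2.x (org.apache.logging.log4j:*) and log4j 1.x (log4j:log4j).
list_log4j_versions() {
    repo="$1"
    for base in "$repo/org/apache/logging/log4j" "$repo/log4j"; do
        [ -d "$base" ] || continue
        for artifact_dir in "$base"/*/; do
            [ -d "$artifact_dir" ] || continue
            artifact=$(basename "$artifact_dir")
            for version_dir in "$artifact_dir"*/; do
                [ -d "$version_dir" ] || continue
                version=$(basename "$version_dir")
                # count a version directory only if it really holds a jar or pom
                found=0
                for f in "$version_dir"*.jar "$version_dir"*.pom; do
                    [ -f "$f" ] && found=1
                done
                [ "$found" = 1 ] || continue
                if [ "$base" = "$repo/log4j" ]; then
                    echo "log4j:$artifact:$version"
                else
                    echo "org.apache.logging.log4j:$artifact:$version"
                fi
            done
        done
    done | sort -u
}

# Numeric comparison of the first three dotted components (qualifiers such as
# "-rc1" are stripped). Returns 0 when $1 < $2, 1 otherwise.
version_lt() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(echo "$a" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(echo "$b" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Flag log4j-core (2.x) and log4j (1.x) artifacts below the minimum version.
# Returns 0 when nothing is flagged, 1 when at least one artifact is.
check_log4j_min() {
    repo="$1"; min="$2"
    bad=0
    for gav in $(list_log4j_versions "$repo"); do
        artifact=$(echo "$gav" | cut -d: -f2)
        version=$(echo "$gav" | cut -d: -f3)
        case "$artifact" in
            log4j-core|log4j)
                if version_lt "$version" "$min"; then
                    echo "FLAGGED: $gav (below $min)"
                    bad=1
                fi ;;
        esac
    done
    return "$bad"
}

# Constructed fixture (invented data): a clean 2.17.1 pair plus a stray
# log4j 1.2.17 jar, laid out the way a local repository would hold them.
make_fixture() {
    dir="$1"
    mkdir -p "$dir/org/apache/logging/log4j/log4j-core/2.17.1" \
             "$dir/org/apache/logging/log4j/log4j-api/2.17.1" \
             "$dir/log4j/log4j/1.2.17"
    : > "$dir/org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.jar"
    : > "$dir/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.pom"
    : > "$dir/log4j/log4j/1.2.17/log4j-1.2.17.jar"
}

# Command-line use: sh log4j_inventory.sh --scan <local-repo-dir> [min-version]
if [ "${1:-}" = "--scan" ]; then
    list_log4j_versions "$2"
    check_log4j_min "$2" "${3:-2.17.1}"
fi
```

Run it against the `tmp` directory left by Enrico's command (`sh log4j_inventory.sh --scan tmp`): the listing shows every log4j version that the build actually resolved, and a non-zero exit means something below the minimum is present. Checking the repository rather than `dependency:tree` output matters here because a transitive 1.x artifact can be pulled in by a plugin without ever appearing in the project's own tree.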