Adding Juraj back in the chain as I see that he is removed.

Juraj,
Can you please look at the below 6 emails in this chain?

Thanks,
Venu

On Thu, Mar 3, 2022 at 3:07 AM John Patrick <nhoj.patr...@gmail.com> wrote:

> Sorry I thought you were talking about log4j v2, not v1. I can see it
> downloads the metadata about the project but none of the jars;
> local-repo/log4j
> local-repo/log4j/log4j
> local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
> local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
> local-repo/log4j
> local-repo/log4j/log4j
> local-repo/log4j/log4j/1.2.12
> local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
> local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
> local-repo/log4j/log4j/1.2.12/_remote.repositories
>
> So I would still say false positive, as the jar is not actually used.
>
> But looking at the dependency tree it would need the apache commons to
> update commons-logging:commons-logging, then
> commons-digester:commons-digester then org.apache.velocity:velocity-tools,
> then it gets to the 1st dependency within the maven ecosystem.
> So 5 ish patches to 5 separate projects to upgrade, test and release, each
> before the next PR can progress.
>
> John
>
>
> On Thu, 3 Mar 2022 at 07:53, Thomas Matthijs <li...@selckin.be> wrote:
>
>> That was just to demonstrate how I got the dependency chain, that file
>> was there, but if you're going to be this hostile, I'm not interested
>> anymore, muting thread
>>
>> On Thu, 3 Mar 2022 at 08:48, Piotr Żygieło <piotr.zygi...@gmail.com>
>> wrote:
>> >
>> > On Thu, 3 Mar 2022 at 08:37, Thomas Matthijs <li...@selckin.be> wrote:
>> > >
>> > > Can confirm this project downloads log4j 1.12.12 for me
>> >
>> > As I see it - you confirm something else.
>> >
>> > > Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
>> >
>> > Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
>> > _artifact descriptor_
>> >
>> > --
>> > Piotrek
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
>> > For additional commands, e-mail: dev-h...@maven.apache.org
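
The distinction argued over in this thread (a POM descriptor being fetched versus the jar itself being fetched) can be checked mechanically against a local repository. The following is an added example, not code from any participant or from the Maven project; it assumes the standard `group/artifact/version/artifact-version.ext` repository layout, and the `com.example:demo-lib` entry and all function names are hypothetical.

```python
import os
import tempfile
from collections import defaultdict

def classify_local_repo(repo_root):
    """Return {'group:artifact:version': 'jar-present' | 'pom-only'}."""
    seen = defaultdict(set)
    for dirpath, _dirs, files in os.walk(repo_root):
        parts = os.path.relpath(dirpath, repo_root).split(os.sep)
        if len(parts) < 3:
            continue  # need at least group/artifact/version
        *group, artifact, version = parts
        prefix = f"{artifact}-{version}"
        for name in files:
            # Checksums (.pom.sha1) and _remote.repositories are ignored:
            # only the descriptor and the binary itself are evidence.
            if name.startswith(prefix) and name.endswith((".jar", ".pom")):
                ext = name.rsplit(".", 1)[1]
                seen[(".".join(group), artifact, version)].add(ext)
    return {
        ":".join(gav): ("jar-present" if "jar" in exts else "pom-only")
        for gav, exts in seen.items()
    }

def build_sample_repo(root):
    """Constructed sample: the log4j files listed in the thread, plus a
    hypothetical artifact whose jar was downloaded, for contrast."""
    layout = {
        "log4j/log4j/1.2.12": [
            "log4j-1.2.12.pom",
            "log4j-1.2.12.pom.sha1",
            "_remote.repositories",
        ],
        "com/example/demo-lib/1.0": ["demo-lib-1.0.pom", "demo-lib-1.0.jar"],
    }
    for rel_dir, names in layout.items():
        path = os.path.join(root, *rel_dir.split("/"))
        os.makedirs(path)
        for name in names:
            open(os.path.join(path, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        for gav, state in sorted(classify_local_repo(tmp).items()):
            print(f"{state:12} {gav}")
```

A `pom-only` result describes only the local repository that was scanned; it does not show what a different build or plugin configuration would resolve.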