Where I work we decided to address Log4j vulnerabilities only for components directly used by the application and actually performing logging. We ignored transitive dependencies and Maven plug-ins. I'm curious about this use case from Venu though: what application would rely on the Maven Dependency Plugin at runtime? Does it mean you're pulling Maven dependencies after application startup?
> On Feb 28, 2022, at 03:30, Slawomir Jaranowski <s.jaranow...@gmail.com> wrote:
>
> Hi,
>
> Please provide more information, like plugin, maven, os version.
>
> We also need an example project which reproduces your issue.
> When we can't reproduce we can't help.
>
> Mon, 28 Feb 2022 at 08:55 Jaladi, Venumadhav <jaladi.venumad...@verizon.com.invalid> wrote:
>
>> Hi team,
>>
>> Can I expect any response? Is this the right email address for my question?
>>
>> Thanks,
>> Venu
>>
>>
>>> On Thu, Feb 24, 2022 at 6:47 AM Jaladi, Venumadhav <jaladi.venumad...@verizon.com> wrote:
>>>
>>> Hi team,
>>>
>>> We are using the Maven Dependency Plugin in one of our projects and our scanning tools are showing multiple vulnerabilities related to Log4j (CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 and CVE-2021-4104).
>>>
>>> We would like to know if there are any plans to release a newer version of Maven Dependency Plugin with the fixes of these vulnerabilities (referring to the latest version of Log4j libraries). If so, is there any planned date for this release?
>>>
>>> Please let us know if any more information is required.
>>>
>>> Thanks,
>>> Venu
>>>
>>
>
>
> --
> Sławomir Jaranowski