Hi David

Just for clarification: we are not relying on the maven dependency plugin
at runtime. Our runtime is perfectly clear of log4j vulnerabilities.
The problem is that our security scanners are scanning gitlab runner nodes
(virtual machines on which we compile and package our application) and
log4j vulnerability is found there.

Kind regards
Juraj Veverka

On Mon, Feb 28, 2022 at 1:32 PM Juraj Veverka <juraj.veve...@globallogic.com>
wrote:

> Hi David
>
> Many thanks for your email, I really appreciate your reply. This is an
> isolated example of the problem.
> https://github.com/jveverka/mvn-dependency-log4j
> You can find all repro steps there. In case of any questions, feel free
> to contact me.
>
> Kind regards
> Juraj Veverka
>
>
>
> On Mon, Feb 28, 2022 at 12:14 PM David Milet <david.mi...@gmail.com>
> wrote:
>
>> Where I work we decided to address log4j vulnerabilities only for
>> components directly used by the application and actually performing logging.
>> We ignored transitive dependencies and maven plug-ins.
>> I’m curious about this use case from Venu though, what application would
>> rely on the maven dependency plugin at runtime? Does it mean you’re pulling
>> maven dependencies after application startup?
>>
>> > On Feb 28, 2022, at 03:30, Slawomir Jaranowski <s.jaranow...@gmail.com>
>> wrote:
>> >
>> > Hi,
>> >
>> > Please provide more information, like plugin, maven, os version.
>> >
>> > We also need an example project which reproduces your issue.
>> > When we can't reproduce we can't help.
>> >
>> > Mon., 28 Feb 2022 at 08:55 Jaladi, Venumadhav
>> > <jaladi.venumad...@verizon.com.invalid> wrote:
>> >
>> >> Hi team,
>> >>
>> >> Can I expect any response? Is this the right email address for my
>> >> question?
>> >>
>> >> Thanks,
>> >> Venu
>> >>
>> >>
>> >>> On Thu, Feb 24, 2022 at 6:47 AM Jaladi, Venumadhav <
>> >>> jaladi.venumad...@verizon.com> wrote:
>> >>>
>> >>> Hi team,
>> >>>
>> >>> We are using the Maven Dependency Plugin in one of our projects and
>> >>> our scanning tools are showing multiple vulnerabilities related to Log4j
>> >>> (CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305,
>> >>> CVE-2022-23307 and CVE-2021-4104).
>> >>>
>> >>> We would like to know if there are any plans to release a newer
>> >>> version of Maven Dependency Plugin with the fixes of these
>> >>> vulnerabilities (referring to the latest version of Log4j libraries). If
>> >>> so, is there any planned date for this release?
>> >>>
>> >>> Please let us know if any more information is required.
>> >>>
>> >>> Thanks,
>> >>> Venu
>> >>>
>> >>
>> >
>> >
>> > --
>> > Sławomir Jaranowski
>>
>>
>

-- 
Best Regards

Juraj Veverka <https://github.com/jveverka> | Solution Design Architect
M +421 917 521 285
www.globallogic.sk <https://www.globallogic.com/sk/>
<https://www.facebook.com/GlobalLogicSlovakia>
<https://twitter.com/GlobalLogic_SR>
<https://www.linkedin.com/company/9409064/admin/>
<https://www.youtube.com/channel/UClazQeLF6Oas1ZVs-Iaq2Bg>
<https://www.instagram.com/globallogic_slovakia/>
http://www.globallogic.com/Disclaimer.htm
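The distinction Juraj draws in this thread (log4j 1.x sitting in a build agent's Maven cache because a plugin pulled it in, versus log4j on the application's runtime classpath) is exactly the question a scanner finding has to be triaged against. The script below is an added example for this thread, not code from the Maven project or from any of the posters. It assumes, as constructed input, a list of jar paths a filesystem scanner flagged on a GitLab runner VM and the text printed by `mvn dependency:list` for the application module; it derives Maven coordinates from the local-repository path layout, looks them up in the dependency list, and reports whether each finding needs fixing in the application or only in the build tooling.

```python
"""Triage of log4j scanner findings on a build agent versus the application's
runtime classpath.

Added example for this thread, not code from the Maven project or from any of
the posters.  Assumptions (all constructed): the scanner reports absolute jar
paths it found on a GitLab runner VM, and the project's dependency list is the
text printed by `mvn dependency:list`.
"""
import re
from pathlib import PurePosixPath

# Constructed sample: jar paths a filesystem scanner might flag on a runner VM.
# The first one is log4j 1.2.17 sitting in the local repository cache, which is
# where a Maven plugin's own dependencies end up.
SCANNER_FINDINGS = [
    "/home/gitlab-runner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar",
    "/home/gitlab-runner/.m2/repository/org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.jar",
    "/home/gitlab-runner/.m2/repository/junit/junit/4.13.2/junit-4.13.2.jar",
    "/opt/tools/some-scanner/lib/helper.jar",
]

# Constructed sample of `mvn dependency:list` output for the application module.
DEPENDENCY_LIST_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.2.0:list (default-cli) @ demo-app ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO]    junit:junit:jar:4.13.2:test
[INFO]
"""

# Scopes that end up on the application's runtime classpath.
RUNTIME_SCOPES = {"compile", "runtime"}

# Log4j 1.x CVEs named in the thread; they apply to the log4j:log4j 1.2.x artifact.
LOG4J1_CVES = ("CVE-2019-17571", "CVE-2020-9488", "CVE-2021-4104",
               "CVE-2022-23302", "CVE-2022-23305", "CVE-2022-23307")

# Dependency lines are indented by several spaces after the [INFO] prefix;
# newer plugin versions may append " -- module ..." after the scope, which the
# non-greedy capture of the first token ignores.
DEP_LINE = re.compile(r"^\[INFO\]\s{3,}(\S+)")


def parse_dependency_list(text):
    """Map (groupId, artifactId, version) -> scope from dependency:list output.
    Accepts g:a:type:version:scope and g:a:type:classifier:version:scope."""
    deps = {}
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        if len(parts) == 5:
            group, artifact, _type, version, scope = parts
        elif len(parts) == 6:
            group, artifact, _type, _classifier, version, scope = parts
        else:
            continue
        deps[(group, artifact, version)] = scope
    return deps


def coordinates_from_repo_path(path):
    """Recover (groupId, artifactId, version) from a jar inside a Maven local
    repository: .../repository/<group dirs>/<artifact>/<version>/<file>.
    Returns None when the path does not follow that layout."""
    parts = PurePosixPath(path).parts
    repo_indexes = [i for i, p in enumerate(parts) if p == "repository"]
    if not repo_indexes:
        return None
    rel = parts[repo_indexes[-1] + 1:]
    if len(rel) < 4:
        return None
    *group_dirs, artifact, version, _filename = rel
    return (".".join(group_dirs), artifact, version)


def is_log4j1(coords):
    """True for the log4j:log4j 1.x artifact that the listed CVEs concern."""
    group, artifact, version = coords
    return group == "log4j" and artifact == "log4j" and version.startswith("1.")


def triage(findings, deps):
    """Classify each flagged jar as 'runtime' (on the app classpath, remediate
    in the application), 'build-agent-only' (only in the runner's cache or in
    a non-runtime scope, remediate in the build tooling) or 'unknown-layout'."""
    report = []
    for path in findings:
        coords = coordinates_from_repo_path(path)
        scope = deps.get(coords) if coords else None
        if coords is None:
            classification = "unknown-layout"
        elif scope in RUNTIME_SCOPES:
            classification = "runtime"
        else:
            classification = "build-agent-only"
        report.append({
            "path": path,
            "coordinates": coords,
            "scope": scope,
            "classification": classification,
            "log4j1_cves": LOG4J1_CVES if coords and is_log4j1(coords) else (),
        })
    return report


if __name__ == "__main__":
    for entry in triage(SCANNER_FINDINGS, parse_dependency_list(DEPENDENCY_LIST_OUTPUT)):
        print(f"{entry['classification']:17} {entry['coordinates']} "
              f"{' '.join(entry['log4j1_cves'])}")
```

On a real project the dependency list comes from `mvn dependency:list` (optionally with `-DincludeScope=runtime`, which already drops test and provided scope); the parser keeps the scope column so that test-only artifacts in the runner's cache are not reported as runtime exposure. The classification answers where the remediation belongs, not whether the scanner finding can be ignored: a jar that is build-agent-only is still what the scanner policy sees on the VM, so the fix there is on the build tooling side (a plugin release without the log4j 1.x dependency, as asked for in the thread, or a cleaned build-agent cache), while a runtime hit is fixed in the application.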
