Hello,

Can confirm this project downloads log4j 1.12.12 for me.

    rm -rf ~/.m2/repository/log4j/log4j
    sudo chown root:root ~/.m2/repository/log4j/log4j

    [ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.2.0:copy (copy-artifact) on project demo: Execution copy-artifact of goal org.apache.maven.plugins:maven-dependency-plugin:3.2.0:copy failed: Plugin org.apache.maven.plugins:maven-dependency-plugin:3.2.0 or one of its dependencies could not be resolved: Failed to collect dependencies at org.apache.maven.plugins:maven-dependency-plugin:jar:3.2.0 -> org.apache.maven.reporting:maven-reporting-impl:jar:3.0.0 -> org.apache.maven.doxia:doxia-site-renderer:jar:1.7.4 -> org.apache.velocity:velocity-tools:jar:2.0 -> commons-digester:commons-digester:jar:1.8 -> commons-logging:commons-logging:jar:1.1 -> log4j:log4j:jar:1.2.12: Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:

So the dependency chain seems to be:

    org.apache.maven.plugins:maven-dependency-plugin:jar:3.2.0
    -> org.apache.maven.reporting:maven-reporting-impl:jar:3.0.0
    -> org.apache.maven.doxia:doxia-site-renderer:jar:1.7.4
    -> org.apache.velocity:velocity-tools:jar:2.0
    -> commons-digester:commons-digester:jar:1.8
    -> commons-logging:commons-logging:jar:1.1
    -> log4j:log4j:jar:1.2.12

Regards

On Mon, 28 Feb 2022 at 13:52, Juraj Veverka <juraj.veve...@globallogic.com.invalid> wrote:
>
> Hi David
>
> Many thanks for your email, I really appreciate your reply. This is an
> isolated example of the problem.
> https://github.com/jveverka/mvn-dependency-log4j
> You can find all repro steps there. In case of any questions, feel free
> to contact me.
>
> Kind regards
> Juraj Veverka
>
> On Mon, Feb 28, 2022 at 12:14 PM David Milet <david.mi...@gmail.com> wrote:
> >
> > Where I work we decided to address log4j vulnerabilities only for
> > components directly used by the application and actually performing logging.
> > We ignored transitive dependencies and maven plug-ins.
> >
> > I’m curious about this use case from Venu though, what application would
> > rely on the maven dependency plugin at runtime? Does it mean you’re pulling
> > maven dependencies after application startup?
> >
> > On Feb 28, 2022, at 03:30, Slawomir Jaranowski <s.jaranow...@gmail.com> wrote:
> > >
> > > Hi,
> > >
> > > Please provide more information, like plugin, maven, os version.
> > >
> > > We also need an example project which reproduces your issue.
> > > When we can't reproduce we can't help.
> > >
> > > On Mon, 28 Feb 2022 at 08:55, Jaladi, Venumadhav
> > > <jaladi.venumad...@verizon.com.invalid> wrote:
> > >
> > >> Hi team,
> > >>
> > >> Can I expect any response? Is this the right email address for my
> > >> question?
> > >>
> > >> Thanks,
> > >> Venu
> > >>
> > >> On Thu, Feb 24, 2022 at 6:47 AM Jaladi, Venumadhav <
> > >> jaladi.venumad...@verizon.com> wrote:
> > >>>
> > >>> Hi team,
> > >>>
> > >>> We are using the Maven Dependency Plugin in one of our projects and our
> > >>> scanning tools are showing multiple vulnerabilities related to Log4j
> > >>> (CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305,
> > >>> CVE-2022-23307 and CVE-2021-4104).
> > >>>
> > >>> We would like to know if there are any plans to release a newer version
> > >>> of Maven Dependency Plugin with the fixes of these
> > >>> vulnerabilities (referring to the latest version of Log4j libraries). If
> > >>> so, is there any planned date for this release?
> > >>>
> > >>> Please let us know if any more information is required.
> > >>>
> > >>> Thanks,
> > >>> Venu
> > >>>
> > >>
> > >
> > > --
> > > Sławomir Jaranowski
> >
> > --
> > Best Regards
>
> --
> Juraj Veverka <https://github.com/jveverka> | Solution Design Architect
> www.globallogic.sk
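As an added example (not from the thread or any of its participants), the following Python script parses the Maven "Failed to collect dependencies at A -> B -> C" chain quoted above, reports which hop is the Log4j 1.x artifact and which dependency declared it (the one to exclude or upgrade), and filters a list of local-repository file paths down to cached Log4j 1.x jars. The sample error text is the message from the thread, shortened; the path list, the `find_log4j1` and `log4j1_jars` helper names and the `<repo>/log4j/log4j/<version>/log4j-<version>.jar` layout assumption are constructed for this example.

```python
"""Locate where a Log4j 1.x artifact enters a Maven dependency chain and spot
cached Log4j 1.x jars in a local repository (added example, not thread code).

Assumptions: Maven's "Failed to collect dependencies at A -> B -> C" message
format, and the standard local-repository layout
<repo>/log4j/log4j/<version>/log4j-<version>.jar.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Error text quoted in the thread, shortened ("...") to the part we parse.
SAMPLE_ERROR = (
    "[ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.2.0:copy "
    "(copy-artifact) on project demo: ... Failed to collect dependencies at "
    "org.apache.maven.plugins:maven-dependency-plugin:jar:3.2.0 -> "
    "org.apache.maven.reporting:maven-reporting-impl:jar:3.0.0 -> "
    "org.apache.maven.doxia:doxia-site-renderer:jar:1.7.4 -> "
    "org.apache.velocity:velocity-tools:jar:2.0 -> "
    "commons-digester:commons-digester:jar:1.8 -> "
    "commons-logging:commons-logging:jar:1.1 -> "
    "log4j:log4j:jar:1.2.12: Failed to read artifact descriptor for log4j:log4j:jar:1.2.12"
)

# Log4j 1.x is published as log4j:log4j; Log4j 2.x lives under org.apache.logging.log4j.
LOG4J1_GA = "log4j:log4j"


@dataclass(frozen=True)
class Coordinate:
    group_id: str
    artifact_id: str
    packaging: str
    version: str

    @property
    def ga(self) -> str:
        return f"{self.group_id}:{self.artifact_id}"

    def __str__(self) -> str:
        return f"{self.group_id}:{self.artifact_id}:{self.packaging}:{self.version}"


# groupId:artifactId:packaging:version, as Maven prints each hop of the chain
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):([\w.\-]+):([\w.\-]+)")
# the hop list ends where Maven appends the next "Failed to read ..." cause
CHAIN_RE = re.compile(r"Failed to collect dependencies at (.+?)(?::\s+Failed to read|$)")


def parse_chain(error_text: str) -> List[Coordinate]:
    """Extract the 'A -> B -> C' hop list from a Maven resolution error."""
    m = CHAIN_RE.search(error_text)
    if m is None:
        return []
    hops = []
    for hop in m.group(1).split(" -> "):
        cm = COORD_RE.fullmatch(hop.strip().rstrip(":"))
        if cm is None:
            raise ValueError(f"unrecognised coordinate in chain: {hop!r}")
        hops.append(Coordinate(*cm.groups()))
    return hops


def find_log4j1(chain: List[Coordinate]) -> Optional[Tuple[Coordinate, Optional[Coordinate]]]:
    """Return (Log4j 1.x coordinate, the hop that declared it), or None.

    The preceding hop is the dependency whose POM pulls log4j in; that is
    where an exclusion or upgrade has to go, not the plugin at the root."""
    for i, c in enumerate(chain):
        if c.ga == LOG4J1_GA and c.version.startswith("1."):
            return c, (chain[i - 1] if i > 0 else None)
    return None


# <repo>/log4j/log4j/1.x.y/log4j-1.x.y.jar (either path separator)
LOG4J1_JAR_RE = re.compile(r"(?:^|[/\\])log4j[/\\]log4j[/\\](1\.[\w.\-]+)[/\\]log4j-\1\.jar$")


def log4j1_jars(paths: Iterable[str]) -> List[str]:
    """Filter file paths down to cached Log4j 1.x jars in local-repository
    layout, whichever build (plugin or project) cached them."""
    return sorted(p for p in paths if LOG4J1_JAR_RE.search(p))


if __name__ == "__main__":
    hit = find_log4j1(parse_chain(SAMPLE_ERROR))
    if hit is not None:
        print(f"{hit[0]} is pulled in by {hit[1]}")
    # Inspect the real local repository, if one exists on this machine.
    cache = Path.home() / ".m2" / "repository" / "log4j" / "log4j"
    if cache.is_dir():
        for jar in log4j1_jars(str(p) for p in cache.rglob("*.jar")):
            print("cached:", jar)
```

Run without arguments it reports `log4j:log4j:jar:1.2.12 is pulled in by commons-logging:commons-logging:jar:1.1` for the thread's error text, then lists any Log4j 1.x jars already cached under `~/.m2`. The chain parser is only as good as Maven's message format; a chain it cannot parse raises rather than silently returning a partial path.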