This appears to be plugin dependencies though, not project dependencies. The issue should really be raised with whatever plugin is causing it to be used. My recollection is that Maven itself hasn’t used Log4j in quite some time for logging.
Ralph

> On Mar 3, 2022, at 8:21 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
>
> Also note that in log4j 2.17.2 that was released a few days ago, I added
> many improvements to the log4j-1.2-api module which aims to provide
> compatibility with 1.2.
>
> Gary
>
> On Thu, Mar 3, 2022, 08:37 Bernd Eckenfels <e...@zusammenkunft.net> wrote:
>
>> All of the (known) remaining log4j1.x security bugs (none of which are as
>> severe as log4shell) are fixed in reload4j 1.2.18+. If you need to stick
>> with 1.2 you should use that. Otherwise you can try to migrate to the log4j
>> bridge; its compatibility was increased in 2.17.2 or 2.12.4.
>>
>> Regards
>> Bernd
>> --
>> http://bernd.eckenfels.net
>> ________________________________
>> From: Martin Gainty <mgai...@hotmail.com>
>> Sent: Thursday, March 3, 2022 1:18:50 PM
>> To: Maven Developers List <dev@maven.apache.org>
>> Cc: David Milet <david.mi...@gmail.com>; iss...@maven.apache.org <iss...@maven.apache.org>; VZ-Product-OneTalk <vz-product-onet...@verizon.com>; Danylo Volokh <danylo.vol...@globallogic.com>
>> Subject: RE: Maven Dependency Plugin - Log4j vulnerabilities
>>
>> I *thought* log4j 1.2.15 had the patch to mitigate the JNDI Security
>> Vulnerability?
>> Is this not the case?
>> Thanks John
>> M.
>>
>> Sent from my Verizon, Samsung Galaxy smartphone
>>
>> -------- Original message --------
>> From: John Patrick <nhoj.patr...@gmail.com>
>> Date: 3/3/22 4:07 AM (GMT-05:00)
>> To: Maven Developers List <dev@maven.apache.org>
>> Cc: David Milet <david.mi...@gmail.com>, iss...@maven.apache.org, VZ-Product-OneTalk <vz-product-onet...@verizon.com>, Danylo Volokh <danylo.vol...@globallogic.com>
>> Subject: Re: Maven Dependency Plugin - Log4j vulnerabilities
>>
>> Sorry I thought you were talking about log4j v2, not v1.
>> I can see it downloads the metadata about the project but none of the jars;
>> local-repo/log4j
>> local-repo/log4j/log4j
>> local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
>> local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
>> local-repo/log4j
>> local-repo/log4j/log4j
>> local-repo/log4j/log4j/1.2.12
>> local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
>> local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
>> local-repo/log4j/log4j/1.2.12/_remote.repositories
>>
>> So I would still say false positive, as the jar is not actually used.
>>
>> But looking at the dependency tree it would need the apache commons to
>> update commons-logging:commons-logging, then
>> commons-digester:commons-digester, then org.apache.velocity:velocity-tools,
>> then it gets to the 1st dependency within the maven ecosystem.
>> So 5 ish patches to 5 separate projects to upgrade, test and release, each
>> before the next PR can progress.
>>
>> John
>>
>> On Thu, 3 Mar 2022 at 07:53, Thomas Matthijs <li...@selckin.be> wrote:
>>
>>> That was just to demonstrate how I got the dependency chain, that file
>>> was there, but if you're going to be this hostile, I'm not interested
>>> anymore, muting thread
>>>
>>> On Thu, 3 Mar 2022 at 08:48, Piotr Żygieło <piotr.zygi...@gmail.com> wrote:
>>>>
>>>> On Thu, 3 Mar 2022 at 08:37, Thomas Matthijs <li...@selckin.be> wrote:
>>>>>
>>>>> Can confirm this project downloads log4j 1.12.12 for me
>>>>
>>>> As I see it - you confirm something else.
>>>>
>>>>> Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
>>>>
>>>> Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
>>>> _artifact descriptor_
>>>>
>>>> --
>>>> Piotrek
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
>>>> For additional commands, e-mail: dev-h...@maven.apache.org
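As an added example (not code from this thread or from Maven itself), the check John did by hand against his local repository, written as a small Python script: walk the standard local-repository layout and tell apart versions where only the POM (the artifact descriptor Piotr points at) was resolved from versions where the jar was actually fetched. It assumes the usual `groupId-as-path/artifactId/version/artifactId-version.{pom,jar}` layout; the sample repository it builds is constructed to mirror the 1.2.12 listing quoted above, plus a constructed 1.2.17 directory with a jar for contrast.

```python
"""Tell pom-only (descriptor resolved) Maven artifacts apart from ones whose
jar was actually downloaded, by inspecting a local repository on disk.

Added example, not Maven's own code. Assumes the standard local-repository
layout: <groupId as path>/<artifactId>/<version>/<artifactId>-<version>.{pom,jar}.
"""
from __future__ import annotations

import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class ArtifactState:
    group_id: str
    artifact_id: str
    version: str
    has_pom: bool
    has_jar: bool

    @property
    def status(self) -> str:
        # "pom-only" is the case from the thread: the descriptor was read
        # during dependency resolution, the jar itself was never fetched.
        if self.has_jar:
            return "jar present"
        if self.has_pom:
            return "pom-only"
        return "empty"


def scan_local_repo(repo_root: str | Path, group_id: str,
                    artifact_id: str) -> list[ArtifactState]:
    """Return one ArtifactState per version directory of group:artifact."""
    base = Path(repo_root).joinpath(*group_id.split("."), artifact_id)
    if not base.is_dir():
        return []
    states = []
    for version_dir in sorted(p for p in base.iterdir() if p.is_dir()):
        stem = f"{artifact_id}-{version_dir.name}"
        states.append(ArtifactState(
            group_id, artifact_id, version_dir.name,
            has_pom=(version_dir / f"{stem}.pom").is_file(),
            # Only the main jar counts; sources/javadoc classifiers are not classpath.
            has_jar=(version_dir / f"{stem}.jar").is_file(),
        ))
    return states


def pom_only(states: list[ArtifactState]) -> list[ArtifactState]:
    return [s for s in states if s.status == "pom-only"]


def build_sample_repo() -> Path:
    """Constructed sample repository (not a real checkout) in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="local-repo-"))
    # 1.2.12 exactly as listed in the thread: pom, sha1, _remote.repositories, no jar.
    v = root / "log4j" / "log4j" / "1.2.12"
    v.mkdir(parents=True)
    (v / "log4j-1.2.12.pom").write_text("<project/>\n")
    (v / "log4j-1.2.12.pom.sha1").write_text("0000\n")
    (v / "_remote.repositories").write_text("log4j-1.2.12.pom>central=\n")
    # 1.2.17: constructed contrast case where the jar was fetched too.
    v = root / "log4j" / "log4j" / "1.2.17"
    v.mkdir(parents=True)
    (v / "log4j-1.2.17.pom").write_text("<project/>\n")
    (v / "log4j-1.2.17.jar").write_bytes(b"PK\x03\x04")
    return root


if __name__ == "__main__":
    root = build_sample_repo()
    for s in scan_local_repo(root, "log4j", "log4j"):
        print(f"{s.group_id}:{s.artifact_id}:{s.version} -> {s.status}")
```

Point it at `~/.m2/repository` instead of the sample to check a real machine. Two caveats when reading the result: a pom-only directory only shows that no build sharing that local repository has fetched the jar so far, and a jar being present shows it was downloaded, not that it is on any particular module's runtime classpath; `mvn dependency:tree` on the module in question is the authoritative answer for the latter.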