Just to add my 2 cents: Many security scanning tools are not smart enough to detect the context, or in other words, they will mark as an issue a dependency that's only used with "test" scope even if it's not used in the final jar, and in the same line, there are some dependencies that can be optional and that might or might not be present in the final classpath.
Anyway, I agree that since log4shell, for many of us, a (small) security issue can cause panic, and with the actual events it gets more relevance, and actually I think it's a good thing since we are now more aware of security, but the issue is that we need to distinguish case by case if there is a security issue or not, and not blindly follow the suggestion of a scanning tool. Nevertheless, the issue comes from the velocity dependency in this chain:

> [INFO] +- org.apache.maven.reporting:maven-reporting-impl:jar:3.1.0:compile
> [INFO] |  +- org.apache.maven.reporting:maven-reporting-api:jar:3.1.0:compile
> [INFO] |  +- org.apache.maven.doxia:doxia-sink-api:jar:1.11.1:compile
> [INFO] |  |  \- org.apache.maven.doxia:doxia-logging-api:jar:1.11.1:compile
> [INFO] |  +- org.apache.maven.doxia:doxia-decoration-model:jar:1.11.1:compile
> [INFO] |  +- org.apache.maven.doxia:doxia-core:jar:1.11.1:compile
> [INFO] |  |  +- org.codehaus.plexus:plexus-container-default:jar:2.1.0:compile
> [INFO] |  |  |  +- org.apache.xbean:xbean-reflect:jar:3.7:compile
> [INFO] |  |  |  \- com.google.collections:google-collections:jar:1.0:compile
> [INFO] |  |  +- org.apache.commons:commons-text:jar:1.3:compile
> [INFO] |  |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
> [INFO] |  |  |  \- commons-codec:commons-codec:jar:1.11:compile
> [INFO] |  |  \- org.apache.httpcomponents:httpcore:jar:4.4.14:compile
> [INFO] |  \- org.apache.maven.doxia:doxia-site-renderer:jar:1.11.1:compile
> [INFO] |     +- org.apache.maven.doxia:doxia-skin-model:jar:1.11.1:compile
> [INFO] |     +- org.apache.maven.doxia:doxia-module-xhtml:jar:1.11.1:compile
> [INFO] |     +- org.apache.maven.doxia:doxia-module-xhtml5:jar:1.11.1:compile
> [INFO] |     +- org.codehaus.plexus:plexus-i18n:jar:1.0-beta-10:compile
> [INFO] |     +- org.codehaus.plexus:plexus-velocity:jar:1.2:compile
> [INFO] |     +- org.apache.velocity:velocity:jar:1.7:compile
> [INFO] |     |  \- commons-lang:commons-lang:jar:2.4:compile
> [INFO] |     \- org.apache.velocity:velocity-tools:jar:2.0:compile
> [INFO] |        +- commons-digester:commons-digester:jar:1.8:compile
> [INFO] |        +- commons-chain:commons-chain:jar:1.1:compile
> [INFO] |        +- dom4j:dom4j:jar:1.1:compile
> [INFO] |        \- oro:oro:jar:2.0.8:compile
>
> The velocity version that the doxia-site-renderer dependency uses is org.apache.velocity:velocity:jar:1.7:compile, and the velocity dependency declares this:
>
> <dependency>
>   <groupId>log4j</groupId>
>   <artifactId>log4j</artifactId>
>   <version>1.2.12</version>
>   <scope>provided</scope>
> </dependency>
>
> So, the root issue comes from the doxia-site-renderer that uses an old (29-Nov-201) version of velocity.

On Fri, Mar 4, 2022 at 7:41 AM Ralph Goers <ralph.go...@dslextreme.com> wrote:
> This appears to be plugin dependencies though, not project dependencies. The issue should really be raised with whatever plugin is causing it to be used. My recollection is that Maven itself hasn’t used Log4j in quite some time for logging.
>
> Ralph
>
> > On Mar 3, 2022, at 8:21 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
> >
> > Also note that in log4j 2.17.2 that was released a few days ago, I added many improvements to the log4j-1.2-api module which aims to provide compatibility with 1.2.
> >
> > Gary
> >
> > On Thu, Mar 3, 2022, 08:37 Bernd Eckenfels <e...@zusammenkunft.net> wrote:
> >
> >> All of the (known) remaining log4j1.x security bugs (none of which are as severe as log4shell) are fixed in reload4j 1.2.18+. If you need to stick with 1.2 you should use that. Otherwise you can try to migrate to the log4j bridge, its compatibility was increased in 2.17.2 or 2.12.4.
> >>
> >> Regards
> >> Bernd
> >> --
> >> http://bernd.eckenfels.net
> >> ________________________________
> >> From: Martin Gainty <mgai...@hotmail.com>
> >> Sent: Thursday, March 3, 2022 1:18:50 PM
> >> To: Maven Developers List <dev@maven.apache.org>
> >> Cc: David Milet <david.mi...@gmail.com>; iss...@maven.apache.org <iss...@maven.apache.org>; VZ-Product-OneTalk <vz-product-onet...@verizon.com>; Danylo Volokh <danylo.vol...@globallogic.com>
> >> Subject: RE: Maven Dependency Plugin - Log4j vulnerabilities
> >>
> >> I *thought* log4j 1.2.15 had the patch to mitigate the JNDI Security Vulnerability?
> >> Is this not the case?
> >> Thanks John
> >> M.
> >>
> >> Sent from my Verizon, Samsung Galaxy smartphone
> >>
> >> -------- Original message --------
> >> From: John Patrick <nhoj.patr...@gmail.com>
> >> Date: 3/3/22 4:07 AM (GMT-05:00)
> >> To: Maven Developers List <dev@maven.apache.org>
> >> Cc: David Milet <david.mi...@gmail.com>, iss...@maven.apache.org, VZ-Product-OneTalk <vz-product-onet...@verizon.com>, Danylo Volokh <danylo.vol...@globallogic.com>
> >> Subject: Re: Maven Dependency Plugin - Log4j vulnerabilities
> >>
> >> Sorry I thought you were talking about log4j v2, not v1. I can see it downloads the metadata about the project but none of the jars;
> >> local-repo/log4j
> >> local-repo/log4j/log4j
> >> local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
> >> local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
> >> local-repo/log4j
> >> local-repo/log4j/log4j
> >> local-repo/log4j/log4j/1.2.12
> >> local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
> >> local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
> >> local-repo/log4j/log4j/1.2.12/_remote.repositories
> >>
> >> So I would still say false positive, as the jar is not actually used.
> >>
> >> But looking at the dependency tree it would need the apache commons to update commons-logging:commons-logging, then commons-digester:commons-digester, then org.apache.velocity:velocity-tools, then it gets to the 1st dependency within the maven ecosystem.
> >> So 5 ish patches to 5 separate projects to upgrade, test and release, each before the next PR can progress.
> >>
> >> John
> >>
> >> On Thu, 3 Mar 2022 at 07:53, Thomas Matthijs <li...@selckin.be> wrote:
> >>
> >>> That was just to demonstrate how I got the dependency chain, that file was there, but if you're going to be this hostile, I'm not interested anymore, muting thread
> >>>
> >>> On Thu, 3 Mar 2022 at 08:48, Piotr Żygieło <piotr.zygi...@gmail.com> wrote:
> >>>>
> >>>> On Thu, 3 Mar 2022 at 08:37, Thomas Matthijs <li...@selckin.be> wrote:
> >>>>>
> >>>>> Can confirm this project downloads log4j 1.12.12 for me
> >>>>
> >>>> As I see it - you confirm something else.
> >>>>
> >>>>> Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
> >>>>
> >>>> Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
> >>>> _artifact descriptor_
> >>>>
> >>>> --
> >>>> Piotrek
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> >>>> For additional commands, e-mail: dev-h...@maven.apache.org
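As an added example (not code from this thread or from the Maven project), the Python below re-implements Maven's transitive-scope rule and applies it to the kind of `dependency:tree` output and pom fragment quoted above, so a scanner hit such as log4j:log4j can be checked for whether it actually reaches the consuming project's classpath. The tree excerpt and pom fragment are constructed from what the thread quotes; the regex, table and function names are assumptions of this example.

```python
"""Scope triage for a Maven scanner finding (added example, not code from the thread).
A 'provided' or 'test' dependency declared in a transitive pom is never pulled into
the consuming project; the tree excerpt and pom fragment below are constructed."""
import re
import xml.etree.ElementTree as ET

# Maven's propagation table: PROPAGATION[consumer_scope][declared_scope] is the
# effective scope in the consuming project; None means the dependency is dropped.
PROPAGATION = {
    "compile":  {"compile": "compile",  "runtime": "runtime",  "provided": None, "test": None},
    "provided": {"compile": "provided", "runtime": "provided", "provided": None, "test": None},
    "runtime":  {"compile": "runtime",  "runtime": "runtime",  "provided": None, "test": None},
    "test":     {"compile": "test",     "runtime": "test",     "provided": None, "test": None},
}
# One `mvn dependency:tree` line: [INFO] <tree art> group:artifact:jar:version:scope
TREE_LINE = re.compile(r"^\[INFO\]\s+[|+\\ -]*([\w.-]+):([\w.-]+):jar:([\w.-]+):(\w+)$")

def tree_scopes(tree_text):
    """Map 'group:artifact' -> (version, scope) from dependency:tree output."""
    found = {}
    for line in tree_text.splitlines():
        m = TREE_LINE.match(line.strip())
        if m:
            found[f"{m.group(1)}:{m.group(2)}"] = (m.group(3), m.group(4))
    return found

def reachable_scopes(pom_xml, consumer_scope):
    """Scope each <dependency> of this pom gets in a project consuming it at consumer_scope."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():                      # drop the pom namespace, if any
        el.tag = el.tag.rsplit("}", 1)[-1]
    deps = root.find("dependencies")
    out = {}
    for dep in ([] if deps is None else deps.findall("dependency")):
        key = f"{dep.findtext('groupId')}:{dep.findtext('artifactId')}"
        declared = (dep.findtext("scope") or "compile").strip()
        out[key] = PROPAGATION[consumer_scope][declared]
    return out

TREE = """[INFO] |     +- org.codehaus.plexus:plexus-velocity:jar:1.2:compile
[INFO] |     +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] |     |  \\- commons-lang:commons-lang:jar:2.4:compile"""
VELOCITY_POM = """<project><dependencies>
  <dependency><groupId>commons-lang</groupId><artifactId>commons-lang</artifactId><version>2.4</version></dependency>
  <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId><version>1.2.12</version><scope>provided</scope></dependency>
</dependencies></project>"""

def triage(flagged, via="org.apache.velocity:velocity", tree_text=TREE, pom_xml=VELOCITY_POM):
    """Effective scope of `flagged` when declared in `via`'s pom; None = not on the classpath."""
    via_scope = tree_scopes(tree_text)[via][1]
    return reachable_scopes(pom_xml, via_scope).get(flagged)
```

`triage("log4j:log4j")` returns None because velocity declares it `provided`, while `triage("commons-lang:commons-lang")` returns "compile"; point `tree_text` and `pom_xml` at a real `mvn dependency:tree` dump and the transitive artifact's downloaded .pom to run the same check on another finding.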