Lida Zhao created MASFRES-51:
--------------------------------
Summary: could log4j impair a program if it is a transitive
"provided" dependency?
Key: MASFRES-51
URL: https://issues.apache.org/jira/browse/MASFRES-51
Project: Apache Maven Resource Bundles
Issue Type: Improvement
Reporter: Lida Zhao
Log4j's problem led me to a strange thought, which I want to discuss with you:
will a transitive "provided" dependency impair my project? Let's take an
example. I have a project structured like this: I import "druid", which has a
provided dependency "log4j-core":

my-company:my-app2:v1.0
\- com.alibaba:druid:jar:1.2.8:compile
   \- org.apache.logging.log4j:log4j-core:jar:2.13.3:provided

To `my-app`, `log4j-core` is a transitive "provided" dependency.
But the "provided" scope is not transitive according to the docs, so when we run
`mvn dependency:tree` we only get:

my-company:my-app2:v1.0
\- com.alibaba:druid:jar:1.2.8:compile

Since log4j-core participates in the compilation of druid, part of
`log4j-core`'s code could be inside. In the worst case, could it also be
vulnerable? If so, how could we know whether `log4j-core`'s code is actually inside?
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
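The question the report ends on, how to tell whether log4j-core's code really ended up inside an artifact, is answered by looking at the artifact rather than at the dependency tree. A "provided" (or any compile-classpath) dependency is only used to resolve symbols while javac runs; nothing from it is copied into the resulting jar unless a shade/assembly step, a fat jar or a war's lib directory bundles it. The following script is an added example written for this issue, not code from the reporter or from the Maven project. It opens a jar, counts class entries under the `org/apache/logging/log4j/core/` package, reads the version from the `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` file that Maven writes into jars it builds, and descends into nested jars (a war's `WEB-INF/lib`, a Spring Boot jar's `BOOT-INF/lib`) where an embedded copy would otherwise go unnoticed. The sample jars it builds are constructed fixtures with placeholder class names; the `2.13.3` version string is the one from the report's tree.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Package prefix of log4j-core classes, and the pom.properties Maven writes into
# every jar it builds (META-INF/maven/<groupId>/<artifactId>/pom.properties).
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
LOG4J_CORE_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def read_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Version from log4j-core's pom.properties, or None if the jar lacks it."""
    if LOG4J_CORE_POM_PROPS not in zf.namelist():
        return None
    text = zf.read(LOG4J_CORE_POM_PROPS).decode("utf-8", "replace")
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_jar_bytes(data: bytes, location: str = "<root>") -> List[dict]:
    """Report every jar (this one or one nested inside it) holding log4j-core classes.

    Each finding is {"jar": location, "classes": count, "version": str or None}.
    Nested jars are scanned recursively because a war or fat jar carries its
    libraries as whole jar files rather than as loose classes.
    """
    findings: List[dict] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        core_classes = [n for n in names
                        if n.startswith(LOG4J_CORE_PREFIX) and n.endswith(".class")]
        if core_classes:
            findings.append({"jar": location, "classes": len(core_classes),
                             "version": read_version(zf)})
        for name in names:
            if name.endswith(".jar"):
                findings.extend(scan_jar_bytes(zf.read(name), f"{location}!{name}"))
    return findings


def scan_jar_file(path: str) -> List[dict]:
    """Scan a jar/war on disk; the path becomes the root location in findings."""
    with open(path, "rb") as fh:
        return scan_jar_bytes(fh.read(), path)


def _make_zip(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_jars() -> Dict[str, bytes]:
    """Constructed fixtures (placeholder class names, not real artifacts)."""
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; content is irrelevant here
    pom_props = (b"#Generated by Maven\nversion=2.13.3\n"
                 b"groupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
    # 1. druid compiled against log4j-core (provided): nothing copied in.
    druid = _make_zip({"com/alibaba/druid/Placeholder.class": fake_class})
    # 2. an app jar that shaded log4j-core's classes into itself.
    shaded = _make_zip({
        "my/company/App.class": fake_class,
        "com/alibaba/druid/Placeholder.class": fake_class,
        "org/apache/logging/log4j/core/PlaceholderA.class": fake_class,
        "org/apache/logging/log4j/core/PlaceholderB.class": fake_class,
        LOG4J_CORE_POM_PROPS: pom_props,
    })
    # 3. a war bundling log4j-core as a nested jar under WEB-INF/lib.
    nested = _make_zip({"org/apache/logging/log4j/core/PlaceholderA.class": fake_class,
                        LOG4J_CORE_POM_PROPS: pom_props})
    war = _make_zip({"WEB-INF/classes/my/company/App.class": fake_class,
                     "WEB-INF/lib/druid-1.2.8.jar": druid,
                     "WEB-INF/lib/log4j-core-2.13.3.jar": nested})
    return {"druid-1.2.8.jar": druid, "my-app2-shaded.jar": shaded, "my-app2.war": war}


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or []:
        for f in scan_jar_file(path):
            print(f"{f['jar']}: {f['classes']} log4j-core classes, version {f['version']}")
    if len(sys.argv) == 1:
        for name, data in build_sample_jars().items():
            print(name, scan_jar_bytes(data))
```

Run it over the deployable artifact (the jar or war you actually ship), not over the build classpath: the plain druid jar yields no finding, which is the normal outcome for a provided dependency, while the shaded jar and the war both surface the embedded copy along with its version, which is what an inventory for a library advisory needs.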