[ https://issues.apache.org/jira/browse/MASFRES-51 ]
Lida Zhao deleted comment on MASFRES-51:
----------------------------------
was (Author: JIRAUSER281746):
Why do you continuously close my question? Is there any reason? At least give
me some guidance about what is wrong or where I should go.
> could log4j impair a program if it is a transitive "provided" dependency?
> -------------------------------------------------------------------------
>
> Key: MASFRES-51
> URL: https://issues.apache.org/jira/browse/MASFRES-51
> Project: Apache Maven Resource Bundles
> Issue Type: Improvement
> Reporter: Lida Zhao
> Priority: Major
>
> Log4j's problem led me to a strange thought that I want to discuss with you:
> will a transitive "provided" dependency impair my project? Let's take an
> example. I have a project structure like this: I import "druid", which has a
> provided dependency "log4j-core":
>
> my-company:my-app2:v1.0
> \- com.alibaba:druid:jar:1.2.8:compile
>    \- org.apache.logging.log4j:log4j-core:jar:2.13.3:provided
>
> To `my-app`, `log4j-core` is a *transitive "provided" dependency*.
> But the "provided" scope is not transitive according to the docs, so when we
> use `mvn dependency:tree`, we only get
>
> my-company:my-app2:v1.0
> \- com.alibaba:druid:jar:1.2.8:compile
>
> Since log4j-core participates in the compilation of druid, part of
> `log4j-core`'s code could be inside. In the worst case, could they also be
> vulnerable? If so, how could we know whether `log4j-core` is actually inside?
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
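A practical check for the question the issue ends with, added here as an example and not code from the issue, the reporter, or the Maven project: Maven's default jar packaging does not copy a provided-scope dependency's classes into the dependent jar, so log4j-core code is only "inside" an artifact if it was shaded or bundled, and the way to know is to inspect the jar itself. The script below lists entries under log4j-core's package, descending into nested jars; `build_sample_jar` is a constructed stand-in for an artifact like druid's, and the check assumes the package was not relocated by shading.

```python
import io
import zipfile

# Package prefix of log4j-core classes. A shaded copy may be relocated to
# another package, so an empty result is evidence, not proof (see lead-in).
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"


def find_log4j_core_entries(data: bytes, path: str = "") -> list:
    """Return jar entries (prefixed with any nesting path) under log4j-core's package.

    `data` is the raw bytes of a jar/zip. Nested jars (uber or fat jars) are
    opened recursively so classes hidden one level down are still found.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for name in jar.namelist():
            if name.startswith(LOG4J_CORE_PREFIX) and name.endswith(".class"):
                hits.append(f"{path}{name}")
            elif name.endswith(".jar"):
                nested = jar.read(name)
                hits.extend(find_log4j_core_entries(nested, f"{path}{name}!/"))
    return hits


def build_sample_jar(bundle_log4j: bool) -> bytes:
    """Constructed sample (not a real artifact): an application jar with one
    class of its own and, optionally, a nested log4j-core jar as an uber jar
    would carry. The class bodies are just a class-file magic number."""
    log4j = io.BytesIO()
    with zipfile.ZipFile(log4j, "w") as z:
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    app = io.BytesIO()
    with zipfile.ZipFile(app, "w") as z:
        z.writestr("com/alibaba/druid/Pool.class", b"\xca\xfe\xba\xbe")
        if bundle_log4j:
            z.writestr("BOOT-INF/lib/log4j-core-2.13.3.jar", log4j.getvalue())
    return app.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python check_log4j.py some.jar other.jar ...
    for jar_path in sys.argv[1:]:
        with open(jar_path, "rb") as f:
            for hit in find_log4j_core_entries(f.read()):
                print(f"{jar_path}: {hit}")
```

Run it over the jars actually shipped by a build (for example everything under the application's lib directory) rather than over `mvn dependency:tree` output, since the tree shows declared dependencies, not what a third-party jar physically contains.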