[ https://issues.apache.org/jira/browse/MNG-7364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Osipov closed MNG-7364.
-------------------------------
Resolution: Invalid
Here is the solution: https://bfy.tw/SChV
> could log4j impair a program if it is a transitive "provided" dependency?
> -------------------------------------------------------------------------
>
> Key: MNG-7364
> URL: https://issues.apache.org/jira/browse/MNG-7364
> Project: Maven
> Issue Type: Improvement
> Reporter: Lida Zhao
> Priority: Major
>
> Log4j's problem led me to a strange thought that I want to discuss with
> you: will a transitive "provided" dependency impair my project? Let's take
> an example. I have a project structure like this; I import "druid", which
> has a provided dependency "log4j-core":
>
> my-company:my-app2:v1.0
> - com.alibaba:druid:jar:1.2.8:compile
>   - org.apache.logging.log4j:log4j-core:jar:2.13.3:provided
>
> To `my-app`, `log4j-core` is a transitive "provided" dependency.
> But "provided" scope is not transitive according to the docs, so when we
> use `mvn dependency:tree`, we only get:
>
> my-company:my-app2:v1.0
> - com.alibaba:druid:jar:1.2.8:compile
>
> Since log4j-core participates in the compilation of druid, part of
> `log4j-core`'s code could be inside. In the worst case, could they also
> be vulnerable? If so, how could we know whether `log4j-core` is actually
> inside?
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
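The practical check behind the question above, as an added example that is not part of the Jira thread and not Maven, druid or log4j project code. Compiling a library against a "provided" dependency does not copy that dependency's bytecode into the library's jar; `javac` only references the classes, so log4j-core classes end up inside a dependency's artifact only if the build deliberately bundled them (a shaded or "fat" jar, or a WAR carrying its own `WEB-INF/lib`). Maven's dependency tree cannot tell you that, because it describes declared coordinates, not archive contents. The scanner below therefore opens every archive under a directory, recurses into nested jars, and reports any `org/apache/logging/log4j/core/` class entry plus the `pom.properties` version marker that shading usually carries along. The three archives it scans are constructed in a temporary directory with placeholder class bytes (no real bytecode), purely so the example runs offline; `com/example/dep/Foo.class`, the file names and the version string are all assumptions of the example.

```python
"""Scan JAR/WAR files for bundled log4j-core classes, recursing into nested
archives (fat jars, WAR libraries).

Added example for the MNG-7364 discussion; not Maven, druid or log4j code.
"""
import io
import os
import tempfile
import zipfile
from typing import Dict, List

# Any .class under this prefix proves log4j-core bytecode is inside the archive.
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
# The class behind CVE-2021-44228; listed so a hit on it is easy to spot.
JNDI_LOOKUP = LOG4J_CORE_PREFIX + "lookup/JndiLookup.class"
# Shaded/bundled log4j-core normally keeps its Maven metadata, which names the version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def scan_archive(data: bytes, name: str, depth: int = 0, max_depth: int = 3) -> List[str]:
    """Return 'archive!entry' strings for every log4j-core class entry found in
    the archive bytes, descending into nested .jar/.war/.zip entries."""
    findings: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    with zf:
        for entry in zf.namelist():
            if entry.startswith(LOG4J_CORE_PREFIX) and entry.endswith(".class"):
                findings.append(f"{name}!{entry}")
            elif entry == POM_PROPERTIES:
                # Pull the version line out of the bundled Maven metadata.
                props = zf.read(entry).decode("utf-8", errors="replace")
                version = next((l.split("=", 1)[1].strip() for l in props.splitlines()
                                if l.startswith("version=")), "unknown")
                findings.append(f"{name}!{entry}: version={version}")
            elif entry.endswith((".jar", ".war", ".zip")) and depth < max_depth:
                findings.extend(scan_archive(zf.read(entry), f"{name}!{entry}", depth + 1, max_depth))
    return findings


def scan_path(root: str) -> Dict[str, List[str]]:
    """Walk a directory (e.g. target/ or WEB-INF/lib) and scan every archive.
    Keys are paths relative to root; values are sorted findings (possibly empty)."""
    results: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith((".jar", ".war", ".ear", ".zip")):
                path = os.path.join(dirpath, fn)
                rel = os.path.relpath(path, root)
                with open(path, "rb") as f:
                    results[rel] = sorted(scan_archive(f.read(), rel))
    return results


def _make_archive(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


def build_fixtures(root: str) -> None:
    """Write three constructed archives with placeholder class bytes (assumed
    names, no real bytecode):
    - plain-dep.jar:  built against log4j-core but carrying only its own classes
    - shaded-dep.jar: the same library with log4j-core bundled in (shading)
    - app.war:        a WAR whose WEB-INF/lib contains the shaded jar
    """
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; stands in for bytecode
    plain = _make_archive({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "com/example/dep/Foo.class": fake_class,
    })
    shaded = _make_archive({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "com/example/dep/Foo.class": fake_class,
        LOG4J_CORE_PREFIX + "Core.class": fake_class,
        JNDI_LOOKUP: fake_class,
        POM_PROPERTIES: b"version=2.13.3\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
    })
    war = _make_archive({
        "WEB-INF/classes/com/example/app/App.class": fake_class,
        "WEB-INF/lib/shaded-dep.jar": shaded,
    })
    for fn, blob in (("plain-dep.jar", plain), ("shaded-dep.jar", shaded), ("app.war", war)):
        with open(os.path.join(root, fn), "wb") as f:
            f.write(blob)


def run_demo() -> Dict[str, List[str]]:
    """Build the fixtures in a temp dir, scan them, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_fixtures(root)
        return scan_path(root)


if __name__ == "__main__":
    for archive, hits in run_demo().items():
        print(archive, "->", "clean" if not hits else "")
        for hit in hits:
            print("   ", hit)
```

Point `scan_path` at a real `target/` directory or an unpacked deployment to use it for real. The negative result matters as much as the positive one: `plain-dep.jar` is the normal case for a library that only declared log4j-core as "provided", and it comes back clean because nothing of log4j was ever copied into it. Only the shaded artifact, and the WAR that carries it, show log4j-core classes, and for those the bundled `pom.properties` gives the version to compare against the advisory.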