[ https://issues.apache.org/jira/browse/MNG-7387?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maarten Mulders closed MNG-7387.
--------------------------------
    Resolution: Duplicate

Repeating myself here, but:
{quote}A dependency being downloaded and stored on your filesystem does not do 
any harm per se.

It can become harmful when that JAR is included in the classpath of a running 
system, that is also exposing the vulnerability. Then still, one would need to 
assess the whole situation: what traffic hits the system, how is that 
vulnerable JAR used, etc. There is no single answer to that question - not for 
Maven, not for any other software in the world.{quote}

The fact that your client doesn't want this downloading is very unfortunate, 
but also (to put it a bit bluntly, apologies) none of our business. From Maven's 
perspective, downloading this file brings no harm.

If you insist, you can try upgrading the Maven Dependency Plugin for your 
project. Maybe you're lucky and it no longer depends (transitively) on 
Log4J 1.x. If you're unlucky and it still does, you could consider contributing 
a "fix" for the "problem".

Unless there's a proven exploit in Maven, I think the priority of this 
"problem" is extremely low.
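One way to follow that advice, shown here as an added example that is not from the issue or from the Maven project: declare a newer maven-dependency-plugin in the project's pluginManagement so the 2.8 default supplied by Maven's built-in super-POM is no longer used. The sample project coordinates and the 3.2.0 plugin version are assumptions; check Maven Central for the current release.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Placeholder coordinates for the sample project (assumption) -->
  <groupId>com.example</groupId>
  <artifactId>pin-dependency-plugin</artifactId>
  <version>1.0-SNAPSHOT</version>

  <build>
    <pluginManagement>
      <plugins>
        <!-- Without this entry, Maven 3.8.x falls back to the 2.8 version
             from its super-POM, which is the one the issue reports pulling
             in log4j 1.2.12. Pinning a 3.x release replaces that default
             for every invocation in this project, including direct
             "mvn dependency:..." calls from the command line. -->
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-dependency-plugin</artifactId>
          <version>3.2.0</version> <!-- assumed 3.x version; verify on Maven Central -->
        </plugin>
      </plugins>
    </pluginManagement>
  </build>
</project>
```

Afterwards, `mvn dependency:resolve-plugins` lists every plugin Maven resolves for the project together with the plugin's own dependencies, which is the place to confirm whether log4j:log4j:1.2.12 is still pulled in.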

> Log4j 1.2.12 dependency is getting downloaded from Maven Project
> -----------------------------------------------------------------
>
>                 Key: MNG-7387
>                 URL: https://issues.apache.org/jira/browse/MNG-7387
>             Project: Maven
>          Issue Type: Bug
>          Components: Artifacts and Repositories, Dependencies
>    Affects Versions: 3.8.4
>            Reporter: Tharanadha K
>            Priority: Critical
>         Attachments: image-2022-01-10-11-27-53-147.png
>
>
> I am getting log4j 1.2.12 downloaded even though there are no plug-ins or 
> dependencies added in my POM.xml. It's automatically taking 
> maven-dependency-plugin 2.8 and downloading it (please see attachment). 
> Is there any solution, as my client doesn't want this download?
> !image-2022-01-10-11-27-53-147.png!

--
This message was sent by Atlassian Jira
(v8.20.1#820001)