[
https://issues.apache.org/jira/browse/MJAVADOC-726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17690941#comment-17690941
]
Michael Osipov edited comment on MJAVADOC-726 at 2/19/23 9:58 PM:
------------------------------------------------------------------
I didn't say it isn't maintained, but I don't intend to put any effort into it.
If you can tackle the issue and release the entire stack, no problem. If this
is such a problem for [~writetoyogi], HE should provide ALL the PRs to make
that happen. Since he is not using the reporting, but rather standalone
invocation, he could try to exclude the dependency.
Note: Doxia 2 isn't GA and won't happen before summer.
was (Author: michael-o):
I didn't say it isn't maintained, but I don't intend to put any effort into it.
If you can tackle the issue and release the entire stack, no problem. If this
is such a problem for [~writetoyogi], HE should provide ALL the PRs to make
that happen. Since he is not using the reporting, but rather standalone
invocation, he could try to exclude the dependency.
Note: Doxia 2 isn't GA and won't be fore summer.
> Maven Java Doc Plug-in v3.4.0 downloads Log4j-1.2.12 dependency transitively
> ----------------------------------------------------------------------------
>
> Key: MJAVADOC-726
> URL: https://issues.apache.org/jira/browse/MJAVADOC-726
> Project: Maven Javadoc Plugin
> Issue Type: Bug
> Components: jar, javadoc
> Affects Versions: 3.4.0
> Environment: Windows 10
> Reporter: Yogesh Desai
> Priority: Major
> Labels: Vulnerability, vulnerability
> Fix For: wontfix-candidate, waiting-for-feedback
>
> Attachments: log4j-1.2.12.png
>
>
> I have observed that Maven Javadoc Plug-in v3.4.0 downloads Log4j-1.2.12
> dependency transitively in local maven repository i.e. .m2 folder upon
> running maven update in eclipse IDE or from command line. Since Log4j-1.X is
> strictly prohibited for use in many organisations, we had no other option
> than not using the plugin. Please plan to fix this issue and get rid of the
> log4j-1.X dependency.
> *Steps to Reproduce-*
> 1. Add maven javadoc plugin v3.4.0 in your project POM file
> <plugin>
>   <groupId>org.apache.maven.plugins</groupId>
>   <artifactId>maven-javadoc-plugin</artifactId>
>   <version>3.4.0</version>
>   <configuration>
>     <encoding>UTF-8</encoding>
>     <additionalparam>-Xdoclint:none</additionalparam>
>   </configuration>
>   <executions>
>     <execution>
>       <id>attach-javadocs</id>
>       <goals>
>         <goal>jar</goal>
>       </goals>
>     </execution>
>   </executions>
> </plugin>
> 2. Observe your local maven repository i.e. .m2 folder and see if
> any log4j-1.2.12 artifacts are present in log4j folder of it. If artifacts
> are present already, delete them for now.
> 3. Run maven update command for your project (additionally run maven install
> command as needed)
> 4. Observe your local maven repository i.e. .m2 folder and see if
> any log4j-1.2.12 artifacts are generated with latest timestamp inside log4j
> folder.
> Attached is the screenshot showing maven javadoc plugin v3.4.0 used in
> POM.xml and log4j-1.2.12 dependency getting downloaded in local maven
> repository i.e. .m2 folder.
> Let me know if any other information is required. Thanks!
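The manual check in steps 2 and 4 of the report can be scripted. The following is an added example, not part of the original message or of the Maven project: it lists Log4j 1.x entries in a local repository and separates POM-only entries from entries where the jar was also downloaded. The default location `~/.m2/repository` and the `log4j/log4j/<version>/` layout are assumptions, and the helper names are hypothetical.

```python
import time
from pathlib import Path


def find_log4j1(repo_root):
    """Return one record per Log4j 1.x version directory in a Maven local repository.

    Assumed layout: <repo_root>/log4j/log4j/<version>/log4j-<version>.{pom,jar}
    """
    base = Path(repo_root) / "log4j" / "log4j"
    findings = []
    if not base.is_dir():
        return findings  # nothing resolved under the log4j:log4j coordinates
    for vdir in sorted(p for p in base.iterdir() if p.is_dir()):
        if not vdir.name.startswith("1."):
            continue
        files = [f for f in vdir.iterdir() if f.is_file()]
        findings.append({
            "version": vdir.name,
            # A .pom alone means only the metadata was fetched; a .jar means the
            # library itself is on disk. Checksum and .lastUpdated files are ignored.
            "has_pom": any(f.suffix == ".pom" for f in files),
            "has_jar": any(f.suffix == ".jar" for f in files),
            # Newest modification time, for the "latest timestamp" check in step 4.
            "newest_mtime": max((f.stat().st_mtime for f in files), default=None),
        })
    return findings


def build_sample_repo(root):
    """Constructed sample tree: 1.2.12 with POM and jar, 1.2.17 with POM only."""
    for version, exts in {"1.2.12": ["pom", "jar"], "1.2.17": ["pom"]}.items():
        vdir = Path(root) / "log4j" / "log4j" / version
        vdir.mkdir(parents=True)
        for ext in exts:
            (vdir / f"log4j-{version}.{ext}").write_bytes(b"constructed sample")


if __name__ == "__main__":
    repo = Path.home() / ".m2" / "repository"  # assumed default location
    for hit in find_log4j1(repo):
        mtime = hit["newest_mtime"]
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime)) if mtime else "-"
        kind = "jar present" if hit["has_jar"] else "POM only"
        print(f"log4j {hit['version']}: {kind}, newest file {stamp}")
```

Running it before and after the Maven build, as in steps 2 and 4, shows whether the entry reappears and whether the jar or only the POM was fetched.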