[ https://issues.apache.org/jira/browse/MDEP-902?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17792168#comment-17792168 ]

Michael Osipov commented on MDEP-902:
-------------------------------------

Patches are welcome.

> plugin has dependency on log4j version with vulnerability
> ---------------------------------------------------------
>
>                 Key: MDEP-902
>                 URL: https://issues.apache.org/jira/browse/MDEP-902
>             Project: Maven Dependency Plugin
>          Issue Type: Dependency upgrade
>    Affects Versions: 3.6.1
>            Reporter: Cary Mader
>            Priority: Major
>
> We have Maven projects using the dependency plugin. When it executes, it's causing 
> Maven to pull the log4j jar version 1.2.12 to local Maven repos on build 
> servers, and then scanners are flagging that jar as having a vulnerability, 
> which causes us a lot of noise.
> Dependency GAV is log4j / log4j / 1.2.12.
> Have seen this with the latest version, 3.6.1.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
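As an added example (not part of this issue, of the Maven Dependency Plugin, or of Maven itself): a POSIX shell check that locates log4j:log4j 1.x jars in a local Maven repository and fails when the 1.2.12 artifact the report names is present, which is the condition the reporter's scanners flag. It relies only on the documented local-repository layout, <repo>/<groupId as a path>/<artifactId>/<version>/<artifactId>-<version>.jar; the default repository path ~/.m2/repository and the script name are assumptions, and a build server with a relocated repository passes its path as the first argument.

```shell
#!/bin/sh
# Added example, not code from the Jira issue or the plugin.
# Finds log4j:log4j 1.x jars that plugin resolution has pulled into a local
# Maven repository, so the artifact a scanner flags can be tied to the build
# that fetched it. Assumes the standard local-repository layout:
#   <repo>/log4j/log4j/<version>/log4j-<version>.jar
# and defaults the repository root to ~/.m2/repository (an assumption).

# Print one "log4j:log4j:<version> <path>" line per log4j 1.x binary jar.
# Sources and javadoc jars are skipped; they are not what runs on the classpath.
find_log4j1_jars() {
  repo="${1:-$HOME/.m2/repository}"
  [ -d "$repo/log4j/log4j" ] || return 0
  find "$repo/log4j/log4j" -type f -name 'log4j-1.*.jar' \
       ! -name '*-sources.jar' ! -name '*-javadoc.jar' \
    | sort | while IFS= read -r jar; do
      # The version directory is the parent of the jar in the repository layout.
      version=$(basename "$(dirname "$jar")")
      printf 'log4j:log4j:%s %s\n' "$version" "$jar"
    done
}

# Return 1 when the exact artifact from the report (log4j:log4j:1.2.12) is
# present, 0 otherwise, so a pipeline step can gate on it with "|| exit 1".
check_for_log4j_1_2_12() {
  repo="${1:-$HOME/.m2/repository}"
  if find_log4j1_jars "$repo" | grep -q '^log4j:log4j:1\.2\.12 '; then
    return 1
  fi
  return 0
}

# Stand-alone use: sh find_log4j1.sh [/path/to/local/repository]
main() {
  find_log4j1_jars "$1"
  if check_for_log4j_1_2_12 "$1"; then
    echo "no log4j:log4j:1.2.12 in ${1:-$HOME/.m2/repository}"
  else
    echo "log4j:log4j:1.2.12 present in ${1:-$HOME/.m2/repository}" >&2
    return 1
  fi
}

# Only run the scan when invoked with a repository path; sourcing the file
# (for example from a test) defines the functions without scanning anything.
[ "$#" -gt 0 ] && main "$@"
```

This tells you that the artifact is there, not which plugin dependency brought it; for that, run `mvn dependency:resolve-plugins` in the affected project (requires repository access), which lists each plugin together with its resolved dependencies, and look for log4j:log4j:1.2.12 under maven-dependency-plugin.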