Guys,
please stop spamming the dev mailing list with this. Take the problem
off list, since this is not a Maven problem.
M
-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@m
> https://github.com/jveverka/mvn-dependency-log4j/commit/ac87977c19bb2ee2564d15fa87f255d621a4706d
https://github.com/pzygielo/mvn-dependency-log4j/runs/5425284512?check_suite_focus=true#step:5:1
No log4j:1.2.12:jar is downloaded in that reproducer.
log4j/log4j is excluded by commons-logging from
Hi David
Thank you for summarizing the problem, let me explain some details:
1. "The business application is not exposed" - true
2. "The maven build environment might (can’t confirm at this point)
download a transitive dependency on log4j 1.x" - this is true, build
environment and maven-dependency
Hi David,
Thanks for the summary and the suggestion. Sure, we will look at how best
we can handle this with our Security team.
Thanks,
Venu
On Thu, Mar 3, 2022 at 4:20 AM David Milet wrote:
> Hey guys
> Let’s be courteous and civil.
>
> As part of vulnerability management, an assessment has t
Adding Juraj back in the chain as I see that he is removed.
Juraj,
Can you please look at the below 6 emails in this chain?
Thanks,
Venu
On Thu, Mar 3, 2022 at 3:07 AM John Patrick wrote:
> Sorry I thought you were talking about log4j v2, not v1. I can see it
> downloads the metadata about
atibility was increased in 2.17.2 or 2.12.4.
> >>
> >> Regards
> >> Bernd
> >> --
> >> http://bernd.eckenfels.net
> >> ________
> >> From: Martin Gainty
> >> Sent: Thursday, March 3, 2022 1:18:50 PM
>
n.apache.org <
>> iss...@maven.apache.org>; VZ-Product-OneTalk <
>> vz-product-onet...@verizon.com>; Danylo Volokh <
>> danylo.vol...@globallogic.com>
> >> Subject: RE: Maven Dependency Plugin - Log4j vulnerabilities
>>
>> I *thought* log4j 1.2.15
my Verizon, Samsung Galaxy smartphone
>
>
>
> Original message
> From: John Patrick
> Date: 3/3/22 4:07 AM (GMT-05:00)
> To: Maven Developers List
> Cc: David Milet , iss...@maven.apache.org,
> VZ-Product-OneTalk , Danylo Volokh <
> danylo.vol...@gl
Martin Gainty
> Sent: Thursday, March 3, 2022 1:18:50 PM
> To: Maven Developers List
> Cc: David Milet ; iss...@maven.apache.org <
> iss...@maven.apache.org>; VZ-Product-OneTalk <
> vz-product-onet...@verizon.com>; Danylo Volokh <
> danylo.vol...@globallog
Bernd
--
http://bernd.eckenfels.net
From: Martin Gainty
Sent: Thursday, March 3, 2022 1:18:50 PM
To: Maven Developers List
Cc: David Milet ; iss...@maven.apache.org
; VZ-Product-OneTalk ;
Danylo Volokh
Subject: RE: Maven Dependency Plugin - Log4j vulnerabilities
Milet , iss...@maven.apache.org,
VZ-Product-OneTalk , Danylo Volokh
Subject: Re: Maven Dependency Plugin - Log4j vulnerabilities
Sorry I thought you were talking about log4j v2, not v1. I can see it
downloads the metadata about the project but none of the jars;
local-repo/log4j
local-repo/log4j
Hey guys
Let’s be courteous and civil.
As part of vulnerability management, an assessment has to be made about the
potential security impact of a vulnerability in software.
New vulnerabilities are found every day on older components and it is not
practical nor feasible to chase down every rabbi
Sorry I thought you were talking about log4j v2, not v1. I can see it
downloads the metadata about the project but none of the jars;
local-repo/log4j
local-repo/log4j/log4j
local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
local-repo/log4j
local-repo
That was just to demonstrate how i got the dependency chain, that file
was there, but if you're going to be this hostile, i'm not interested
anymore, muting thread
On Thu, 3 Mar 2022 at 08:48, Piotr Żygieło wrote:
>
> On Thu, 3 Mar 2022 at 08:37, Thomas Matthijs wrote:
> >
> > Can confirm this p
On Thu, 3 Mar 2022 at 08:37, Thomas Matthijs wrote:
>
> Can confirm this project downloads log4j 1.12.12 for me
As I see it - you confirm something else.
> Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
_artifact des
Hello,
Can confirm this project downloads log4j 1.12.12 for me
rm -rf ~/.m2/repository/log4j/log4j
sudo chown root:root ~/.m2/repository/log4j/log4j
[ERROR] Failed to execute goal
org.apache.maven.plugins:maven-dependency-plugin:3.2.0:copy
(copy-artifact) on project demo: Execution copy-artifact
On Thu, 3 Mar 2022 at 07:27, Jaladi, Venumadhav
>
> Below I am pasting some of the information on the 3 vulnerabilities from
> our report.
It's hard to talk about that report, for (said at least twice) linked
reproducer does not demonstrate to actually download vulnerable
log4j:1.2.12 jar.
--
Pi
Hi,
Below I am pasting some of the information on the 3 vulnerabilities from
our report. FYI, I removed the information about the server details and
also trimmed the file path. This report is generated by the Tenable agent.
Severity scandate Vuln Name Description Summary Fix CVE ID CVS Base
Sco
You might need to raise a bug with your security scanner regarding false
positives.
So your dependency tree I only see log4j 2.17.1; i.e.
Your Pom
- org.springframework.boot:spring-boot-starter-web:2.6.4
-- org.springframework.boot:spring-boot-starter-web:2.6.4
--- org.springframework.boot:spring
Hi David
Just for clarification: we are not relying on the maven dependency plugin
at runtime. Our runtime is perfectly clear of log4j vulnerabilities.
The problem is that our security scanners are scanning gitlab runner nodes
(virtual machines on which we compile and package our application) and
Juraj,
I have run this command on your reproducer and in "tmp" I cannot find
log4j versions other than 2.17.1
mvn clean install -X -Dmaven.repo.local=tmp > out.txt
Enrico
On Mon, 28 Feb 2022 at 13:52 Juraj Veverka
wrote:
>
> Hi David
>
> Many thanks for your email, I really app
Hi David
Many thanks for your email, I really appreciate your reply. This is an
isolated example of the problem.
https://github.com/jveverka/mvn-dependency-log4j
You can find all repro steps there. In case of any questions, feel free
to contact me.
Kind regards
Juraj Veverka
On Mon, Feb 28, 20
Where I work we decided to address log4j vulnerabilities only for components
directly used by the application and actually performing logging.
We ignored transitive dependencies and maven plug-ins.
I’m curious about this use case from Venu though, what application would rely
on the maven dependen
Hi,
Please provide more information, like plugin, maven, os version.
We also need an example project which reproduces your issue.
When we can't reproduce we can't help.
On Mon, 28 Feb 2022 at 08:55 Jaladi, Venumadhav
wrote:
> Hi team,
>
> Can I expect any response? Is this the right email ad
Dear Maven team,
May I renovate this request?
Thanks,
Marco Seguri
On 2021/09/09 17:15:01, Sergey Vyacheslavovich Brunov
wrote:
> Dear Maven team,>
>
> Could anyone please release `maven-dependency-plugin` with the `MDEP-753`
changes?>
>
> Please, note that the MDEP-753 defect is critical: see
As far as I know, no one is currently working on this and no one has
stepped forward to fund this work with either hours or dollars.
On Wed, May 5, 2021 at 5:49 AM Tom VanDeGrift wrote:
>
> I have been hunting down old security "vulnerable" versions of struts that
> have been showing up in my .m2
ok I can see the comments.
On Wed, 14 Oct 2020 at 15:41, Olivier Lamy wrote:
> why?
>
> On Wed, 14 Oct 2020 at 15:37, wrote:
>
>> This is an automated email from the ASF dual-hosted git repository.
>>
>> mthmulders pushed a commit to branch master
>> in repository
>> https://gitbox.apache.org/
why?
On Wed, 14 Oct 2020 at 15:37, wrote:
> This is an automated email from the ASF dual-hosted git repository.
>
> mthmulders pushed a commit to branch master
> in repository
> https://gitbox.apache.org/repos/asf/maven-dependency-plugin.git
>
> commit e943c83cabf4009d00597168f3dc1ff39a30d398
>
yes, removing this type of code is exactly the objective of updating minimum
Maven version prerequisite to something > 3.0.x
please all share your thoughts on the other email thread on the next level of
compatibility we should put in our plan:
https://maven.apache.org/developers/compatibility-plan
Oh yes +10
it would be so good to remove this hackish code.
Not sure but we may have this piece of code in a few places..
On Fri, 22 May 2020 at 06:45, Elliotte Rusty Harold
wrote:
> The TreeMojo in maven-dependency-plugin uses maven-dependency-tree to
> do some complicated reflection based s
Would this simply affect the output of what's shown to the user by
maven dependency:tree or would it also affect the order of resolution
for compile, exec:java, and everything else?
On Mon, Feb 17, 2020 at 3:28 PM Loïc Le Doyen wrote:
>
> Hello @dev team !
>
> Being a frequent user of the *maven-
Hi Loïc,
First of all, thanks for the suggestion! You are not alone in this idea.
In fact, there is already a PR [1] that provides this kind of
functionality. It's been open for a while. The main reason is that it is
currently hard to prove that it doesn't break anything. For that reason,
I s
Hi Mark,
On 29/03/18 11:53, Mark Raynsford wrote:
On 2018-03-28T21:54:32 +0200
Karl Heinz Marbaise wrote:
If you check via:
http://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22org.apache.maven.shared%22%20AND%20a%3A%22maven-dependency-analyzer%22
and see a 1.9 version you can use the followi
On 2018-03-28T21:54:32 +0200
Karl Heinz Marbaise wrote:
>
> If you check via:
>
> http://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22org.apache.maven.shared%22%20AND%20a%3A%22maven-dependency-analyzer%22
>
> and see a 1.9 version you can use the following SNAPSHOT of
> maven-dependency-plugin:
Hi Mark,
On 28/03/18 21:43, Mark Raynsford wrote:
On 2018-03-28T21:29:08 +0200
Karl Heinz Marbaise wrote:
Hi Mark,
just a question do you have the chance to test a SNAPSHOT version before
I start the VOTE of maven-dependency-plugin so we are sure it will fix
things...
Yes indeed, I can tes
On 2018-03-28T21:29:08 +0200
Karl Heinz Marbaise wrote:
> Hi Mark,
>
> just a question do you have the chance to test a SNAPSHOT version before
> I start the VOTE of maven-dependency-plugin so we are sure it will fix
> things...
Yes indeed, I can test as soon as you publish one.
--
Mark Ray
Hi Robert,
On 06/09/17 22:30, Robert Scholte wrote:
+1, you beat me :)
Yes Yeah got it ;-)..
Kind regards
Karl Heinz Marbaise
On Wed, 06 Sep 2017 22:28:32 +0200, Karl Heinz Marbaise
wrote:
Hi,
I would like to make a new release of the current state of
maven-dependency-plugin ..
Are
+1, you beat me :)
On Wed, 06 Sep 2017 22:28:32 +0200, Karl Heinz Marbaise
wrote:
Hi,
I would like to make a new release of the current state of
maven-dependency-plugin ..
Are there any objections about this? Or are issues missed?
Kind regards
Karl Heinz Marbaise
hi Julius,
first thanks for the patch
I have taken a look at it...
formatting looks ok...no problem to apply the patch...and checked...
On 2/20/15 8:56 PM, Julius Davies wrote:
Hi,
Just curious if anyone is interested in looking at this. I attached a
patch:
http://jira.codehaus.org/brow
On Saturday 10 November 2012 19:15:47 Karl Heinz Marbaise wrote:
> Hi Hervè,
>
> many for the explanation...
>
> > yes, the behaviour is known - probably not from many people, but I do
>
> know it
>
> > was a consequence of maven-dependency-tree-2.0 MSHARED-167
> >
> > I wouldn't say "intent
Hi Hervè,
many for the explanation...
> yes, the behaviour is known - probably not from many people, but I do
know it
was a consequence of maven-dependency-tree-2.0 MSHARED-167
I wouldn't say "intentional", but that's a consequence of using Aether in
Maven 3 instead of tracking internal Maven
yes, the behaviour is known - probably not from many people, but I do know it
was a consequence of maven-dependency-tree-2.0 MSHARED-167
I wouldn't say "intentional", but that's a consequence of using Aether in
Maven 3 instead of tracking internal Maven 2 dependency resolution events.
Maven 3/A
On Wed, Sep 14, 2011 at 5:33 AM, Anders Hammar wrote:
> I may be off, but I don't think that maven-aether-provider wraps
> Aether. It's just the provider for the Maven specific implementation
> used by Aether.
So much for email too late at night. More research later.
>
> /Anders
>
> On Wed, Sep
I may be off, but I don't think that maven-aether-provider wraps
Aether. It's just the provider for the Maven specific implementation
used by Aether.
/Anders
On Wed, Sep 14, 2011 at 03:30, Benson Margulies wrote:
> https://svn.apache.org/repos/asf/maven/maven-3/trunk/maven-aether-provider/
>
> O
On Wed, Sep 14, 2011 at 11:00 AM, Benson Margulies
wrote:
> https://svn.apache.org/repos/asf/maven/maven-3/trunk/maven-aether-provider/
Thanks
https://svn.apache.org/repos/asf/maven/maven-3/trunk/maven-aether-provider/
On Tue, Sep 13, 2011 at 8:52 PM, Barrie Treloar wrote:
> On Wed, Sep 14, 2011 at 9:57 AM, Benson Margulies
> wrote:
>> Aether is definitely surrounded by a maven component. The question is,
>> does that component expose
On Wed, Sep 14, 2011 at 9:57 AM, Benson Margulies wrote:
> Aether is definitely surrounded by a maven component. The question is,
> does that component expose what you need?
Point me to where I can look and I can answer the question :)
On Tue, Sep 13, 2011 at 7:54 PM, Barrie Treloar wrote:
> On Tue, Sep 13, 2011 at 11:31 PM, Benson Margulies
> wrote:
>>> As for the solution of creating a 2.x branch, that's fine. I don't
>>> really see much difference between your solution and mine, given that
>>> you basically admit that not mu
On Tue, Sep 13, 2011 at 11:31 PM, Benson Margulies
wrote:
>> As for the solution of creating a 2.x branch, that's fine. I don't
>> really see much difference between your solution and mine, given that
>> you basically admit that not much work will be performed on it. Kill
>> it outright, or let it
Precisely, and the sandbox is there for that purpose too
On 13 September 2011 16:23, Brian Fox wrote:
> Anyone who is actually going to do the work can make a branch when
> they need to. I see no point in making a branch just for fun.
>
> On Tue, Sep 13, 2011 at 10:01 AM, Benson Margulies
> wrot
Anyone who is actually going to do the work can make a branch when
they need to. I see no point in making a branch just for fun.
On Tue, Sep 13, 2011 at 10:01 AM, Benson Margulies
wrote:
>> As for the solution of creating a 2.x branch, that's fine. I don't
>> really see much difference between yo
> As for the solution of creating a 2.x branch, that's fine. I don't
> really see much difference between your solution and mine, given that
> you basically admit that not much work will be performed on it. Kill
> it outright, or let it bit rot, either way.. Let's just move forward
> with Maven 3.x
Greetings,
On Tue, Sep 13, 2011 at 9:36 AM, Benson Margulies wrote:
>
> There are these inconvenient creatures called users, and many of them
> are, for whatever organizational reasons, stuck in 2.x. The simplest
> solution is to make a branch, and not do much to it on the 2.x branch.
> No horrib
On Tue, Sep 13, 2011 at 9:20 AM, Jesse Farinacci wrote:
> Greetings,
>
> On Tue, Sep 13, 2011 at 6:25 AM, Benson Margulies
> wrote:
>> Are we going to end up with two branches of the plugin?
>
> Or how about we stop making whips for our own backs? Why don't we draw
> a line in the sand for the p
Greetings,
On Tue, Sep 13, 2011 at 6:25 AM, Benson Margulies wrote:
> Are we going to end up with two branches of the plugin?
Or how about we stop making whips for our own backs? Why don't we draw
a line in the sand for the plugins (by cutting a release) and say this
far, no further. All future
On Tue, Sep 13, 2011 at 6:41 AM, Ansgar Konermann
wrote:
> On 12.09.2011 22:44, Jason Pyeron wrote:
>> On my hit list are the following:
>
> I'd like to add:
>
> * make dependency:tree work with Maven 3.0 (as Benjamin pointed out, it
> currently does not, because of the way Aether works when con
Hello,
If possible not as we did for the maven site plugin.
But sure will need some "hackish" solution.
2011/9/13 Benson Margulies :
> Are we going to end up with two branches of the plugin?
>
> On Mon, Sep 12, 2011 at 5:11 PM, Ansgar Konermann
> wrote:
>> Am 12.09.2011 22:44, schrieb Jason Pyero
Are we going to end up with two branches of the plugin?
On Mon, Sep 12, 2011 at 5:11 PM, Ansgar Konermann
wrote:
> On 12.09.2011 22:44, Jason Pyeron wrote:
>> On my hit list are the following:
>
> I'd like to add:
>
> * make dependency:tree work with Maven 3.0 (as Benjamin pointed out, it
> cur
Cool. Will take a look when you finish!
Kristian
On 12 Sep 2011 at 23:12 Ansgar Konermann
wrote:
> On 12.09.2011 22:44, Jason Pyeron wrote:
>> On my hit list are the following:
>
> I'd like to add:
>
> * make dependency:tree work with Maven 3.0 (as Benjamin pointed out, it
> currently d
On 12.09.2011 22:44, Jason Pyeron wrote:
> On my hit list are the following:
I'd like to add:
* make dependency:tree work with Maven 3.0 (as Benjamin pointed out, it
currently does not, because of the way Aether works when constructing
the dependency tree)
Best regards
Ansgar
---
> It's a common problem with dynamic instantiation.
> I understand why you skip runtime and test (test-runtime scope does not
> exist) scope.
> But what about the provided scope? I think, by default, it should not be
> skipped as for the compile scope.
Not sure. It seems like it should be included.
Hi Brian,
It's controlled by a flag you can turn on and off.
Yes, it's true. I haven't paid enough attention.
cf. ignoreNonCompile :
http://maven.apache.org/plugins/maven-dependency-plugin/analyze-mojo.html
The reason it's off by default is because you may have something required to
> run the te
To: Maven Developers List
Subject: Re: [maven-dependency-plugin] Analyze HTML Report
Very nice.
Brian, I wonder why the analyze goal of the maven-dependency-plugin just
takes the compile dependencies for the Unused declared dependencies [1]? Why
doesn't it take the test dependencies even though it
Very nice.
Brian, I wonder why the analyze goal of the maven-dependency-plugin just
takes the compile dependencies for the Unused declared dependencies [1]? Why
doesn't it take the test dependencies even though it also analyzes the test
classes?
[1]
http://maven.apache.org/plugins/maven-dependency
Thanks Jeremy, I'll get that applied shortly.
-Original Message-
From: copernic Jeremy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 14, 2007 10:26 AM
To: dev@maven.apache.org
Subject: [maven-dependency-plugin] Analyze HTML Report
I find the maven-dependency-plugin really powerful and
: Re: maven-dependency-plugin tests failing
On 22/06/07, Mark Hobson <[EMAIL PROTECTED]> wrote:
> On 22/06/07, Mark Hobson <[EMAIL PROTECTED]> wrote:
> > On 21/06/07, Mark Hobson <[EMAIL PROTECTED]> wrote:
> > > On 21/06/07, Brian E. Fox <[EMAIL PROTECTED]&g
ailto:[EMAIL PROTECTED]
Sent: Saturday, 23 June 2007 02:11
To: Maven Developers List
Subject: RE: maven-dependency-plugin tests failing
Ugh. Several highly desired fixes for mdep require the new archiver. Is there
anyway to get it fixed or are we stuck?
(for the record, it still works for me b
riday, June 22, 2007 11:48 AM
To: Maven Developers List
Subject: Re: maven-dependency-plugin tests failing
On 22 Jun 07, at 9:44 AM 22 Jun 07, Mark Hobson wrote:
> On 22/06/07, Mark Hobson <[EMAIL PROTECTED]> wrote:
>> On 22/06/07, Mark Hobson <[EMAIL PROTECTED]> wrote:
>
On 22 Jun 07, at 9:44 AM 22 Jun 07, Mark Hobson wrote:
On 22/06/07, Mark Hobson <[EMAIL PROTECTED]> wrote:
On 22/06/07, Mark Hobson <[EMAIL PROTECTED]> wrote:
> On 21/06/07, Mark Hobson <[EMAIL PROTECTED]> wrote:
> > On 21/06/07, Brian E. Fox <[EMAIL PROTECTED]> wrote:
> > > That's odd, I am a
On 22/06/07, Mark Hobson <[EMAIL PROTECTED]> wrote:
On 22/06/07, Mark Hobson <[EMAIL PROTECTED]> wrote:
> On 21/06/07, Mark Hobson <[EMAIL PROTECTED]> wrote:
> > On 21/06/07, Brian E. Fox <[EMAIL PROTECTED]> wrote:
> > > That's odd, I am able to build mdep with no problems.
> >
> > I'm building u
On 22/06/07, Mark Hobson <[EMAIL PROTECTED]> wrote:
On 21/06/07, Mark Hobson <[EMAIL PROTECTED]> wrote:
> On 21/06/07, Brian E. Fox <[EMAIL PROTECTED]> wrote:
> > That's odd, I am able to build mdep with no problems.
>
> I'm building using the current 2.0.x branch, if that makes any difference?
On 21/06/07, Mark Hobson <[EMAIL PROTECTED]> wrote:
On 21/06/07, Brian E. Fox <[EMAIL PROTECTED]> wrote:
> That's odd, I am able to build mdep with no problems.
I'm building using the current 2.0.x branch, if that makes any difference?
Same problem with 2.0.5, 2.0.6 and 2.0.7..
Mark
On 21/06/07, Brian E. Fox <[EMAIL PROTECTED]> wrote:
That's odd, I am able to build mdep with no problems.
I'm building using the current 2.0.x branch, if that makes any difference?
Mark
That's odd, I am able to build mdep with no problems.
-Original Message-
From: Mark Hobson [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 21, 2007 10:23 AM
To: Maven Developers List
Subject: maven-dependency-plugin tests failing
Hi there,
Many of the plexus test cases fail in a fresh ch
It's coming soon. We need to get the parent released and deployed first.
-Original Message-
From: Sebastien Brunot [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 16, 2006 5:35 AM
To: dev@maven.apache.org
Subject: maven-dependency-plugin release plan
Hi all,
is there any release pl