You might need to raise a bug with your security scanner regarding false
positives.

So in your dependency tree I only see log4j 2.17.1; i.e.

Your Pom
- org.springframework.boot:spring-boot-starter-web:2.6.4
-- org.springframework.boot:spring-boot-starter-web:2.6.4
--- org.springframework.boot:spring-boot-starter:2.6.4
---- org.springframework.boot:spring-boot-starter-logging:2.6.4
----- org.apache.logging.log4j:log4j-to-slf4j:2.17.1
------ org.apache.logging.log4j:log4j-api:2.17.1

Doing a build with "mvn clean install -Dmaven.repo.local=repo" and then
running "find repo -name '*log4j*' -type f" only returns:
repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar
repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.pom.sha1
repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.pom
repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar.sha1
repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.pom
repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.pom.sha1
repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.jar
repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.jar.sha1
repo/org/apache/logging/log4j/log4j-bom/2.17.1/log4j-bom-2.17.1.pom
repo/org/apache/logging/log4j/log4j-bom/2.17.1/log4j-bom-2.17.1.pom.sha1
repo/org/apache/logging/log4j/log4j/2.17.1/log4j-2.17.1.pom.sha1
repo/org/apache/logging/log4j/log4j/2.17.1/log4j-2.17.1.pom
repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1

What version does the scanner say it's found?

John
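An added example (not John's code and not part of the thread) that turns the manual "find repo ..." check above into a repeatable classification: it reads find(1) output for a Maven local repository and reports, per groupId:artifactId:version, whether a jar is actually cached or only pom/.sha1 metadata is present, and flags the log4j 1.x groupId and any org.apache.logging.log4j version below 2.17.1. It assumes Maven's standard repository layout (group dirs / artifact / version / file), numeric x.y.z versions, and that the repository root passed as the first argument contains no characters special to sed; the sample input is the listing quoted above, embedded here as constructed data.

```sh
#!/bin/sh
# Added example, not from the thread: classify the log4j artifacts that
# "find <repo> -name '*log4j*' -type f" lists in a Maven local repository.
# For each groupId:artifactId:version it prints
#   JAR ...   a jar is present in the cache (it can end up on a classpath)
#   POM ...   only pom / .sha1 files are present (metadata, no bytecode)
# and appends OLD when the groupId is log4j (the 1.x line) or the version
# is an org.apache.logging.log4j release below 2.17.1.
# Assumes the repository-layout paths Maven writes: group/dirs/artifact/version/file.

# $1: local repository root used with -Dmaven.repo.local (default: repo).
# Reads find(1) output on stdin; paths outside $1 are ignored.
classify_log4j() {
  repo=${1:-repo}
  repo=${repo%/}
  sed -n "s#^${repo}/##p" |
  awk -F/ '
    {
      n = NF
      file = $n; version = $(n-1); artifact = $(n-2)
      group = $1
      for (i = 2; i <= n-3; i++) group = group "." $i
      key = group ":" artifact ":" version
      seen[key] = 1
      if (file ~ /\.jar$/) hasjar[key] = 1   # .jar.sha1 does not count
    }
    END {
      for (key in seen) {
        split(key, p, ":")
        kind = (key in hasjar) ? "JAR" : "POM"
        flag = ""
        if (p[1] == "log4j") {
          flag = " OLD"                       # log4j 1.x groupId
        } else if (p[1] == "org.apache.logging.log4j") {
          split(p[3], v, ".")                 # assumes numeric x.y.z
          if (v[1] < 2 || (v[1] == 2 && (v[2] < 17 || (v[2] == 17 && v[3] < 1))))
            flag = " OLD"
        }
        print kind, key flag
      }
    }' | LC_ALL=C sort
}

# Constructed input: the find output quoted in the reply above.
sample_paths() {
  cat <<'EOF'
repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar
repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.pom.sha1
repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.pom
repo/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar.sha1
repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.pom
repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.pom.sha1
repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.jar
repo/org/apache/logging/log4j/log4j-to-slf4j/2.17.1/log4j-to-slf4j-2.17.1.jar.sha1
repo/org/apache/logging/log4j/log4j-bom/2.17.1/log4j-bom-2.17.1.pom
repo/org/apache/logging/log4j/log4j-bom/2.17.1/log4j-bom-2.17.1.pom.sha1
repo/org/apache/logging/log4j/log4j/2.17.1/log4j-2.17.1.pom.sha1
repo/org/apache/logging/log4j/log4j/2.17.1/log4j-2.17.1.pom
repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
EOF
}

sample_paths | classify_log4j repo
```

On the listing above this prints two JAR lines (log4j-api and log4j-to-slf4j, both 2.17.1), two POM lines for the 2.17.1 parent and BOM, and "POM log4j:log4j:1.2.12 OLD": the only pre-2.17.1 entry is pom metadata with no jar beside it, which is the kind of finding worth checking against the scanner's report. The complementary runtime-side check is "mvn dependency:tree -Dincludes=org.apache.logging.log4j,log4j", which shows what actually reaches the application's classpath rather than what the build cache holds.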


On Mon, 28 Feb 2022 at 23:15, Juraj Veverka
<juraj.veve...@globallogic.com.invalid> wrote:

> Hi David
>
> Just for clarification: we are not relying on the maven dependency plugin
> at runtime. Our runtime is perfectly clear of log4j vulnerabilities.
> The problem is that our security scanners are scanning gitlab runner nodes
> (virtual machines on which we compile and package our application) and
> log4j vulnerability is found there.
>
> Kind regards
> Juraj Veverka
>
> On Mon, Feb 28, 2022 at 1:32 PM Juraj Veverka <
> juraj.veve...@globallogic.com>
> wrote:
>
> > Hi David
> >
> > Many thanks for your email, I really appreciate your reply. This is an
> > isolated example of the problem.
> > https://github.com/jveverka/mvn-dependency-log4j
> > You can find all repro steps there. In case of any questions, feel free
> > to contact me.
> >
> > Kind regards
> > Juraj Veverka
> >
> >
> >
> > On Mon, Feb 28, 2022 at 12:14 PM David Milet <david.mi...@gmail.com>
> > wrote:
> >
> >> Where I work we decided to address log4j vulnerabilities only for
> >> components directly used by the application and actually performing
> logging.
> >> We ignored transitive dependencies and maven plug-ins.
> >> I’m curious about this use case from Venu though, what application would
> >> rely on the maven dependency plugin at runtime? Does it mean you’re
> pulling
> >> maven dependencies after application startup?
> >>
> >> > On Feb 28, 2022, at 03:30, Slawomir Jaranowski <
> s.jaranow...@gmail.com>
> >> wrote:
> >> >
> >> > Hi,
> >> >
> >> > Please provide more information, like plugin, maven, os version.
> >> >
> >> > We also need an example project which reproduces your issue.
> >> > When we can't reproduce we can't help.
> >> >
> >> > pon., 28 lut 2022 o 08:55 Jaladi, Venumadhav
> >> > <jaladi.venumad...@verizon.com.invalid> napisał(a):
> >> >
> >> >> Hi team,
> >> >>
> >> >> Can I expect any response?  Is this the right email address for my
> >> >> question?
> >> >>
> >> >> Thanks,
> >> >> Venu
> >> >>
> >> >>
> >> >>> On Thu, Feb 24, 2022 at 6:47 AM Jaladi, Venumadhav <
> >> >>> jaladi.venumad...@verizon.com> wrote:
> >> >>>
> >> >>> Hi team,
> >> >>>
> >> >>> We are using the Maven Dependency Plugin in one of our projects and
> >> our
> >> >>> scanning tools are showing multiple vulnerabilities related to Log4j
> >> >>> (CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305,
> >> >>> CVE-2022-23307 and CVE-2021-4104).
> >> >>>
> >> >>> We would like to know if there are any plans to release a newer
> >> version
> >> >>> of Maven Dependency Plugin with the fixes of these
> >> >>> vulnerabilities(referring to the latest version of Log4j libraries).
> >> If
> >> >>> so, is there any planned date for this release?
> >> >>>
> >> >>> Please let us know if any more information is required.
> >> >>>
> >> >>> Thanks,
> >> >>> Venu
> >> >>>
> >> >>
> >> >
> >> >
> >> > --
> >> > Sławomir Jaranowski
> >>
> >>
> >
> > --
> >
> > Best Regards
> >
> >
> > --
> >
> > Juraj Veverka <https://github.com/jveverka> | Solution Design Architect
> >
> > M +421 917 521 285
> >
> > www.globallogic.sk  <https://www.globallogic.com/sk/>
> >
> >
> > http://www.globallogic.com/Disclaimer.htm
> >
> >
> >
>
